The Phorpiex botnet is simple, but rather prolific

Written by Valdis Koks

According to researchers at Check Point, the Phorpiex botnet is simple, but rather prolific: Phorpiex currently has more than 1 million infected Windows computers.

This botnet is used mainly for stealing cryptocurrency and for covert mining. This illegal activity brings the bot operators about half a million dollars a year.

“The tools used by Phorpiex are not too sophisticated. Obviously, not much time was spent on their development. This case shows us that such a massive botnet can be created by cybercriminals without deep knowledge of system programming, cryptography, etc. But the ecosystem that currently exists on the Darknet makes it easy enough to implement almost any idea for cybercrime,” Check Point specialists report.

The malicious bots can spread on their own and can also be delivered by an exploit kit (RIG) or by other malware (Smoke Loader).

The Phorpiex botnet is also known to the information security community under a different name, Trik.

Initially, the network was managed through IRC channels; as it grew, the operators switched to HTTP. This year, Check Point observers did not find a single active C&C server reachable via IRC, although thousands of resident Trik bots configured for such a connection still exist.

“The modular malware that replaced Trik, and on which the modern Phorpiex is built, is called Tldr. Its main purpose is to download additional files. Some samples of this malware are capable of spreading on their own through removable media,” explain researchers at Check Point.

Experts have also discovered Tldr variants with file-infector functionality.

The new bot, like its predecessor, also knows how to work with the clipboard: it recognizes cryptocurrency wallet addresses and substitutes addresses belonging to its operators. Thanks to this, Phorpiex operators can generate revenue without additional effort, even while the control centers are down. According to Check Point, over the past three years the bot operators have stolen more than 17 bitcoins this way.

To mine digital currency, Tldr downloads the XMRig miner to the infected machine. According to experts, cryptojacking brings the bot operators more than $14 thousand per month. They also provide distribution services for other malware: ransomware (GandCrab) and information stealers (Raccoon, Predator). Ransomware is not currently being downloaded; after the GandCrab RaaS service closed, the Phorpiex operators switched to extortion spam, which brought them more than 14 bitcoins in six months.


The monthly volume of data exchanged between bots and control centers, according to Check Point, may exceed 70 TB. This is substantial traffic, and to hide the command infrastructure the bot operators use dedicated subnets registered to front entities. As it turned out, Tldr contacts the same C&C servers that previously commanded the Trik IRC bots. Their IP addresses and domain names are embedded in the malware code, and this list is updated regularly.

Bots constantly check whether the control centers are active, iterating through the entries of the list, and they continue polling even after receiving a positive response. After analyzing Tldr samples with various configuration files, the researchers managed to register a number of the domains. Having taken the place of the C&C servers, they recorded up to 100 thousand active bots (IP addresses) per day and, over two months, counted more than 1 million unique hosts attempting to establish a connection.
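As an added illustration (not from the article or from Check Point's report), the polling behaviour described above can be turned into a simple detection over outbound-connection logs: a host that walks through several entries of a known C&C list and keeps polling after a successful reply is flagged. The log format, host names, addresses (RFC 5737 test ranges) and the C&C list below are all constructed stand-ins.

```python
import re
from collections import defaultdict

# Constructed outbound-connection log: timestamp, source host, destination,
# HTTP status ("-" when the destination did not answer).
SAMPLE_LOG = """\
2019-10-01T08:00:01 host-a 203.0.113.10 -
2019-10-01T08:00:03 host-a 203.0.113.11 -
2019-10-01T08:00:05 host-a cc-example-1.invalid 200
2019-10-01T08:00:07 host-a 203.0.113.12 -
2019-10-01T08:00:09 host-a cc-example-2.invalid 200
2019-10-01T08:00:30 host-b 203.0.113.10 200
2019-10-01T08:01:00 host-c 198.51.100.5 200
"""

# Constructed stand-in for the C&C list extracted from a bot configuration;
# the real list lives in the malware's configuration and is not reproduced here.
CC_LIST = {"203.0.113.10", "203.0.113.11", "203.0.113.12",
           "cc-example-1.invalid", "cc-example-2.invalid"}

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+)$")


def find_polling_hosts(log_text, cc_list, min_distinct=3):
    """Return {host: [destinations in order]} for hosts that contacted at least
    `min_distinct` different C&C entries and kept polling after a 200 reply."""
    contacts = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed lines rather than failing the whole scan
        _ts, host, dest, status = m.groups()
        if dest in cc_list:
            contacts[host].append((dest, status))

    flagged = {}
    for host, seq in contacts.items():
        distinct = {dest for dest, _ in seq}
        # Position of the first successful reply, if any.
        first_ok = next((i for i, (_, s) in enumerate(seq) if s == "200"), None)
        kept_polling = first_ok is not None and len(seq) > first_ok + 1
        if len(distinct) >= min_distinct and kept_polling:
            flagged[host] = [dest for dest, _ in seq]
    return flagged


if __name__ == "__main__":
    for host, dests in find_polling_hosts(SAMPLE_LOG, CC_LIST).items():
        print(f"{host}: walked {len(dests)} C&C entries: {', '.join(dests)}")
```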

“These foci of infection were mainly located in Asia, with a high concentration in India, China, Thailand and Pakistan. A number of bots also appeared in the United States, Mexico and several African countries. The European Phorpiex population was negligible,” report Check Point experts.

Overall, monitoring the activity of this botnet in 2019 revealed more than 4,000 different Tldr samples, about 300 configuration file variants and 3,297 C&C domains and IP addresses. Of the latter, the IP 185[.]176[.]27[.]132, in a /24 block allocated to a certain transport service provider in Kazan (Russia) with traffic routed through Bulgaria, is currently the most active.

About the author

Valdis Koks

Security engineer, reverse engineering and memory forensics
