[BreachExchange] Phorpiex Malware has Shut Down their Botnet and Put its Source Code for Sale

Sophia Kingsbury sophia.kingsbury at riskbasedsecurity.com
Tue Aug 31 08:18:58 EDT 2021


https://www.ehackingnews.com/2021/08/phorpiex-malware-has-shut-down-their.html

The Phorpiex malware's creators have shut down their botnet and are selling
the source code on a dark web cybercrime forum. According to the ad, neither
of the malware's two original authors is still involved in maintaining the
botnet, which is why they opted to sell its source code. The ad was posted on
27th August by an individual previously associated with the botnet's
operation.

Phorpiex, a long-running botnet notorious for extortion schemes and
old-school worms delivered via removable USB drives and instant messaging
programmes, has been broadening its architecture in recent years in order
to become more resilient and deliver more damaging payloads.

Its operations, which previously centred on extortion and spamming, later
expanded to include bitcoin mining. Since 2018, researchers have observed an
upsurge in data exfiltration and ransomware delivery, with the bot's installer
dropping malware such as Avaddon, Knot, BitRansomware (DSoftCrypt/ReadMe),
Nemty, GandCrab, and Pony, among others.

“As I no longer work and my friend has left the biz, I’m here to offer Trik
(name from coder) / Phorpiex (name from AV firms) source for sell [sic],”
the individual said on Friday in a forum post spotted by British security
firm Cyjax.

The ad's legitimacy was confirmed by Alexey Bukhteyev, a malware reverse
engineer at security firm Check Point. “The description of the malware is
very similar to what we saw in the code,” Bukhteyev said. According to the
researcher, who previously analysed Phorpiex in 2019, the malware's command
and control (C&C) servers have been inactive for approximately two months.

The last command the bot received from the Phorpiex C&C servers was on July
6, 2021, according to Bukhteyev, who has been running a phoney Phorpiex bot
in order to monitor its operations. The command was a self-explanatory
"SelfDeletion" instruction. The botnet appears to have vanished from
open-source reports since then.

“As we know, the source code is private and hasn’t been sold before.
Therefore, this [forum ad] looks really believable,” Bukhteyev said.
“However, we can be totally sure if we buy it. The binaries are quite
straightforward, and we can easily confirm that the source code is for this
bot indeed, if we get it.”

Even though the botnet's C&C servers are down, Bukhteyev warns that anyone
who buys the code could set up new ones and hijack all the already-infected
systems.