Check Point researchers have observed a new variant of the Phorpiex botnet targeting cryptocurrency users and stealing funds through a technique called “cryptocurrency clipping.”
Phorpiex has been a known threat since 2016, primarily conducted crypto-jacking, ransomware, cryptocurrency clipping, and sextortion spam campaigns. This past summer, the botnet’s command-and-control (C2) server activity dropped, according to the Check Point Research team. The C2 servers were shut down in July 2021; in August, an announcement from its owners said the Phorpiex was going out of business.
Less than two weeks later, the C2 servers were back online under a different IP address, spreading a bot that had never been seen before. This bot, dubbed “Twizt,” enables the botnet to operate without active C2 servers because it can run in peer-to-peer mode, the researchers explain. Each infected machine can act as a server and send commands to other bots in a chain.
Check Point’s telemetry revealed “an almost constant number of Phorpiex victims” that continued even when its C2 servers were inactive. The threat has been seen in 96 countries, with most victims in Ethiopia, Nigeria, and India. Numbers have started to increase in the last two months, the researchers report.
Its methods of monetization are the same. The botnet uses cryptocurrency clipping, or crypto-clipping, a method in which attackers steal cryptocurrency during a transaction by substituting the original wallet address saved in the clipboard with their wallet address. It’s common to use the clipboard to copy and paste a long cryptocurrency wallet address, they say.
“If a malware implements the crypto-clipping functionality, it can work successfully without any C&C servers,” researchers wrote in their blog post. “Therefore, when the Phorpiex C&C servers go down there is no down time because hundreds of thousands of bots remain installed and continue to steal victims’ money.”
They found 60 Bitcoin wallets and 37 Ethereum wallets used by the Phorpiex crypto-clipper. In the one-year period ending November 2021, Phorpiex bots hijacked 969 transactions and stole 3.64 Bitcoin, 55.87 Ether, and $55,000 in ERC20 tokens. The value of these stolen amounts in current prices is nearly $500,000 USD.
Read Check Point’s full writeup for more details.