Check Point Research has discovered new attacks targeting cryptocurrency users in Ethiopia, Nigeria, India and 93 other countries. The cybercriminals behind the attacks are using a variant of the Phorpiex botnet — which Check Point called “Twizt” — to steal cryptocurrency through a process called “crypto clipping.”
Because of the length of wallet addresses, most systems copy a wallet address and allow you to paste it in during transactions simply. With Twizt, cybercriminals have been able to substitute the intended wallet address with the threat actor’s wallet address.
Researchers with Check Point said they have seen 969 transactions intercepted, noting that Twizt “can operate without active command and control servers, enabling it to evade security mechanisms,” meaning each computer that it infects can widen the botnet.
In the last year, they have seen 3.64 Bitcoin, 55.87 Ether, and $55,000 in ERC20 tokens stolen by Twizt operators, amounting to about $500,000. In one instance alone, 26 ETG was taken. Between April 2016 to November 2021, Phorpiex bots hijacked about 3,000 transactions worth nearly 38 Bitcoin and 133 Ether. The cybersecurity company noted that this was only a portion of the attacks taking place.
Phorpiex was originally known as a botnet used for sextortion and crypto-jacking but evolved to include ransomware. Check Point said Phorpiex has been operating since at least 2016 and was initially known as a botnet that operated using IRC protocol.
“In 2018-2019, Phorpiex switched to modular architecture and the IRC bot was replaced with Tldr — a loader controlled through HTTP that became a key part of the Phorpiex botnet infrastructure. In our 2019 Phorpiex Breakdown research report, we estimated over 1,000,000 computers were infected with Tldr,” Check Point explained.
In May, Microsoft’s Defender Threat Intelligence Team released a lengthy blog post warning that Phorpiex “began diversifying its infrastructure in recent years to become more resilient and to deliver more dangerous payloads.”
In August, the activity of Phorpiex command and control servers dropped sharply, and one of the people behind the botnet posted an ad on the darknet offering the source code for sale. Check Point’s Alexey Bukhteyev told The Record that even though the command and control servers were down, any buyer of the source code could set up a new botnet using all of the previously infected systems.
It is unclear if the botnet was actually sold, but Check Point said the command and control servers were back online at another IP address within weeks. When the command and control servers were restarted after their hiatus in August, they began distributing Twizt, which enables the botnet “to operate successfully without active command and control servers, since it can operate in peer-to-peer mode.”
“This means that each of the infected computers can act as a server and send commands to other bots in a chain. As a really large number of computers are connected to the Internet through NAT routers and don’t have an external IP address, the Twizt bot reconfigures home routers that support UPnP and sets up port mapping to receive incoming connections,” Check Point explained.
“The new bot uses its own binary protocol over TCP or UDP with two layers of RC4-encryption. It also verifies data integrity using RSA and RC6-256 hash function.”
Now, Check Point said the new features to Twizt make them believe the botnet “may become even more stable and, therefore, more dangerous.” Check Point has seen attacks stay consistent even when the command and control servers are inactive. Over the last two months, there has been an uptick in attacks, with incidents hitting 96 different countries.
Alexander Chailytko, cybersecurity research & innovation manager at Check Point Software, said two main risks are involved with the new variant of Phorpiex.
“First, Tiwzt is able to operate without any communication with C&C; therefore, it is easier to evade security mechanisms, such as firewalls, in order to do damage. Second, Twizt supports more than 30 different cryptocurrency wallets from different blockchains, including major ones such as Bitcoin, Ethereum, Dash, Monero,” Chailytko said.
“This makes for a huge attack surface, and basically anyone who is utilizing crypto could be affected. I strongly urge all cryptocurrency users to double-check the wallet addresses they copy and paste, as you could very well be inadvertently sending your crypto into the wrong hands.”
Check Point urged cryptocurrency owners always to double-check the original and pasted addresses to make sure they match. People should also send test transactions before any large trades.
Researchers said the Phorpiex crypto-clipper supports more than 30 wallets for different blockchains in the report. They also noted that the botnet operators may be in Ukraine because evidence indicates that the bot does not execute if the user’s default locale abbreviation is “UKR.”
Even though it served a variety of purposes, Check Point’s report says Phorpiex was originally not considered a sophisticated botnet.
“All of its modules were simple and performed the minimal number of functions. Earlier versions of the Tldr module did not use encryption for the payloads. However, this did not prevent the botnet from successfully achieving its goals. Malware with the functionality of a worm or a virus can continue to spread autonomously for a long time without any further involvement by its creators,” Check Point explained.
“We showed that a cryptocurrency clipping technique for a botnet of this scale can generate significant profits (hundreds of thousands US dollars annually) and does not require any kind of management through command and control servers. In the past year, Phorpiex received a significant update that transformed it into a peer-to-peer botnet, allowing it to be managed without having a centralized infrastructure. The command and control servers can now change their IP addresses and issue commands, hiding among the botnet victims.”