The operators of the Phorpiex malware have shut down their botnet and put its source code for sale on a dark web cybercrime forum, The Record has learned.
The ad, posted earlier today by an individual previously linked to the botnet’s operation, claims that neither of the malware’s two original authors is still involved in running the botnet, which is why they decided to sell its source code.
“As I no longer work and my friend has left the biz, I’m here to offer Trik (name from coder) / Phorpiex (name fomr AV firms) source for sell [sic],” the individual said today in a forum post spotted by British security firm Cyjax.
Alexey Bukhteyev, a malware reverse engineer for security firm Check Point, helped The Record today confirm the ad’s validity.
“The description of the malware is very similar to what we saw in the code,” Bukhteyev told us.
The researcher, who previously analyzed the Phorpiex malware back in 2019, said that the malware’s command and control (C&C) servers have not been active for almost two months.
Bukhteyev, who has been running a fake Phorpiex bot in order to spy on its activity, told The Record that the last command the bot received from the Phorpiex C&C servers was on July 6, 2021, and the command was a self-explanatory “SelfDeletion” instruction.
Since then, the botnet appears to have disappeared from open-source reporting.
“As we know, the source code is private and hasn’t been sold before. Therefore, this [forum ad] looks really believable,” Bukhteyev told The Record.
“However, we can be totally sure if we buy it. The binaries are quite straightforward, and we can easily confirm that the source code is for this bot indeed, if we get it,” the researcher added.
“One thing that points to that the seller is likely a real author is: ‘Main bot right now is FUD from windows defender’, because all the modules I know currently get AV detections on VT even if they are uploaded there for the first time.”
Buyer gets access to all the Phorpiex-infected systems too
However, Bukhteyev also warns that even if the botnet C&C servers are down, once someone buys the code, they can set up new ones and hijack all the previously infected systems.
“There are still a lot of infected machines = active bots. We can’t definitely say how many, but we constantly see many hits on our gateways,” the Check Point researcher added.
However, it is unclear if the botnet will be bought.
There’s both an upside and a downside to operating the botnet.
The upside is that the botnet has a tried and tested history of generating profits, primarily through its spam module and cryptocurrency clipboard hijacking feature.
For example, the spam module has helped the botnet’s authors generate more than $115,000 in profits from a classic sextortion scheme back in 2019.
The malware has also sold access to its infected bots to ransomware gangs, with the now-defunct Avaddon gang using Phorpiex bots to deploy their ransomware inside corporate networks last year.
“Also, the bot architecture allows the botmaster to passively earn some money from crypto-clipping (changing crypto-currency wallet addresses in the clipboard) even without any active C&C servers,” Bukhteyev also said.
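The crypto-clipping behaviour described above (a wallet address the user copied is silently replaced in the clipboard by the botmaster's address) is the kind of thing an endpoint monitor can flag. The following is an added illustration, not code from the article or from Phorpiex itself: it runs a simple swap-detection heuristic over a constructed log of clipboard-change events, where the address patterns, the `ClipEvent` record and the timing window are all assumptions made for the example.

```python
import re
from dataclasses import dataclass

# Simplified address shapes for the example (legacy/bech32 Bitcoin, Ethereum).
WALLET_PATTERNS = {
    "btc": re.compile(r"^(?:[13][a-km-zA-HJ-NP-Z1-9]{25,34}|bc1[a-z0-9]{39,59})$"),
    "eth": re.compile(r"^0x[0-9a-fA-F]{40}$"),
}

@dataclass
class ClipEvent:
    ts_ms: int       # time at which the clipboard content changed
    text: str        # new clipboard content
    user_copy: bool  # True if an explicit user copy action was observed at that time

def address_kind(text):
    """Return which wallet pattern the text matches, or None."""
    t = text.strip()
    for kind, pat in WALLET_PATTERNS.items():
        if pat.match(t):
            return kind
    return None

def detect_clipper_swaps(events, window_ms=2000):
    """Flag a copied wallet address that is replaced, without a new user copy,
    by a different address of the same kind within window_ms (clipper behaviour)."""
    alerts, last_user = [], None
    for ev in events:
        kind = address_kind(ev.text)
        if ev.user_copy:
            last_user = (ev, kind) if kind else None  # only track copies of addresses
            continue
        if kind and last_user:
            prev, prev_kind = last_user
            if (prev_kind == kind and prev.text.strip() != ev.text.strip()
                    and ev.ts_ms - prev.ts_ms <= window_ms):
                alerts.append({"ts_ms": ev.ts_ms, "kind": kind,
                               "original": prev.text.strip(),
                               "replaced_with": ev.text.strip()})
    return alerts

# Constructed sample addresses and clipboard events (not real wallets).
USER_BTC = "1ConstructedAddrAAAAAAAAAAAAAA"
SWAPPED_BTC = "1AttackerSwapAddrBBBBBBBBBBBBBB"
USER_ETH = "0x" + "ab" * 20
SAMPLE_EVENTS = [
    ClipEvent(1000, USER_BTC, True),      # user copies their address
    ClipEvent(1150, SWAPPED_BTC, False),  # silently replaced 150 ms later -> alert
    ClipEvent(9000, USER_ETH, True),      # user copies an ETH address
    ClipEvent(9100, "hello world", False),  # non-address change, ignored
    ClipEvent(20000, "bc1" + "q" * 39, False),  # different kind, long after -> ignored
]

if __name__ == "__main__":
    for a in detect_clipper_swaps(SAMPLE_EVENTS):
        print(f"clipper swap at {a['ts_ms']} ms: {a['original']} -> {a['replaced_with']}")
```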
The downside is, however, a pretty big one. The botnet isn’t as secure as other malware botnets and has often been hijacked by third parties to deploy their own payloads or issue rogue “uninstall” commands, something that may deter buyers.
Source: https://therecord.media/phorpiex-botnet-shuts-down-source-code-goes-up-for-sale/?web_view=true