Phorpiex Malware has Shut Down their Botnet and Put its Source Code for Sale

 

The Phorpiex malware's creators have shut down their botnet and are selling the source code on a dark web cybercrime forum. The ad states that none of the malware's two original authors are participating in maintaining the botnet, which is why they opted to sell its source code. It was posted on 27th August by an individual previously associated with the botnet's operation. 

Phorpiex, a long-running botnet notorious for extortion schemes and old-school worms delivered via removable USB drives and instant messaging programmes, has been broadening its architecture in recent years in order to become more durable and deliver more deadly payloads. 

These operations had extended to encompass bitcoin mining, which had previously included extortion and spamming. Researchers have noticed an upsurge in data exfiltration and ransomware delivery since 2018, with the bot installer releasing malware such as Avaddon, Knot, BitRansomware (DSoftCrypt/ReadMe), Nemty, GandCrab, and Pony, among others. 

“As I no longer work and my friend has left the biz, I’m here to offer Trik (name from coder) / Phorpiex (name fomr AV firms) source for sell [sic],” the individual said on Friday in a forum post spotted by British security firm Cyjax. 

The ad's legitimacy was confirmed by Alexey Bukhteyev, a malware reverse engineer for security firm Check Point. “The description of the malware is very similar to what we saw in the code,” Bukhteyev said. The malware's command and control (C&C) servers have been inactive for approximately two months, according to the researcher, who previously researched the Phorpiex virus in 2019. 

The last command the bot received from the Phorpiex C&C servers was on July 6, 2021, according to Bukhteyev, who has been running a phoney Phorpiex bot in order to spy on its operations. The command was a self-explanatory "SelfDeletion" instruction. The botnet appears to have vanished from open-source reports since then. 

"As we know, the source code is private and hasn’t been sold before. Therefore, this [forum ad] looks really believable,” Bukhteyev said. “However, we can be totally sure if we buy it. The binaries are quite straightforward, and we can easily confirm that the source code is for this bot indeed, if we get it."

Even if the botnet C&C servers are down, Bukhteyev warns that if someone buys the code, they can set up new ones and hijack all the already infected systems.