Twizt botnet leads global attacks against crypto users

Phorpiex, a 1 million-strong botnet that has been used for sextortion and clipping attacks, has recently reappeared as a new variant, dubbed Twizt, is currently hitting cryptocurrency users in India, Nigeria, Ethiopia and 93 other countries 

When the Phorpiex botnet first launched in 2016, it primarily dealt with using its botnets to conduct large-scale, sextortion spam campaigns and crypto-clipping, although they also evolved to conducting ransomware attacks in recent years. 

It’s estimated that the threat actors made over 100,000 dollars per month by just tricking people into sending them crypto. In the past twelve months, threat actors behind Twizt and Phorpiex have hijacked 969 transactions via crypto-clipping. Recently, Twizt has managed to steal 3.64 Bitcoin (172,300 dollars), 55.87 Ether (216,000 dollars), and 55,000 dollars’ worth in ERC20 tokens with attacks. 

However, in 2021, the Phorpiex developers shut down their infrastructure and made an ad post for the botnet’s source code on a darknet forum in August, revealing it was for sale.  

It currently remains unconfirmed that the threat actors managed to sell their botnet malware, however, researchers from Check Point reportedly saw activity related to the botnet in September with the new variant’s command-and-control servers including new capabilities like peer-to-peer command-and-control infrastructure and extra payload capability, showing the botnet is still under active development. 

Check Point said in a report that “The emergence of such features suggests that the botnet may become even more stable and therefore, more dangerous”. 

The Twizt variant 

The variant has been called Twizt. Like Phorpiex, the Twizt bot malware variant often uses crypto-clipping, where the threat actors swap out cryptocurrency wallet addresses copied to the Windows clipboard with ones under their control, hoodwinking victims into sending them cryptocurrency during transactions. 

However, there are some key differences, with Twizt sporting some new features and upgrades over its predecessor like: 

• A peer-to-peer mode. 
• A data integrity verification system using the RSA and RC6-256 hash function. 
• A custom binary protocol (TCP or UDP) with two layers of RC4 encryption. 
• Ability to download extra payloads via commands from the C&C server or from a list of hard-coded base URLs and paths. 

The new malware variant allows the botnet to operate with a peer-to-peer command and control system instead of centralised command-and-control servers. This addition makes it so infected, ‘zombie’ devices relay commands to each other as a backup if the command and control servers go down, allowing bot commands and operations to continue uninterrupted. 

The peer-to-peer command infrastructure also allows the operators to change the IP address of the main C&C servers while remaining hidden, making them difficult to track and attribute blame. 

Furthermore, because of the bot malware’s ability to run without C&C, it makes it easier for it to evade security mechanisms like traditional and next-gen firewalls. Also, it means that even if the operators are caught, infected devices can still continue their malicious wallet redirections. 

Who’s impacted? 

The cryptocurrency wallets supported by the clipper of the latest Phorpiex version include well-known names like:  

• Bitcoin and Bitcoin Gold. 
• Lisk. 
• Polkadot. 
• Waves 
• Dash.  
• Monero. 
• Dogecoin. 
• Ethereum.  
• Litecoin. 
• Zilliqa. 
• ZCash  
• And many others. 

Check Point has managed to identify at least 60 Bitcoin and 37 Ethereum unique wallets used for crypto-clipping and confirmed that Dash, Zilliqa, Dogecoin and Monero have all been targeted by clipping attacks. 

“This makes for a huge attack surface, and basically anyone who is utilizing crypto could be affected,” Alexander Chailytko, Check Point’s cybersecurity research and innovation manager. 

How to protect your assets 

In order to safeguard yourself against threats like Phorpiex and Twizt, Check Point recommends that you: 

• Make sure to double-check if the pasted wallet address is the correct one when doing cryptocurrency transactions. 
• As a precaution, do a test transaction with a small amount of money you’re willing to lose first before sending large amounts. 
• Ensure your operating systems and installed applications are up-to-date with the latest fixes for vulnerabilities. 
• Due to the risk of scams, be careful not to accidentally click on ads when searching for cryptocurrency wallets and tools. 

Once a cryptocurrency transaction is done, it can’t be reversed. Retrieving stolen and coerced funds are only possible if law enforcement manages to get access to the threat actor’s wallet(s), and this isn’t a guarantee. 

In conclusion, it’s a best practice that potential victims take steps to prevent falling victim to attacks like these threats in the first place rather than simply counting on remediation and fund recovery efforts.