Check Point analysts have noticed that someone appears to have taken over the backend command infrastructure of the Phorpiex botnet (also known as Trik) and is now removing the spammer malware from infected hosts while warning victims about what is happening.
Infection warning pop-ups began to appear on users' screens on the morning of January 23, 2020. At first, researchers and journalists assumed this was some kind of joke by the Phorpiex malware developers, an attempt to troll information security specialists. But it soon became clear that the same thing was happening on ordinary users' machines, and that the pop-up window was appearing not only on virtual machines used as sandboxes for analyzing the malware.
Check Point experts spoke to journalists from ZDNet and put forward several theories about how this could have happened. For example, the malware operators themselves could be shutting down the botnet in this unusual way; law enforcement agencies or an information security expert who decided to help the victims could have hijacked the botnet; or a rival hacker could have seized the botnet and is now trying to sabotage Phorpiex's operations.
Another information security specialist, who wished to remain anonymous, confirmed to reporters that the Phorpiex developers really do have serious competitors who could take such a step.
“The Phorpiex botnet developer is extremely lazy and sloppy,” says the anonymous analyst, arguing that hijacking the botnet had not been difficult in the past because of its simplistic IRC-based command-and-control mechanism.
As a reminder, Phorpiex is one of the most active spammer botnets to date. Phorpiex infects Windows machines and uses them as spam bots to send messages. Such spam campaigns sustain and grow the botnet by infecting new machines, but they also bring profit to the malware operators: other hacking groups pay to use the services of the Phorpiex botnet, and the Phorpiex team makes its money this way.
According to Check Point analysts, in the fall of 2019 approximately 450,000 infected computers were part of the Phorpiex botnet. Among other things, the botnet operators engage in so-called “sexual extortion”. The English term sextortion, a blend of the words sex and extortion, is used to describe this activity. The tactic relies on intimidating users: scammers send spam in which they try to convince their victims that they possess incriminating images or videos of them, and demand a ransom.
Mass sextortion spam mailings alone totaled up to 27 million emails per campaign (that is, some Phorpiex-infected machines sent up to 30,000 malicious emails per hour). Over five months of observation, Check Point analysts tracked more than 14 bitcoins (approximately $115,000) that extortion victims transferred as ransoms to the Phorpiex operators.