The Phorpiex botnet, which had previously been shut down, now appears to have resurfaced. The malware has been further developed and now uses a new peer-to-peer (P2P) command-and-control infrastructure, which makes the botnet no easier to track down.
First observed in 2016
The botnet first appeared in 2016. In a relatively short time, the malware managed to infect more than 1 million devices worldwide.
The malware is designed to generate revenue for its developers in two ways: by replacing cryptocurrency addresses copied to the Windows clipboard with addresses under the operators' control, and by sending spam emails that try to scare recipients into paying an extortion demand.
However, after the 5 years in which the botnet was launched and developed, the Phorpiex operators shut down their infrastructure. Now they appear to be offering the malware's source code for sale on a hacking forum, as was shared on Twitter.
The source code for the Phorpiex botnet is being sold on the darknet…👀 pic.twitter.com/GxBsnUacvh
— Cyjax (@Cyjax_Ltd) August 27, 2021
Peer-to-Peer System
With this evolution, the botnet can operate without centralized command-and-control servers. In their place, the new malware variant adds a peer-to-peer system that lets the infected devices relay commands to one another.
In theory, any infected computer can act as a server and issue commands to other bots in the chain. The new P2P infrastructure also lets the operators change the IP address of the main C2 servers when necessary, while keeping those servers hidden behind a swarm of infected Windows machines.