The Phorpiex malware operators have announced that the botnet stopped working and have put its source code up for sale on a hacker forum, as Cyjax researchers noted.An announcement posted by a person previously associated with Phorpiex claims that neither of the two original malware developers were involved in the operation of the botnet, so it was decided to sell the source code.
Check Point specialist Alexey Bukhteev confirmed the accuracy of this announcement to the journalists of The Record.
A researcher who analysed Phorpiex back in 2019 said that the malware’s control servers have been down for almost two months. Bukhteev, who launched the fake Phorpiex bot in order to monitor its activities, told The Record that the last command the bot received from the servers on July 6, 2021 was “SelfDeletion”, that is, self-destruction.
At the same time, Bukhteev warns that even if the botnet’s command servers are not working at the time of purchase, after the purchase, new ones will be launched and all previously infected systems will be taken over.
It is not yet clear if the botnet will be bought by anyone. Overall, Phorpiex has a proven track record of making profits, primarily through its spam module and clipboard grabber to steal cryptocurrency.
For example, in 2019, a spam module helped botnet authors get more than $115,000 in profits when they were engaged in so-called “sextortion”. This tactic involves intimidating users: scammers send out spam, in which they try to convince their victims that they have some compromising images or videos, and demand a ransom.
The malware authors also successfully sold access to their bots to ransomware hack groups, and the now defunct Avaddon gang used Phorpiex to deploy their payloads on corporate networks more than once.
Let me remind you that Phorpiex is not the first malware to announce its termination in the past few months. So, in the spring the ransomware Ziggy “closed”, and its operators published the keys to decrypt the data and promised to return the money to the victims.
Then the Avaddon ransomware, whose keys were also published, stopped working. Earlier this month, the hack group El_Cometa, formerly known as SynAck, released master keys for decrypting data. And finally last week the ransomware Ragnarok closed and released a file decryption utility.
User Review( votes)