{
	"id": "8368bcc0-118c-4d43-845e-8e8a5f9ee446",
	"created_at": "2026-05-07T02:43:29.693856Z",
	"updated_at": "2026-05-07T02:44:10.953395Z",
	"deleted_at": null,
	"sha1_hash": "3c9beee956049cfb79f1fd3eac93457dce58f6f3",
	"title": "Phorpiex botnet is back with a new Twizt: Hijacking Hundreds of crypto transactions",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 149133,
	"plain_text": "Phorpiex botnet is back with a new Twizt: Hijacking Hundreds of\r\ncrypto transactions\r\nBy alexeybu\r\nPublished: 2021-12-16 · Archived: 2026-05-07 02:31:10 UTC\r\nResearch by: Alexey Bukhteyev\r\nCheck Point Research (CPR) spotted the resurgence of Phorpiex, an old threat known for its sextortion\r\nspam campaigns, crypto-jacking, cryptocurrency clipping and ransomware spread\r\nThe new variant “Twizt” enables the botnet to operate successfully without active C\u0026C servers\r\nPhorpiex crypto-clipper supports more than 30 wallets for different blockchains\r\nIn one year, Phorpiex bots hijacked 969 transactions and stole 3.64 Bitcoin, 55.87 Ether, and $55,000 in\r\nERC20 tokens accounting for almost half a million in US dollars\r\nBackground\r\nPhorpiex, an old threat known since 2016, was initially known as a botnet that operated using IRC protocol (also\r\nknown as Trik). In 2018-2019 Phorpiex switched to modular architecture and the IRC bot was replaced with Tldr\r\n– a loader controlled through HTTP that became a key part of the Phorpiex botnet infrastructure. In our 2019\r\nPhorpiex Breakdown  research report, we estimated over 1,000,000 computers were infected with Tldr.\r\nPhorpiex is mostly known for its massive sextortion spam campaigns, crypto-jacking (cryptocurrency mining\r\ninfected machines), spreading ransomware, and cryptocurrency clipping. In the summer of 2021, the activity of\r\nPhorpiex command and control servers (C\u0026C) dropped sharply. The C\u0026C servers were shut down in July, and\r\nthere was no activity for about two months. On August 27 an announcement was spotted on an underground\r\nforum, allegedly from the botnet owners, that stated they were going out of business and sold off the source code.\r\nPhorpiex botnet sale announcement\r\nFigure 1 – Phorpiex botnet sale announcement\r\nFrom this announcement, we can hypothesize that the botnet was developed and controlled by two individuals. 
We\r\ndon’t know if the botnet was actually sold. However, less than two weeks later, the C\u0026C servers were back online\r\nat another IP address (185.215.113.66) of the same sub-network and later switched to 185.215.113.84:\r\nFigure 2 – Phorpiex C\u0026C server IP addresses\r\nSimultaneously, the C\u0026C servers started distributing a bot that had never been seen before. It was called “Twizt” and\r\nenables the botnet to operate successfully without active C\u0026C servers, since it can operate in peer-to-peer mode.\r\nThis means that each of the infected computers can act as a server and send commands to other bots in a chain. As\r\nhttps://research.checkpoint.com/2021/phorpiex-botnet-is-back-with-a-new-twizt-hijacking-hundreds-of-crypto-transactions/\r\nPage 1 of 22\n\na really large number of computers are connected to the Internet through NAT routers and don’t have an external\r\nIP address, the Twizt bot reconfigures home routers that support UPnP and sets up port mapping to receive\r\nincoming connections. The new bot uses its own binary protocol over TCP or UDP with two layers of RC4\r\nencryption. It also verifies data integrity using RSA and RC6-256 hash function.\r\nThe emergence of such features suggests that the botnet may become even more stable and therefore, more\r\ndangerous.\r\nMalware prevalence and targets\r\nIn our telemetry throughout the year, we saw an almost constant number of Phorpiex victims, which persisted\r\neven during periods of the C\u0026C servers’ inactivity. The numbers began to increase over the last 2 months. In\r\n2021, Phorpiex bots were found in 96 countries. Most Phorpiex victims are located in Ethiopia, Nigeria and India:\r\nFigure 3 – Phorpiex victims in 2021 grouped by country\r\nThousands of victims, hundreds of thousands of dollars lost\r\nAside from the new version of the bot, the methods of monetization have not changed. 
In our previous research, we\r\nfocused on sextortion campaigns and cryptocurrency mining. At that time, Phorpiex’s revenues from crypto-clipping were not very significant.\r\nSo, what is crypto-clipping? Cryptocurrency clipping (or crypto-clipping) is stealing cryptocurrency during a\r\ntransaction, by substituting the original wallet address saved in the clipboard with the attacker’s wallet address.\r\nWhen we browse the Internet, we use human-readable domain names that are easy to remember. However, in all\r\npopular blockchains there are no analogues for domain names, and the addresses are too long to be typed\r\nmanually. For example, an address on Ethereum looks like this:\r\n0x4f4b547309a9Ca52B154E19489cc9A3e3BD60dEf\r\nTherefore, it’s common to use the clipboard to copy and paste such a long address. When the victim of the crypto-clipper pastes the wallet address, they unknowingly paste the attacker’s address instead. With the growing\r\npopularity of blockchain technology, cryptocurrency clipping carries an increasing risk of large financial losses.\r\nInfostealers and remote access Trojans rely on C\u0026C servers to get commands and send stolen data. If malware\r\nimplements the crypto-clipping functionality, it can work successfully without any C\u0026C servers. Therefore, when\r\nthe Phorpiex C\u0026C servers go down there is no downtime because hundreds of thousands of bots remain installed\r\nand continue to steal victims’ money.\r\nShutting down the botnet’s command and control infrastructure and arresting its authors will not protect those who\r\nare already infected with Phorpiex. 
Due to the nature of the blockchain the stolen money cannot be returned if we\r\ndo not know the private keys of the wallets used by the malware.\r\nBy The Numbers\r\nThe Phorpiex crypto-clipper supports over 30 wallets for different blockchains, including Bitcoin, Ethereum,\r\nDogecoin, Dash, Monero, and Zilliqa. We focused only on the most popular blockchains – Bitcoin and Ethereum.\r\nWe managed to find 60 unique Bitcoin wallets and 37 Ethereum wallets used by the Phorpiex crypto-clipper.\r\nMany wallets have been active for several years. An outstanding example is the Bitcoin wallet\r\n1DYwJZfyGy5DXaqXpgzuj8shRefxQ7jCEw that first appeared in 2018 in Phorpiex bots. The C\u0026C servers for\r\nbots that use this wallet are offline. However, the bots are still active. The wallet received 11 Bitcoins in more than\r\n500 transactions:\r\nFigure 4 – One of Phorpiex Bitcoin wallets\r\nIn a one-year period between November 2020 and November 2021, Phorpiex bots hijacked 969 transactions and\r\nstole 3.64 Bitcoin, 55.87 Ether, and $55,000 in ERC20 tokens. In 2021, the price of Bitcoin and Ethereum\r\nincreased significantly. 
The value of the stolen assets in current prices is almost half a million US dollars.\r\nHowever, between April 2016 and November 2021, Phorpiex bots hijacked approximately 3000 transactions with a\r\ntotal value of approximately 38 Bitcoin, and 133 Ether.\r\nFigure 5 – Number of Bitcoin and Ethereum transactions hijacked by Phorpiex bots per month over time\r\nThe total value of the stolen money could be even higher because we didn’t include other blockchains in our\r\nresearch.\r\nThe average stolen value in hijacked transactions is not very large and decreases when the cryptocurrency price\r\nrises. The following chart shows how the average amount hijacked changes over time:\r\nFigure 6 – Average hijacked Ethereum transaction\r\nSeveral times Phorpiex was able to hijack transactions of large amounts. The largest amount for an intercepted\r\nEthereum transaction was 26 ETH:\r\nFigure 7 – The largest hijacked Ethereum transaction.\r\nIn some cases, users tried to send cryptocurrency multiple times but ended up sending it to the cybercriminals’\r\nwallet instead.\r\nPhorpiex Twizt technical details\r\nTwizt got its name from the mutex used by the first bot that appeared in the wild:\r\nFigure 8 – New bot uses the mutex name “TWiZT”\r\nWe do not describe the initialization steps and persistence methods here because they are almost the same as those\r\nused in the Tldr bot. 
We’ll focus on the distinctive features of the new bot.\r\nLocale checks\r\nSome recent samples of the bot (MD5: ec96bcc50ca8fa91821e820fdfe30915) check for the user’s default locale.\r\nThe bot does not execute if the user’s default locale abbreviation is “UKR” (Ukraine).\r\nFigure 9 – Twizt bot checks user’s default locale\r\nThis may be a sign that the botnet operators are from Ukraine, as usually cybercriminals avoid distributing\r\nmalware in their country of origin.\r\nRouter reconfiguring using UPnP\r\nThe malware uses SSDP to discover gateway devices in the local network of the targeted computer. It sends an\r\n“M-SEARCH” request to 239.255.255.250:1900 through UDP transport.\r\nFigure 10 – Twizt bot discovers gateway devices in the local network using SSDP\r\nIf the targeted computer is connected to the Internet using a router with UPnP enabled, the response contains its IP\r\naddress within the local network. For example:\r\nHTTP/1.1 200 OK\r\nCACHE-CONTROL: max-age=120\r\nST: urn:schemas-upnp-org:device:InternetGatewayDevice:1\r\nUSN: uuid:17271680-1dd2-11b2-b1be-283b822841ed::urn:schemas-upnp-org:device:InternetGatewayDevice:1\r\nEXT:\r\nSERVER: D-Link/Russia UPnP/1.1 MiniUPnPd/1.8\r\nLOCATION: http ://192.168.0.1:50680/rootDesc.xml\r\nOPT: \"http ://schemas.upnp.org/upnp/1/0/\"; ns=01\r\n01-NLS: 1\r\nBOOTID.UPNP.ORG: 1\r\nCONFIGID.UPNP.ORG: 1337\r\nThe malware queries the local router using the supplied URL and parses the XML response. 
It searches for one of\r\nthese services:\r\nurn:schemas-upnp-org:service:WANIPConnection:1\r\nurn:schemas-upnp-org:service:WANPPPConnection:1\r\nand extracts the “controlURL”:\r\n\u003cservice\u003e\r\n \u003cserviceType\u003eurn:schemas-upnp-org:service:WANIPConnection:1\u003c/serviceType\u003e\r\n \u003cserviceId\u003eurn:upnp-org:serviceId:WANIPConn1\u003c/serviceId\u003e\r\n \u003cSCPDURL\u003e/igd_wic.xml\u003c/SCPDURL\u003e\r\n \u003ccontrolURL\u003ehttp ://192.168.0.1:50680/upnp/control?WANIPConnection\u003c/controlURL\u003e\r\n \u003ceventSubURL\u003ehttp ://192.168.0.1:50680/upnp/event?WANIPConnection\u003c/eventSubURL\u003e\r\n\u003c/service\u003e\r\nThe “controlURL” is then used to add UDP and TCP port mapping for the port used by the malware (we\r\nobserved ports 48755, 40555, 40500):\r\nFigure 11 – Template of the request sent to configure port mapping\r\nIt enables the malware to receive incoming connections from other bots even if the infected computer is behind a\r\nNAT router.\r\nCrypto-clipping\r\nCrypto-clipping is implemented differently than it was in Tldr. The Twizt bot creates a message-only window\r\n(HWND_MESSAGE as the parent window handle) with a random classname. The clipboard swapping function\r\nis registered as a window procedure:\r\nFigure 12 – Creating a message-only window\r\nThe new malware version supports 35 types of wallets. 
Because of the wide variation, it has become more difficult to\r\nidentify the corresponding cryptocurrencies:\r\nFigure 13 – List of cryptocurrency wallets used by Twizt\r\nFrom the Phorpiex botnet sale announcement, we learned that the crypto-clipper supports the following\r\nblockchains and services:\r\nLISK, POLKADOT, BITCOIN, WAVES, DASH, DOGECOIN, ETHEREUM, LITECOIN, RIPPLE,\r\nBITTORRENT, ZCASH, TEZOS, ICON, QTUM, RAVENCOIN, NEM, NEO, SMARTCASH, ZILLIQA,\r\nZCASH PRIVATE, YCASH, BITCOIN CASH, COSMOS, MONERO, CARDANO, GROESTLCOIN,\r\nSTELLAR, BITCOIN GOLD, BAND PROTOCOL, PERFECT MONEY USD, PERFECT MONEY EURO,\r\nPERFECT MONEY BTC.\r\nCommunication protocol\r\nThe Twizt bot communicates using its own binary protocol over TCP or UDP. The protocol allows it to connect to\r\nthe C\u0026C server as well as other infected machines and get commands from them if the main C\u0026C server is\r\nunavailable. Early versions of the Twizt bot only had one hard-coded IP address for the C\u0026C server.\r\nLater, the Twizt bot binary got an embedded list of IP addresses for 512 nodes in its configuration. In addition, it\r\nstill received the updated list of nodes from another node or from the C\u0026C server. The Twizt bot has the capability\r\nto exchange encrypted messages with other nodes.\r\nFigure 14 – Twizt bot raw communication example\r\nMessages use several layers of encryption for important data. Each encrypted message has a very simple format:\r\nThe data is encrypted with the hard-coded key “twizt)”, which is the same in all the researched samples. 
The\r\ndecrypted message looks like this:\r\nFigure 15 – Decrypted message from the bot\r\nRegardless of the message direction, it has the following mandatory fields:\r\nMurmurhash3 – The hash value is calculated for the entire decrypted message (excluding the hash field\r\nitself). If the hash is invalid, the message is not processed by the node.\r\nRandom number – This is likely added to make every message unique. If this field is omitted, all\r\nencrypted messages that carry the same payload would also be the same, and could be easily detected as\r\nmalicious traffic.\r\nNodeA SID / NodeB SID – A local or remote node unique session identifier, generated randomly by the\r\nnode.\r\nMessage Type – Determines the kind of payload carried by the message.\r\nFlag – Unknown, can be 0 or 1.\r\nPayload size – Cannot be less than 8.\r\nPayload – May have different lengths and formats and may vary depending on the Message Type field.\r\nThe payload also includes a NodeA SID/NodeB SID field and the payload data. The NodeB SID field may\r\ncontain a local or remote node unique session identifier. In the first request, this value is 0 (8 bytes). In\r\nother requests, it may take values provided by another node or can be set to this node’s SID depending on the\r\nMessage Type.\r\nThese message types are supported:\r\n00 00 00 00 – Beaconing message\r\n01 00 00 00 – Update node list\r\n02 00 00 00 – Node list update acknowledge\r\n03 00 00 00 – Download and execute\r\nCommunication flow\r\nThe following diagram shows the communication flow between two nodes:\r\nFigure 16 – Example of Twizt bots communication flow\r\nIn the picture above, “Node A” represents a local node (client); “Node B” represents a remote node (server). 
After\r\nperforming a full exchange cycle, the malware continues communication with the beaconing message.\r\nBeaconing message (Node A -\u003e Node B)\r\nCommunication starts with a beaconing message sent by the client (the node that initiates the connection). This\r\ntype of message has the following features:\r\nNodeA SID – Set to a pre-generated random number.\r\nMessage type – Equal to 0.\r\nPayload size – Is always 8.\r\nThe payload contains the fields:\r\nNodeB SID – Is 4 zero bytes.\r\nPayload data – Is 4 zero bytes.\r\nFigure 17 – Beaconing message example\r\nUpdate node list (Node B -\u003e Node A)\r\nThe server usually sends this message in reply to the first valid beaconing message. In the Update node list\r\nmessage:\r\nNodeA SID – Set to the value previously provided by the client\r\nMessage type – Equal to 1\r\nThe payload contains the fields:\r\nNodeB SID – The number generated by the server\r\nPayload data – Contains a list of nodes\r\nRSA trailer – 256-byte RSA-encrypted trailer. Contains data that is not used by the malware in this\r\nmessage type.\r\nFigure 18 – Example of updated node list message\r\nThe payload data contains a list of 24-byte structures containing the node IP addresses. The list is prepended by\r\nthe number of nodes (0x10 in the example above) and 4 zero bytes. Every entry in the list has the following\r\nformat:\r\nThe Rank field shows how many seconds elapsed since the node was online. The nodes are sorted in ascending\r\norder of rank. The C\u0026C server (or another node) sends the client the list of 16 nodes that were recently online.\r\nAfter sending this message, the remote host also sends a message with the code 0 (beaconing message). 
However,\r\nthe fields NodeA SID and NodeB SID swap places:\r\nFigure 19 – Beaconing message sent after the Update node list message\r\nNode list update acknowledge (Node A -\u003e Node B)\r\nAfter receiving the node list, the client sends the acknowledge message. Please note that NodeB SID goes first in\r\nthese messages.\r\nIn the Node list update acknowledge message:\r\nMessage type – Equal to 2.\r\nFigure 20 – Update nodes acknowledge message example\r\nThe client then sends the Update node list message that includes its list of the top active nodes:\r\nMessage type – Equal to 1.\r\nFigure 21 – Update node list message sent by the client\r\nThis enables both the client and the server to exchange their lists of nodes.\r\nRun command (Node B -\u003e Node A)\r\nIn response to the Update node list message from the client, the server may send a command to download and run\r\nanother executable file. NodeB SID goes first in this kind of message.\r\nMessage type – Equal to 3.\r\nRSA-encrypted data – 256-byte buffer that can be decrypted with the RSA public key from the malware\r\nconfiguration. This buffer is equal to the RSA trailer from the Update node list message. 
The buffer\r\ncontains the RC4 key and the hash value required to verify integrity and decrypt the command body with\r\nRC4-encrypted URLs.\r\nRC4-encrypted URLs – Encrypted command body that contains one or several RC4-encrypted URLs to\r\ndownload the files to execute.\r\nFigure 22 – Example of run command message\r\nThe RSA-encrypted data is decrypted using the RSA public key from the malware configuration. The decrypted\r\ndata has the following format and contains the 20-byte RC4 key used to decrypt the command data (the\r\nURL in this case), and the MD6-512 hash (64 bytes) of the RC4-encrypted data. The rest of the data that\r\nfollows the MD6 hash is not used.\r\nFigure 23 – RSA-decrypted content of the Run command message\r\nThe “Unknown1” and “Unknown2” fields from the RSA-buffer have an unknown purpose and are not used\r\nduring the command parsing. The “Encrypted data length” field contains the length of the RC4-encrypted data.\r\nAfter decrypting the RSA-buffer, we can also decrypt the URL. The entire decryption flow is listed below:\r\nFigure 24 – Decryption and integrity verification flow for the Run command message\r\nWe can’t create the RSA-encrypted data, because we don’t have the private key. However, if we extract the RC4\r\nkey from the RSA-encrypted data received from the C\u0026C server, we can encrypt the fake URL using this key. 
The\r\nbot can successfully decrypt the fake URL, but the command will not be executed because it verifies the message\r\nintegrity using the 64-byte MD6 hash value that is also stored in the RSA-encrypted data (see Figure 24).\r\nUsing the modified MD6-512 algorithm, Twizt calculates the 64-byte hash value from the RC4-encrypted URLs\r\n(indicated by the red box in Figure 24) and compares it with the reference value from the RSA-encrypted data. If\r\nthe values are not equal, the command is not executed.\r\nFigure 25 – MD6 hash verification\r\nAn early Twizt version supported only one URL. Newer versions of the Twizt bot support multiple URLs in the\r\nfollowing format:\r\nd|http ://185.215.113[.]84/alfa_|http ://185.215.113[.]84/beta_\r\nThe character “d” in the prefix likely means “download”. At this moment, only the “download” command is\r\nsupported:\r\nFigure 26 – Parsing the decrypted command body\r\nNode list file\r\nAs Twizt is a peer-to-peer bot, it needs to store data about other known nodes and the commands that it receives\r\nwhile distributing them further. When the malware receives an updated list of nodes, it saves this list into a hidden\r\nconfiguration file “nodescfg.dat” located in the %userprofile% directory:\r\nFigure 27 – Nodes configuration file path\r\nThe node data is stored (not encrypted) in 8-byte structures:\r\nThe “Last access timestamp” field is the number of seconds since 1980 to the moment when the node was last\r\nonline. 
It’s obtained using the NtQuerySystemTime and RtlTimeToSecondsSince1980 functions:\r\nFigure 28 – Setting the last access timestamp for a node that is accessed successfully.\r\nHere is an example of the node list file content:\r\nFigure 29 – Node list file format\r\nThe file with the list of nodes is loaded when the malware is launched. In this way, the bot saves a list of nodes for\r\nuse after a reboot.\r\nCommand configuration file\r\nWhen the Twizt bot receives a command from the C\u0026C server or another node, it saves the command to the file\r\n“cmdcfg.dat” located in the %userprofile% directory. The command is saved in the same form as it was\r\nreceived from the server. Therefore, it includes the RSA-encrypted header and the RC4-encrypted command data.\r\nFigure 30 – Command configuration file format\r\nWhen the malware acts as a server, it sends the data loaded from the command configuration file unchanged. This\r\nallows the bots to exchange the commands received from the C\u0026C server without having the RSA private key to\r\nsign the commands.\r\nDownloader\r\nThere are two cases when the Twizt bot can download additional payloads.\r\nThe first option is using a hard-coded base URL and a list of paths. Twizt tries to download payloads from the\r\nresulting URLs one after another. Twizt typically uses six paths. We observed the following path combinations:\r\n“a_”, “b_”, “c_”, “d_”, “e_”, “f”\r\n“alpha_”, “beta_”, “gamma_”, “delta_”, “epsilon_”, “zeta_”\r\n“1”, “2”, “3”, “4”, “5”, “6”\r\nThe malware goes over the paths and checks them one by one appended to the base URL\r\n(“http://185[.]215.113.84/” and “http://185[.]215.113.84/twizt/” in the analyzed samples). 
The delay between the\r\nchecks is 1 second. The download attempts are performed in an infinite loop in a separate thread. Twizt uses a long\r\ndelay of 90 seconds between the download cycles:\r\nFigure 31 – Downloading payloads from URLs stored in the sample\r\nThe second case in which Twizt can download additional payloads is when it receives the corresponding command\r\nfrom the C\u0026C server or another node. Before trying to download the payload, the malware checks its size. The\r\npayload will not download if its size is less than 5000 bytes.\r\nThe malware expects to receive an encrypted file, which is saved in the “%temp%” folder under the name\r\n“%temp%\\{n1}{n2}.exe”, where {n1} and {n2} are random numbers between 10000 and 40000. Twizt uses the\r\nfollowing User-Agent header to download files:\r\nMozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/93.0.4577.82\r\nPayload decryption\r\nAfter the payload downloads, it is saved in the original encrypted form. The malware maps the file data into the\r\nmemory using CreateFileMapping/MapViewOfFile. 
The first 256 bytes of the file are the RSA-encrypted header.\r\nThe payload data is decrypted using the 16-byte RC4 key from the header.\r\nLet’s consider the sample with MD5 hash “9fa3010c557db8477aec95587748dc82”, which contains the following RSA\r\npublic key:\r\nN = 0xa6e5d02b03a9d9613b9e5df849618cbdc20e8f208eb67d60b21977c3768d1b8ffa42314097a455ff94d9726b2560598366d5f9119\r\nE = 0x010001\r\nAfter communicating with the C\u0026C server the bot downloaded a file with MD5 hash\r\n“43750aaa981077dde08d61fe2b7d1578” from the URL “http://185[.]215.113.84/xgettin”.\r\nThe file starts with the RSA-encrypted header with a length of 256 bytes:\r\nFigure 32 – Encrypted content of the file downloaded by Phorpiex\r\nAfter decrypting the header using the RSA public key, it has a very simple format:\r\nWe can use the RC4 key from the header to decrypt the payload:\r\nFigure 33 – Decryption of the file downloaded by Phorpiex\r\nWhen the payload is prepared on the C\u0026C server, the murmurhash3 128-bit value of the non-encrypted payload\r\nis used as the RC4 key during the payload encryption. Twizt calculates the murmurhash3 value of the decrypted\r\npayload and compares it with the RC4 key. The malware executes the payload only if the values are the same:\r\nFigure 34 – Integrity verification of the downloaded file\r\nConclusion\r\nUntil recently, Phorpiex was not considered a sophisticated botnet. All of its modules were simple and performed\r\nthe minimal number of functions. 
Earlier versions of the Tldr module did not use encryption for the payloads.\r\nHowever, this did not prevent the botnet from successfully achieving its goals.\r\nMalware with the functionality of a worm or a virus can continue to spread autonomously for a long time without\r\nany further involvement by its creators. However, in most cases the creators need to use C\u0026C servers to control\r\nthe bots to be able to profit from the botnet. We should note that for a botnet on the scale of Phorpiex, it is quite\r\ndifficult to find reliable hosting that does not block the C\u0026C server. The creators are further disadvantaged if the\r\nIP addresses of the C\u0026C servers are added to deny-lists, thereby reducing the efficiency of controlling the botnet.\r\nChanging the IP address of the C\u0026C server can be very difficult.\r\nThe Phorpiex botnet uses techniques that effectively achieve its goals without C\u0026C servers. In our report, we\r\nshowed that a cryptocurrency clipping technique for a botnet of this scale can generate significant profits\r\n(hundreds of thousands of US dollars annually), and does not require any kind of management through C\u0026C servers.\r\nIn the past year, Phorpiex received a significant update that transformed it into a peer-to-peer botnet, allowing it to\r\nbe managed without having a centralized infrastructure. The C\u0026C servers can now change their IP addresses and\r\nissue commands, hiding among the botnet victims.\r\nTips to stay safe\r\n1. When users copy and paste a crypto wallet address, always double check that the original and pasted\r\naddresses match.\r\n2. Before sending large amounts in crypto, first send a probe “test” transaction with a minimal amount.\r\n3. Keep your operating system updated and do not download software from unverified sources.\r\n4. Skip the ads. If you are looking for wallets or crypto trading and swapping platforms in the crypto space,\r\nalways look at the first website in your search and not in the ad. 
These may mislead you as CPR has found scammers using Google Ads to steal crypto wallets.\r\n5. Always double-check the URLs!\r\nCheck Point Protections\r\nCheck Point Infinity is a unified security architecture that delivers real-time threat prevention of both known and unknown threats, simultaneously protecting the network, cloud, endpoints and mobile and IoT devices, and provides protections against this threat.\r\nThreat Emulation protections:\r\nWorm.Win.Phorpiex.gl.O\r\nWorm.Win.Phorpiex.ZF\r\nAnti-Bot protections:\r\nWorm.Win32.Phorpiex.C\r\nWorm.Win32.Phorpiex.D\r\nWorm.Win32.Phorpiex.H\r\nAppendix A: Indicators of Compromise\r\nSHA256:\r\nC\u0026C servers:\r\nAppendix B: Cryptocurrency wallets\r\nBitcoin address Transactions Total value (BTC)\r\nTotal 2326 38.40704253\r\nEthereum address Transactions Total value (ETH)\r\nTotal 364 133.2762441\r\nSource: https://research.checkpoint.com/2021/phorpiex-botnet-is-back-with-a-new-twizt-hijacking-hundreds-of-crypto-transactions/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://research.checkpoint.com/2021/phorpiex-botnet-is-back-with-a-new-twizt-hijacking-hundreds-of-crypto-transactions/"
	],
	"report_names": [
		"phorpiex-botnet-is-back-with-a-new-twizt-hijacking-hundreds-of-crypto-transactions"
	],
	"threat_actors": [],
	"ts_created_at": 1778121809,
	"ts_updated_at": 1778121850,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/3c9beee956049cfb79f1fd3eac93457dce58f6f3.pdf",
		"text": "https://archive.orkl.eu/3c9beee956049cfb79f1fd3eac93457dce58f6f3.txt",
		"img": "https://archive.orkl.eu/3c9beee956049cfb79f1fd3eac93457dce58f6f3.jpg"
	}
}