.png){kind=logo}
Twitz in the Phorpiex Botnet: New Variant of Cryptocurrency Attacks in 2021
Twtiz is seeking weak links in the cryptocurrency market for new victims
Phorpiex botnet recently came up with a new variant of cryptocurrency attack in the form of Twitz. Phorpiex is known as an old threat that cybercriminals use through sextortion spam campaigns, crypto-jacking, cryptocurrency clipping, and many more. Now, Twitz helped cybercriminals to steal millions of dollars of cryptocurrencies from the cryptocurrency market. Let's dig deep into how cybercriminals are leveraging the new Twitz in the cryptocurrency market.
Twitz helps to allow the Phorpiex botnet to operate successfully without any need for active C&C servers. Crypto-clippers from Phorpiex are known for supporting over thirty digital wallets for multiple blockchains such as Bitcoin, Ethereum, Monero, Dogecoin, and many more. In 2021, Phorpiex botnet has hijacked 969 transactions and stole 55.87 Ether, 3.64 Bitcoin as well as US$55,000 in ERC20 tokens. The total hijacking is worth half a million US dollars in the cryptocurrency market. This new variant of cryptocurrency attack was found in 96 countries while the main victims stay in India, Nigeria, and Ethiopia.
Crypto-clipping is a process of stealing cryptocurrency in a transaction by replacing the address of an original digital wallet with the cybercriminal's digital wallet address in the clipboard. Victims of this new variant of cryptocurrency attack unknowingly copy-paste the fake address from the clipboard and make a way for them to steal the money. There has been an increase in crypto-clipping and the consequence leads to a massive risk of financial loss in the cryptocurrency market.
Twitz is named after the mutex used by the first bot that appeared a while ago. The new Phorpiex botnet does not execute if there is a default locale abbreviation of a user is UKR for Ukraine. It uses SSDP to explore and discover gateway devices in the local network of the targeted computer system. It is known for communicating with its own binary protocol over TCP or UDP to connect to the C&C server as well as other defective machines.
