New Jersey's Cybersecurity and Communications Integration Cell (NJCCIC) reported that since April, threat actors have used the Phorpiex botnet to send millions of phishing emails as part of a LockBit Black ransomware campaign.

The botnet has been active since at least 2016. In the past it has been involved in sextortion spam campaigns, crypto-jacking, cryptocurrency clipping (substituting the wallet address saved in the clipboard with the attacker's wallet address during a transaction) and ransomware attacks.

In August 2021 the criminal organization behind the Phorpiex botnet shut down its operations and put the source code of the bot up for sale on a cybercrime forum on the dark web.

The new variant, dubbed "Twizt," could operate without active C2 servers in peer-to-peer mode: each infected computer can act as a server and relay commands to other bots in a chain. Experts estimated that in one year it allowed the operators to steal crypto assets worth 500,000 dollars.
"Observed instances associated with this campaign were accompanied by the Phorpiex (Trik) botnet, which delivered the ransomware payload. Over 1,500 unique sending IP addresses were identified, many of which were geolocated to Kazakhstan, Uzbekistan, Iran, Russia, China, and other countries," states the report published by the NJCCIC. "Identified IPs hosting LockBit executables were 193[.]233[.]132[.]177 and 185[.]215[.]113[.]66. Subject lines included "your document" and "photo of you???". All associated emails were blocked or quarantined."
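As an added illustration of how a defender would act on the indicators quoted above (this is not code from the NJCCIC report or from Security Affairs), the snippet below refangs the two reported IPs, then scans constructed mail-gateway log lines for the reported sender IPs and lure subject lines. The log format is an assumption; the IPs and subjects are the ones quoted in the report.

```python
import re
from dataclasses import dataclass, field

# Indicators exactly as quoted in the NJCCIC report, in defanged form.
REPORTED_IPS_DEFANGED = ["193[.]233[.]132[.]177", "185[.]215[.]113[.]66"]
REPORTED_SUBJECTS = ["your document", "photo of you???"]


def refang(ioc: str) -> str:
    """Turn a defanged indicator (193[.]233[.]132[.]177) back into a matchable value."""
    return ioc.replace("[.]", ".").replace("hxxp", "http")


# Constructed sample log lines (not real traffic); the key=value format is assumed.
SAMPLE_LOG = """\
2024-05-13T08:01:12Z from=alice@example.com ip=203.0.113.5 subject="Q2 budget"
2024-05-13T08:02:40Z from=news@example.org ip=193.233.132.177 subject="your document"
2024-05-13T08:03:05Z from=bob@example.net ip=198.51.100.7 subject="photo of you???"
2024-05-13T08:04:19Z from=carol@example.com ip=185.215.113.66 subject="re: invoice"
"""

LINE_RE = re.compile(
    r'^(?P<ts>\S+) from=(?P<sender>\S+) ip=(?P<ip>\S+) subject="(?P<subject>[^"]*)"$'
)


@dataclass
class Hit:
    ts: str
    ip: str
    subject: str
    reasons: list = field(default_factory=list)


def scan(log_text: str) -> list:
    """Return one Hit per log line that matches a reported IP or lure subject."""
    ips = {refang(i) for i in REPORTED_IPS_DEFANGED}
    subjects = {s.lower() for s in REPORTED_SUBJECTS}
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that do not fit the assumed format
        reasons = []
        if m["ip"] in ips:
            reasons.append("sender IP in reported list")
        if m["subject"].lower() in subjects:
            reasons.append("subject line matches reported lure")
        if reasons:
            hits.append(Hit(m["ts"], m["ip"], m["subject"], reasons))
    return hits
```

Matching on the subject line alone will catch lures sent from IPs outside the reported pair, which is why both signals are scored separately.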
Pierluigi Paganini

(SecurityAffairs – hacking, Phorpiex botnet)