The Phorpiex botnet has returned with a vengeance

by Radu Tyrsina
  • The Microsoft security team is currently investigating the infamous Phorpiex botnet.
  • This malicious software is known to spread the Avaddon ransomware on users' PCs.
  • Phorpiex bot disables the Microsoft Defender antivirus in order to conduct the attack.
  • Users can stay protected by not downloading unsafe content and limiting PC access.
Microsoft investigates Phorpiex malware bot

In an ever-changing online environment, keeping track and dealing with ransomware-spreading malware has always proved to be a daunting task.

Security teams everywhere are scrambling to meet these new threats head-on, but the complexity and stubbornness of some malicious software may sometimes make these efforts seem futile.

A new variation of the botnet is causing trouble online

Back in September, when Phorpiex was still causing mayhem, it was distributing a new malware variant called Twizt, one that allows the botnet to operate without centralized command and control servers.

The new and improved Twizt Phorpiex variant has a peer-to-peer command and control system that allows the various infected devices to relay commands to each other if the static command and control servers are offline.

This means that each of the infected computers can act as a server and send commands to other bots in a chain.

Also worth noting is that the latest P2P infrastructure also allows the operators to change the IP address of the main C2 servers as necessary while remaining hidden within a swarm of infected Windows machines.

As for the other new features that come with this Twizt variant, it has a peer-to-peer operation mode (no C2) and a data integrity verification system.

Also included is a custom binary protocol (TCP or UDP) with two layers of RC4 encryption.

Furthermore, Twizt can also download additional payloads through a list of hard-coded base URLs and paths or after receiving the corresponding command from the C2 server.

Phorpiex botnet is under Microsoft’s security surveillance

Microsoft is currently conducting an ample investigation against this malware botnet.

Even though this malicious software has been plaguing the internet for quite some time, the security team is uncovering new details on its spreading technique and operating methods.

The Phorpiex botnet is used to deliver ransomware and spam emails, Microsoft says.

This botnet’s targeting for bot distribution and installation also expanded, as more recent activity shows a shift to a more global distribution. Statistics confirm Phorpiex to now be present in over 160 countries.

One of the main reasons why Microsoft is taking an interest in Phorpiex is that the bot disables the Microsoft Defender antivirus in order to maintain persistence on the targeted devices.

This includes modifying registry keys to disable firewall and antivirus popups or functionality, overriding proxy and browser settings, setting the loader and executables to run at startup, and adding these executables to the authorized application lists.
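The four persistence areas listed above can be audited from the defender's side. The script below is an added example, not from the article or from Microsoft; it assumes Windows PowerShell 5.1 or later with the Defender and NetSecurity modules present, and its "user-writable folder" heuristic and the fields it reports are assumptions chosen for illustration.

```powershell
# Added audit script (not from the article or from Microsoft). It only reads
# settings and changes nothing. Registry paths are standard Windows locations;
# treating user-writable folders as "suspicious" is an assumed heuristic, not
# an indicator published for Phorpiex.
$UserWritable = '(?i)\\(AppData|Temp|ProgramData|Users\\Public)\\'

function Test-SuspiciousPath([string]$Path) {
    # Assumption: persistence launched from user-writable folders warrants review.
    return ($Path -match $UserWritable)
}

function Get-DefenderState {
    # Policy value that can switch Defender off, plus the live tamper-protection flag.
    $pol = Get-ItemProperty 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender' -ErrorAction SilentlyContinue
    $mp  = Get-MpComputerStatus -ErrorAction SilentlyContinue
    [pscustomobject]@{
        DisableAntiSpywarePolicy = $pol.DisableAntiSpyware
        TamperProtected          = $mp.IsTamperProtected
        RealTimeProtection       = $mp.RealTimeProtectionEnabled
    }
}

function Get-SuspiciousRunEntries {
    # Startup entries (the "run at startup" step) that point into user-writable folders.
    foreach ($hive in 'HKLM', 'HKCU') {
        $props = Get-ItemProperty "${hive}:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" -ErrorAction SilentlyContinue
        if (-not $props) { continue }
        foreach ($p in ($props.PSObject.Properties | Where-Object { $_.Name -notlike 'PS*' })) {
            if (Test-SuspiciousPath $p.Value) {
                [pscustomobject]@{ Hive = $hive; Name = $p.Name; Command = $p.Value }
            }
        }
    }
}

function Get-SuspiciousFirewallAllows {
    # Enabled allow rules (the "authorized application list" step) for programs in user-writable folders.
    Get-NetFirewallRule -Action Allow -Enabled True -ErrorAction SilentlyContinue | ForEach-Object {
        $prog = ($_ | Get-NetFirewallApplicationFilter).Program
        if ($prog -and (Test-SuspiciousPath $prog)) {
            [pscustomobject]@{ Rule = $_.DisplayName; Program = $prog }
        }
    }
}

Get-DefenderState
Get-SuspiciousRunEntries
Get-SuspiciousFirewallAllows
# Proxy settings (the "overriding proxy settings" step) for the current user.
Get-ItemProperty 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings' | Select-Object ProxyEnable, ProxyServer, AutoConfigURL
```

Run it from an elevated prompt so the HKLM keys and firewall rules are readable; any flagged entry is a starting point for review, not a verdict.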

Why is Phorpiex so dangerous?

The Phorpiex botnet is known to have been used in order to distribute malware payloads such as GandCrab and Avaddon ransomware, or for sextortion scams.

According to Microsoft, the Avaddon ransomware is capable of performing language and regional checks for Russia or Ukraine before running, to ensure only favored regions are targeted.

Apparently, Avaddon generally makes ransom demands of around $700 worth of Bitcoin. That’s a hefty price to pay just because you haven’t protected your computer.

How can I protect myself against Phorpiex?

The first and most important piece of advice would be to not download unsafe content or apps that were not developed by a trustworthy company.

You can also keep yourself safe by limiting the people who have access to your computer and sensitive information.

Another way to prevent these attempts is by enabling tamper protection in Microsoft Defender for Endpoint, which is Microsoft’s cloud-based advanced security feature.

This option will automatically revert all the changes that the bot constantly tries to perform on your machine.

What other steps are you taking in order to avoid becoming a victim of ransomware attacks? Tell us about your experience in the comments section below.
