Phorpiex Malware

Phorpiex is a botnet malware and one of the leading malware threats of 2021. The Phorpiex botnet is well-established and used for a variety of purposes, including spam email mailing, malware delivery, and cryptomining.


Bot Distribution and Installation

A Phorpiex malware infection begins with the delivery of a dropper. This dropper is distributed to systems via various methods, including:

  • Infected USB drives
  • Phishing via instant messaging
  • Dropped by malware, freeware, and unwanted programs
  • Phishing emails
  • Downloads from sites claiming to deliver legitimate software
  • Worm modules built into the malware that let it spread on its own

Once the dropper is installed and running on a system, it communicates with the Phorpiex command and control (C2) servers. These servers deliver the Phorpiex malware and additional payloads or modules that provide particular functionality. A 2021 update called Twizt enables the malware to operate in peer-to-peer (P2P) mode in the absence of active C2 servers.

The Main Ways the Botnet is Monetized

The Phorpiex botnet is primarily used as a means of generating revenue for its operators. Some of the ways in which the botnet’s reach is monetized include:

  • Extortion: The Phorpiex botnet has been used to perform sextortion scams. Infected systems send out spam emails that extort a ransom in exchange for not releasing compromising videos supposedly in the attackers’ possession.
  • Cryptojacking: Cryptojacking malware uses the computational power of infected computers to mine cryptocurrency on the attacker’s behalf. This enables an attacker to earn rewards for creating new blocks on Proof of Work blockchains without paying for the infrastructure and electricity.
  • Cryptocurrency Clipping: To transfer cryptocurrency on the blockchain, users need to input the destination address, which is a large value encoded in hexadecimal. These addresses are easy for software to recognize and are commonly copied and pasted via the system clipboard. Cryptocurrency clipper malware watches the clipboard and substitutes an attacker-controlled address for that of the intended recipient, redirecting the payment to the botnet operator.
  • Malware Delivery: The Phorpiex botnet has been used to deliver a wide range of malware to infected systems. This enables the botnet operators to monetize the reach of Phorpiex by selling access to compromised systems.
  • Ransomware Attacks: In addition to delivering other cyber threat actors’ malware, the Phorpiex botnet has also been used to launch ransomware attacks. This enables the botnet operator to make money by extorting ransoms to restore access to encrypted data.
  • Data Theft: Phorpiex is increasingly stealing and exfiltrating data from infected computers. This information could be used to gain access to other systems and online accounts or to enable fraud or follow-on attacks.
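The clipping technique above is detectable from the defender's side because a clipper rewrites the clipboard within milliseconds of the user's copy, which is something a human rarely does with two different addresses of the same kind. The following is an added example, not Check Point's code and not taken from any Phorpiex sample: it classifies clipboard values by coarse address shape and flags a same-family address-to-address change that happens within a short window. The address patterns, the 1.5 second window and the snapshot data are all assumptions constructed for the example; a real monitor would feed it snapshots from polling the OS clipboard.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Coarse shape checks for common address formats. These are assumptions for the
# example: they recognise the general form only and do not validate checksums.
ADDRESS_PATTERNS = {
    "eth_hex": re.compile(r"^0x[0-9a-fA-F]{40}$"),
    "btc_base58": re.compile(r"^[13][1-9A-HJ-NP-Za-km-z]{25,34}$"),
    "btc_bech32": re.compile(r"^bc1[02-9ac-hj-np-z]{11,71}$"),
}


def address_family(text: str) -> Optional[str]:
    """Return the address family a clipboard value looks like, or None."""
    value = text.strip()
    for family, pattern in ADDRESS_PATTERNS.items():
        if pattern.match(value):
            return family
    return None


@dataclass
class ClipboardSnapshot:
    t_ms: int      # time the clipboard was read, in milliseconds
    content: str   # clipboard text at that moment


@dataclass
class SubstitutionAlert:
    t_ms: int
    family: str
    original: str
    replacement: str


def find_substitutions(snapshots: List[ClipboardSnapshot],
                       max_gap_ms: int = 1500) -> List[SubstitutionAlert]:
    """Flag a clipboard value that changed from one address to a different
    address of the same family within max_gap_ms.

    A clipper polls the clipboard and rewrites it almost immediately after the
    user copies an address, so a same-family change inside a short window is the
    signal; two different addresses copied a minute apart are treated as normal.
    """
    alerts: List[SubstitutionAlert] = []
    for prev, cur in zip(snapshots, snapshots[1:]):
        fam_prev = address_family(prev.content)
        fam_cur = address_family(cur.content)
        if fam_prev is None or fam_cur != fam_prev:
            continue
        if prev.content.strip() == cur.content.strip():
            continue  # same value re-read, nothing changed
        if cur.t_ms - prev.t_ms <= max_gap_ms:
            alerts.append(SubstitutionAlert(
                t_ms=cur.t_ms,
                family=fam_cur,
                original=prev.content.strip(),
                replacement=cur.content.strip(),
            ))
    return alerts


# Constructed clipboard history for the example (placeholder addresses, not real ones).
SAMPLE_SNAPSHOTS = [
    ClipboardSnapshot(0, "draft invoice text"),
    ClipboardSnapshot(5000, "0x" + "ab" * 20),      # user copies a hex address
    ClipboardSnapshot(5040, "0x" + "cd" * 20),      # clipboard rewritten 40 ms later
    ClipboardSnapshot(60000, "bc1q" + "q" * 38),    # a different address, a minute later
    ClipboardSnapshot(120000, "bc1q" + "p" * 38),   # another one after a further minute
]

if __name__ == "__main__":
    for alert in find_substitutions(SAMPLE_SNAPSHOTS):
        print(f"[{alert.t_ms} ms] {alert.family} address replaced: "
              f"{alert.original} -> {alert.replacement}")
```

The heuristic produces a false positive when a user genuinely copies two addresses of the same kind within the window, so an alert is best surfaced as a prompt to re-check the destination before sending rather than as an automatic block. Comparing the pasted value against the one originally copied, as this function does, is also the manual check users should make.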

The Uses of Phorpiex

Phorpiex is a large, well-established botnet. As a result, it is used for a few different purposes, including delivering malware and sending spam emails.

Malware Delivery Botnet

The Phorpiex botnet has been used to deliver a variety of different malware variants. Some of the types of malware delivered by the botnet include:

  • Ransomware
  • Cryptomining
  • Spambots
  • Infostealers

This ability to deliver additional malware makes Phorpiex a significant, dangerous threat. Once the botnet has a foothold on an infected computer, multiple attackers may be provided with access to the system, and it may be infected with various types of malware.

Mailing Botnet

The other primary use of the Phorpiex botnet is as a mailer. Phorpiex has been known to send a variety of spam emails, including:

  • Extortion and sextortion
  • Malware delivery
  • Phishing

How to Protect Against Phorpiex Malware

The Phorpiex malware can be delivered to a system via different means. Some security best practices that help to protect against Phorpiex infections include:

  • Email Scanning: Phorpiex malware can be delivered by phishing emails sent by infected members of the botnet. Email scanning solutions can identify and block these malicious emails from reaching their intended recipients.
  • Security Awareness Training: Malicious emails — including phishing, extortion, and spam emails — are a core component of the Phorpiex botnet’s revenue model. Training employees to identify and properly respond to these emails reduces the risk to the organization.
  • Secure Browsing: Phorpiex malware can be delivered via malicious downloads or bundled with legitimate software. Safe browsing solutions that block visits to malicious or suspicious sites and scan downloads can prevent Phorpiex downloads.
  • Endpoint Security: Phorpiex is a well-known malware variant that should be detected by an up-to-date endpoint security solution. These solutions can identify and prevent Phorpiex infections on a protected endpoint.
  • Network Traffic Analysis: Various activities by the malware can create unusual traffic patterns that may be detected via network traffic analysis.

Phorpiex Protection with Check Point

Phorpiex is a major malware variant, but companies face a wide range of other cyber threats as well. To learn more about the main cybersecurity threats that an organization faces, check out Check Point’s 2022 Cyber Security Report.

Check Point Harmony Endpoint provides protection against Phorpiex malware and other major threats to endpoint security, including zero-day threats. Learn more about Harmony Endpoint’s capabilities by signing up for a free demo.
