SecurityBrief Asia - Technology news for CISOs & cybersecurity decision-makers
Asia
Guides
#
cloud security
#
cybersecurity
#
endpoint protection
#
firewall
#
ransomware
Search
Story image
#
Cybersecurity
#
Check Point Software
#
Crypto Jacking
New botnet uncovered known for sextortion and crypto-jacking
Fri, 17th Dec 2021
FYI, this story is more than a year old
Author image
By Shannon Williams, Journalist
Follow us

Check Point Research is warning of a new variant of Phorpiex, a botnet known for sextortion and crypto-jacking.

CPR estimates the botnet has stolen nearly half a million dollars' worth of cryptocurrency through a technique known as “crypto clipping”. The new variant, called Twizt, operates without active command and control servers, meaning each computer that it infects can widen the botnet.

How Twizt Works

According to CPR, Twizt leverages a technique called “crypto clipping”, which is the theft of cryptocurrency during transactions through the use of malware that automatically substitutes the intended wallet address with the threat actor's wallet address, resulting in the funds entering the wrong hands.

Victims

In a one-year period, between November 2020 to November 2021, Phorpiex bots hijacked 969 transactions, stealing 3.64 Bitcoin, 55.87 Ether, and $55,000 in ERC20 tokens, with the stolen assets in current prices valuing to almost half a million US dollars. Several times, Phorpiex was able to hijack large amounts transactions. The largest amount for an intercepted Ethereum transaction was 26 ETH.

Alexander Chailytko, cyber security research - innovation manager at Check Point Software, says there are three main risks involved with the new variant of Phorpiex.

"First, Twizt uses peer-to-peer model and is able to receive commands and updates from thousands of other infected machines. A peer-to-peer botnet is harder to take down and disrupt its operation," Chailytko says.

"This makes Twizt more stable than previous versions of Phorpiex bots. Second, as well as old versions of Phorpiex, Twizt is able to steal crypto without any communication with C-C, therefore, it is easier to evade security mechanisms, such as firewalls in order to do damage," he says.

"Third, Twizt supports more than 30 different cryptocurrency wallets from different blockchains, including major ones such as Bitcoin, Ethereum, Dash, Monero."

Chailytko says this makes for a huge attack surface, and basically anyone who is utilising crypto could be affected.

"I strongly urge all crypto currency users to double check the wallet addresses they copy and paste, as you could very well be inadvertently sending your crypto into the wrong hands.

Security Tips

Check wallet address. When users copy and paste a crypto wallet address, always double check that the original and pasted addresses match.
Test transactions. Before sending large amounts in crypto, first send a probe “test” transaction with minimal amount.
Stay updated. Keep operating system updated, do not download software from unverified sources.
Skip the ads. If you are looking for wallets or crypto trading and swapping platforms in the crypto space, always look at the first website in your search and not in the ad. These may mislead you as CPR has found scammers using Google Ads to steal crypto wallets.
Look at URLs. Always double-check the URLs!

Related stories
Half of online traffic in 2024 generated by bots, report finds
Spirent partners with online payments platform to boost cyber defenses
Understanding the key to boosting cybersecurity habits: Kaspersky study
Axis unveils hybrid cloud platform for adaptable security solutions
Keeper Security launches user-friendly passphrase generator
Top stories
Fortinet recognised as Challenger in Gartner's 2024 Magic Quadrant for SSE
Coalition integrates cyber risk platform with top cloud services providers
i-PRO to support Genetec SaaS with new AI-enabled camera models
Illumio unveils AI enhancements for faster Zero Trust Segmentation adoption
RiverSafe teams up with Cribl to boost IT & data security services