Posted on January 24, 2020 at 4:17 PM

Hackers Infecting PCs and Telling Users to Install Antivirus

Malware analysts are reporting that someone has hijacked the Phorpiex botnet and is contacting users. Telling them they’ve been infected by a virus.

But it turned out that the sabotage of the Phorpiex operations was actually happening in the real world on customer system and not simply a virtual machine popup.  Check Point’s Cyber Research, Yaniv Balmas, said this is actually happening, as he pointed out that they are closely observing the situation. He stated that the activities of the malware group began a few hours ago.

Balmas gave several reasons why this was happening. He mentioned some scenarios, such as a rival malware sabotaging the Phorpiex, a vigilante researcher trying to resolve the situation by themselves, a law enforcement action, or the malware operators quitting and shutting down operations by themselves.

Hijack the most probable cause

According to Balmas, the most likely cause could be due to a hijack, if records from the Phorpiex developer are something to base on. Another malware analyst suggested the same scenario

The Phorpiex developer has strong competition in the botnet game, so it wouldn’t surprise anyone if they try to cause problems for him. According to the second analyst, who refused to give his name, the reason for the sabotage could be because of jealousy or something similar because of the success of Phorpiex.

However, the analyst said the Phorpiex developer is careless and extremely lazy. According to him, anyone could possibly hijack the botnet because of its simplistic IRC-based command and control system.

Some botnet affected by a data breach in 2018

According to confirmed research, Phorpiex malware has been operational for more than 10 years. But it has suffered a series of attacks within this period. Most of the breaches were a result of the developer’s carelessness and lack of seriousness to protect its system from attack.

Two years ago, the developer was careless to keep the command and control backend of the Botnet exposed online. But security experts were able to recover about 4.3 million email addresses before the Phorpiex group could infiltrate using spam emails.

When it comes to spam botnets, Phorpiex is one of the most active. The Phorpiex syndicate carries out its activities by infiltrating windows computers taking the systems are spam bots to release enormous spam emails.

The spam emails infect new computers with Phorpiex, which keeps the spam botnet alive. However, they equally release custom spam messages for other cybercrime syndicates, which is how the crew makes money from their campaign.

The future operations and profits of the Phorpiex are under threat with the activities of the group that hijacked the botnet.

For an estimate of the amount the Phorpiex group lost, CheckPoint revealed that the botnet received about $115,000 within five months. This revenue is coming only from the mass spamming using the extortion emails.

Emails are drawn from different locations and domains

The 4.3 million leaked from command and control server was reported by Vertek Corporation, a threat intelligence analysis.

The security team was investigating a malware activity that distributes a version of the Trik Trojan. The research team found out that the GanCrab and Trik trojan usually download malicious files which infiltrated users’ system via an online server coming from IP address.

The researcher reported that the group that orchestrated the malware activity reconfigured its sever and allowed unauthorized access to anyone online with an IP address. He found out about 2201 test files from a server that contains about 20 million email addresses each.

The researcher told Bleeping Computer that the group behind this operation misconfigured its server and left its content accessible to anyone accessing the IP directly.

The researcher feels that the server operators have been utilizing the recipients’ lists to provide information and data to other cybercriminals.

According to the researcher, the data list was pulled to validate that they are legitimate and unique. The researchers are now collaborating with Troy Hunt, an Australian security researcher, to find out how many of the mails have been exposed and how many are open to attack.

 The email addresses were not drawn from a particular location. They were about 4.5 million addresses collected from everywhere and from different IP addresses. The email addresses were also from different domains from .com to .gov, and other domains from private businesses.