Search This Blog

Showing posts with label C&C. Show all posts

Phorpiex Malware has Shut Down their Botnet and Put its Source Code for Sale

 

The Phorpiex malware's creators have shut down their botnet and are selling the source code on a dark web cybercrime forum. The ad states that none of the malware's two original authors are participating in maintaining the botnet, which is why they opted to sell its source code. It was posted on 27th August by an individual previously associated with the botnet's operation. 

Phorpiex, a long-running botnet notorious for extortion schemes and old-school worms delivered via removable USB drives and instant messaging programmes, has been broadening its architecture in recent years in order to become more durable and deliver more deadly payloads. 

These operations had extended to encompass bitcoin mining, which had previously included extortion and spamming. Researchers have noticed an upsurge in data exfiltration and ransomware delivery since 2018, with the bot installer releasing malware such as Avaddon, Knot, BitRansomware (DSoftCrypt/ReadMe), Nemty, GandCrab, and Pony, among others. 

“As I no longer work and my friend has left the biz, I’m here to offer Trik (name from coder) / Phorpiex (name fomr AV firms) source for sell [sic],” the individual said on Friday in a forum post spotted by British security firm Cyjax. 

The ad's legitimacy was confirmed by Alexey Bukhteyev, a malware reverse engineer for security firm Check Point. “The description of the malware is very similar to what we saw in the code,” Bukhteyev said. The malware's command and control (C&C) servers have been inactive for approximately two months, according to the researcher, who previously researched the Phorpiex virus in 2019. 

The last command the bot received from the Phorpiex C&C servers was on July 6, 2021, according to Bukhteyev, who has been running a phoney Phorpiex bot in order to spy on its operations. The command was a self-explanatory "SelfDeletion" instruction. The botnet appears to have vanished from open-source reports since then. 

"As we know, the source code is private and hasn’t been sold before. Therefore, this [forum ad] looks really believable,” Bukhteyev said. “However, we can be totally sure if we buy it. The binaries are quite straightforward, and we can easily confirm that the source code is for this bot indeed, if we get it."

Even if the botnet C&C servers are down, Bukhteyev warns that if someone buys the code, they can set up new ones and hijack all the already infected systems.

Malicious Operations Hide Under The Google Chrome Sync Feature

 

Lately, the threat actors have detected a technique where they can use the sync feature of Google Chrome to transmit commands and steal data from infected systems, circumvent conventional firewalls and other network protections to infected browsers. Chrome sync is a Chrome browser feature that stores copies of a Chrome user's bookmarks, browsing history, browser passwords, and extension settings on Google's cloud servers. This function is used to synchronize the aforementioned data with various devices of a user so that the user still has access to his new Chrome information everywhere. 

On Thursday 4th of January, Bojan Zdrnja, a Croatian security researcher, shared his discovery, wherein a malicious Chrome extension exploited the Chrome sync as a way to connect with a remote command and control (C&C) server and to exfiltrate the details from compromised browsers during the latest incident reaction. 

In addition, Zdrnja added that the attackers had gotten access to a victim's device during the incident he investigated, however, because the data they tried to steal was inside the worker's portal, therefore they downloaded Chrome extension on the user’s system and loaded it in Developer's Mode. It included malicious code that abused Chrome's synchronized functionality to allow attackers to monitor the infected browser, which was used as a security add-on by security company Forcepoint. 

Zdrnja claimed that the purpose of this unique attack was to use the extension to "manipulate data in an internal web application that the victim had access to." 

"While they also wanted to extend their access, they actually limited activities on this workstation to those related to web applications, which explains why they dropped only the malicious Chrome extension, and not any other binaries," Zdrnja stated in a report. 

"In order to set, read or delete these keys, all the attacker has to do is log in with the same account to Google, in another Chrome browser (and this can be a throwaway account), and they can communicate with the Chrome browser in the victim's network by abusing Google's infrastructure," he added, wherein data stored in the key field could be anything. For instance, data obtained from the infected browser may be malicious extensions or commands the attacker desires to run the extension at an infected workstation (for example, usernames, passwords, cryptographic keys, or more).

Although the stolen content or corresponding commands are transmitted via Chrome's infrastructure, no process can be inspected or blocked in the majority of corporate networks, which are normally authorized to run and transfer data unimpeded by the Chrome browser. 

The researcher recommended businesses to use Chrome company and community decision assistance to block and monitor the plugins that could be installed on a browser, prohibiting rogue extensions, such as the one he investigated, from being installed.