Check Point Research has found new cryptocurrency-related attacks in Ethiopia, Nigeria, India, and 93 other countries. The attackers use a variant of the Phorpiex botnet, which Check Point calls "Twizt", to steal cryptocurrency through a technique known as "crypto clipping." Because wallet addresses are long, users typically copy them and paste them into a transaction rather than typing them out. Twizt exploits this by replacing the copied wallet address with a wallet address belonging to the threat actor.
Phorpiex, a long-running botnet known for extortion tactics and for old-school worm propagation via removable USB drives and instant messaging apps, began broadening its infrastructure in recent years in order to become more resilient and deliver more dangerous payloads. The Phorpiex botnet is still active today, with a massive network of bots generating a wide range of malicious activity. These operations, which previously comprised extortion and spamming, have grown to encompass cryptocurrency mining. Researchers also saw a surge in data exfiltration and ransomware delivery in 2018, with the bot installer dropping Avaddon, Knot, BitRansomware (DSoftCrypt/ReadMe), Nemty, GandCrab, and Pony ransomware, among other malware.
Check Point researchers reported intercepting 969 transactions, stating that Twizt "can operate without active command and control servers, enabling it to bypass security systems," implying that each infected computer can expand the botnet on its own.
Twizt operators have stolen 3.64 Bitcoin, 55.87 Ether, and $55,000 in ERC20 tokens in the last year, totaling around $500,000. 26 ETG were stolen in one incident alone. Phorpiex bots hijacked over 3,000 transactions worth nearly 38 Bitcoin and 133 Ether between April 2016 and November 2021. The cybersecurity firm stated that this was merely a subset of the attacks that were taking place.
According to Alexander Chailytko, cybersecurity research and innovation manager at Check Point Software, the new variant of Phorpiex poses two major concerns. "First, Twizt is able to operate without any communication with C&C; therefore, it is easier to evade security mechanisms, such as firewalls, in order to do damage. Second, Twizt supports more than 30 different cryptocurrency wallets from different blockchains, including major ones such as Bitcoin, Ethereum, Dash, Monero," Chailytko said.
"This makes for a huge attack surface, and basically anyone who is utilizing crypto could be affected. I strongly urge all cryptocurrency users to double-check the wallet addresses they copy and paste, as you could very well be inadvertently sending your crypto into the wrong hands," Chailytko added.
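The clipping technique described at the top of the article and the "double-check the address you paste" advice above both come down to one observation: the text that lands in the clipboard is not the text the user copied. The following is an added example, written for this article and not code from Check Point or from the Phorpiex analysis, showing how a defender can check for that. It assumes a monitor that records each clipboard update together with the process that set it (on Windows, for instance, a WM_CLIPBOARDUPDATE listener querying GetClipboardOwner), and it uses format-only regular expressions for the four chains the article names; the regexes, the event layout and all sample addresses are constructed for the example and no checksum validation is performed.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Format-only address shapes for the chains named in the article (assumption for
# this example; these do not validate Base58Check, Bech32 or EIP-55 checksums).
ADDRESS_PATTERNS: Dict[str, re.Pattern] = {
    "bitcoin": re.compile(r"^(bc1[ac-hj-np-z02-9]{25,62}|[13][a-km-zA-HJ-NP-Z1-9]{25,34})$"),
    "ethereum": re.compile(r"^0x[0-9a-fA-F]{40}$"),
    "dash": re.compile(r"^X[1-9A-HJ-NP-Za-km-z]{33}$"),
    "monero": re.compile(r"^[48][0-9AB][1-9A-HJ-NP-Za-km-z]{93}$"),
}


def classify_address(text: str) -> Optional[str]:
    """Return the chain whose address format `text` matches, or None for ordinary text."""
    text = text.strip()
    for chain, pattern in ADDRESS_PATTERNS.items():
        if pattern.match(text):
            return chain
    return None


@dataclass
class ClipboardEvent:
    ts: float      # seconds since the monitor started (constructed)
    owner: str     # process that set the clipboard contents (hypothetical field)
    content: str   # new clipboard text


def detect_clipper_swaps(events: List[ClipboardEvent], window: float = 2.0) -> List[dict]:
    """Flag updates where an address is replaced, within `window` seconds, by a
    different address of the same chain set by a different process.

    A user re-copying the same address, or copying an address from a new source,
    is not flagged; only the 'same chain, new value, other owner, right after the
    copy' pattern that a clipper produces is reported."""
    findings = []
    prev: Optional[ClipboardEvent] = None
    for ev in events:
        if prev is not None:
            chain_prev = classify_address(prev.content)
            chain_now = classify_address(ev.content)
            if (
                chain_prev is not None
                and chain_now == chain_prev
                and ev.content.strip() != prev.content.strip()
                and ev.owner != prev.owner
                and ev.ts - prev.ts <= window
            ):
                findings.append({
                    "chain": chain_prev,
                    "original": prev.content.strip(),
                    "replacement": ev.content.strip(),
                    "set_by": ev.owner,
                    "seconds_after_copy": round(ev.ts - prev.ts, 3),
                })
        prev = ev
    return findings


def address_matches_source(source: str, pasted: str) -> bool:
    """The user-side check the article recommends: the pasted address must equal
    the address shown at the source, character for character."""
    return source.strip() == pasted.strip()


# Constructed clipboard history: the user copies a Bitcoin address from a browser,
# an untrusted process overwrites it 300 ms later with a different Bitcoin address,
# then unrelated copies follow that must not be flagged.
USER_BTC = "1CoPiedByUserFromWaLLetPageXYZabcd"
SWAPPED_BTC = "1SwappedByCLipperProcessDemoABCDE"
USER_ETH = "0x" + "ab" * 20

SAMPLE_EVENTS = [
    ClipboardEvent(0.0, "browser.exe", USER_BTC),
    ClipboardEvent(0.3, "untrusted-process.exe", SWAPPED_BTC),
    ClipboardEvent(5.0, "browser.exe", "meeting notes for tomorrow"),
    ClipboardEvent(6.0, "notepad.exe", USER_ETH),
    ClipboardEvent(6.5, "browser.exe", USER_ETH),   # same address re-copied: benign
]

if __name__ == "__main__":
    for f in detect_clipper_swaps(SAMPLE_EVENTS):
        print(f"{f['chain']} address replaced by {f['set_by']} "
              f"{f['seconds_after_copy']}s after copy: {f['original']} -> {f['replacement']}")
    print("paste matches source:", address_matches_source(USER_BTC, SWAPPED_BTC))
```

The owner-process comparison is what separates a clipper from a user copying a second address: a wallet page and a clipper do not share a process. Where the clipboard API does not expose the owner, the timing and same-chain conditions alone still give a useful, if noisier, signal.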