Someone is uninstalling the Phorpiex malware from infected PCs and telling users to install an antivirus

phorpiex-malware-uninstall.jpg
Image: Check Point

A mysterious entity appears to have hijacked the backend infrastructure of the Phorpiex (Trik) botnet and is uninstalling the spam-bot malware from infected hosts, while also showing a popup telling users to install an antivirus and update their computers, ZDNet has learned.

The popups have started appearing on users’ screens today, early morming, US Eastern time, and have been spotted by the research team at antivirus vendor Check Point.

Initially, ZDNet and others thought this was a prank coded inside the malware by the Phorpiex team for the purpose of trolling security researchers analyzing the malware.

However, as the hours passed, it became clear that this was actually taking place on customer systems, in the real world, and was not just a popup that was appearing in virtual machines used as malware analysis sandboxes.

“This is truly happening,” Yaniv Balmas, Head of Cyber Research at Check Point, told ZDNet. “We are closely monitoring this malware family and have noticed this behavior started just a few hours ago.”

Balmas listed several theories as what could have happened — such as the malware operators deciding to quit and shut down the botnet on their own terms, a law enforcement action, a vigilante security researcher taking matters into his own hands, or a rival malware gang sabotaging the Phorpiex crew by destroying their botnet.

Most likely a hijack

“Hijack seems likely based on the track record for the Phorpiex developer,” said a second malware analyst, who declined to have his name used in this article because he was not authorized to speak in his company’s name — another antivirus vendor.

“The Phorpiex developer has some pretty nasty rivals in the botnet game so it wouldn’t surprise me if this is an attack motivated by jealousy or something along those lines,” he added.

“The developer for the Phorpiex botnet is extremely lazy and careless,” the malware analyst said, claiming that he could have also hijacked the botnet in the past due to its simplistic IRC-based command and control mechanism.

Same botnet suffered a data breach in 2018

The Phorpiex malware, which has been active for more than a decade, has suffered security breaches in the past, also due to the malware developer’s carelessness.

In 2018, the Phorpiex developer left one of the botnet’s command and control backend servers exposed online, and security researchers were able to retrieve a list of 43.5 million email addresses that the Phorpiex crew was targeting with spam campaigns.

Phorpiex is one of today’s most active spam botnets. The Phorpiex team operates by infecting Windows computers and using these systems as spam bots to send out massive spam campaigns.

These spam campaigns keep the spam botnet alive, by infecting new PCs with Phorpiex, but they also send out custom spam campaigns on behalf of other cybercrime groups — the method through which the Phorpiex crew makes its money.

Whoever hijacked the botnet today and instructed bots to uninstall themselves has put a serious dent in the Phorpiex gang’s future profits and operations. To give an idea about the size of the profits the Phorpiex crew lost, Check Point previously reported that the same botnet made $115,000 in five months just from mass-spamming sextortion emails.

About the author

E-Crypto News was developed to assist all cryptocurrency investors in developing profitable cryptocurrency portfolios through the provision of timely and much-needed information. Investments in cryptocurrency require a level of detail, sensitivity, and accuracy that isn’t required in any other market and as such, we’ve developed our databases to help fill in information gaps.

Related Posts

E-Crypto News Executive Interviews

Automated trading with HaasBot Crypto Trading Bots

Crypto Scams

Millions in Cryptocurrency Stolen by Scammers in the Last Month According to Tenable Research
November 24, 2021
Behind The Scenes: How this Crypto Community Responded to + $50m Hack
October 18, 2021
Crypto Scams
Crypto Scams Still Persistent In 2021, SEC Warns About Red Flags To Watch
September 9, 2021
Poly Network
Here’s How Hackers Stole Over $600 million in the Poly Network Attack
August 12, 2021
The World’s Most Infamous Crypto Hacks and Scams
July 31, 2021

Blockchain/Cryptocurrency Questions and Answers

GamStop
How Does Bitcoin Casino Work + 2021 Beginner’s Guide
November 8, 2021
Cryptocurrency
How to Buy and Sell Cryptocurrency
November 8, 2021
What Are Bitcoin Futures And How Will They Work In 2022?
November 4, 2021
Ethereum
The Unconventional Guide to Ethereum
October 28, 2021
ICo Presale
The Science Behind ICO Presales…
October 14, 2021


CryptoCurrencyUSDChange 1hChange 24hChange 7d
Bitcoin33,408 0.48 % 7.18 % 22.52 %
Ethereum2,204.5 0.71 % 12.27 % 34.32 %
Tether0.9992 0.46 % 0.43 % 0.11 %
Binance Coin341.63 0.75 % 11.13 % 31.48 %
USD Coin0.9957 0.04 % 0.35 % 0.41 %
Cardano0.9665 0.31 % 14.15 % 31.42 %
XRP0.5638 0.37 % 9.66 % 27.67 %
Solana82.79 1.65 % 19.06 % 44.04 %
Terra60.60 1.57 % 12.13 % 30.35 %
Polkadot16.17 0.64 % 13.73 % 41.69 %

bitcoin
Bitcoin (BTC) $ 33,650.00
ethereum
Ethereum (ETH) $ 2,217.27
tether
Tether (USDT) $ 1.00
binance-coin
Binance Coin (BNB) $ 342.66
usd-coin
USD Coin (USDC) $ 1.00
cardano
Cardano (ADA) $ 0.971255
xrp
XRP (XRP) $ 0.567745
solana
Solana (SOL) $ 82.92
terra-luna
Terra (LUNA) $ 60.85
polkadot
Polkadot (DOT) $ 16.26