Η Check Point Research (CPR) its research department Check Point Software spotted a variation botnet who has stolen nearly half a million dollars worth of cryptocurrencies through a technique called "crypto clipping".
The new variant, called Twizt, a descendant of Phorpiex, steals cryptocurrencies during transactions, automatically replacing the recipient's address with that of the perpetrator.
Η CPR προειδοποιεί τους κατόχους κρυπτονομισμάτων να προσέχουν σε ποιον στέλνουν χρήματα, καθώς έχουν καταγραφεί 969 συναλλαγές υποκλοπής και η καταμέτρηση συνεχίζεται. Το Twizt μπορεί να λειτουργεί χωρίς ενεργούς διακομιστές C&C, το οποίο του επιτρέπει να παρακάμπτει τους μηχανισμούς security.
- In a period of 12 months, 3,64 were stolen Bitcoin 55,87 Etherand $ 55.000 in ERC20 Tokens.
- 26 ETH were stolenin one case
- The majority of the victims live in Ethiopia, Nigeria and India
Check Point Research (CPR) has identified a new variant of Phorpiex, a botnet known for sextortion and crypto-jacking. The new variant, called Twizt, operates without active command and control servers, meaning that every computers that infects can expand the botnet. CPR estimates that Twizt has stolen nearly half a million dollars worth of cryptocurrency. The news characteristics of Twizt have led CPR to believe that the botnet may become even more stable and therefore more dangerous.
How Twizt works
The Twizt utilizes a technique called “cryptoclipping", Which is the theft of cryptocurrencies during transactions through the use of malware that automatically replaces the wallet address intended with the perpetrator's wallet address. This results in the amounts going into the wrong hands.
The Victims
Over a period of one year, from November 2020 to November of 2021, The Phorpiexbotsstole 969 trades, stealing 3,64 Bitcoin 55,87 Etherand $ 55.000 in ERC20 Tokens. The value of the stolen goods at current prices is almost half a million dollars USA. Several times it Phorpiexmanaged to steal large amounts of transactions. The largest was 26 ETHamount for a transaction Ethereum.
Graph 1. Victims by spaceα
Commentary: Alexander Chailytko, Cyber Security Research & Innovation Manager at Check Point Software:
“Υπάρχουν τρεις βασικοί risks που ενέχει η νέα παραλλαγή του Phorpiex. First, the Twizt uses the model peer-to-peer and is able to receive commands and updates from thousands of other infected machines. One botnet peer-to-peer it is more difficult to destroy and shut down. That makes it Twizt more stable than previous versions of muzzle of Phorpiex.
Secondly, like the old versions Phorpiex, the Twizt is able to steal cryptocurrencies without any communication with C&C, therefore, it is easier to bypass security mechanisms such as firewalls, in order to do damage. Third, the Twiztsupports more than 30 different cryptocurrency wallets from different block chains, including the most important, such as Bitcoin, Ethereum, Dash, Monero.
This creates a huge range of attack, and virtually anyone using encryption could be affected. "I urge all cryptocurrency users to double-check the wallet addresses they copy and paste, as they could easily accidentally send their cryptocurrencies to the wrong hands."
Security tips
- Check the wallet address. When users copy and paste an address of one cryptowallet, must always double check that the original and the pasted address are the same.
- Try the transactions. Before sending large amounts of cryptocurrencies, a trial transaction with a minimum amount needs to be done first.
- Stay informed. The operating system must be up to date and not download software from unverified sources.
- Skip the ads. When searching for wallets or cryptocurrency trading platforms, they should always choose the first site in the search and not the ads. These can be misleading as well CPR has found many prices on google, which aim to extract money.
- Observe the addresses URL. They should always double check the addresses URL!
