Phorpiex Botnet

Phorpiex Botnet is a network of infected computers that helps the cybercriminals behind it perform cyberattacks on a larger scale. Our team has found that the botnet is associated with various infections that are implemented in attacks. Perhaps the most prominent of them is the Tldr malware downloader whose main purpose is to continue making the botnet bigger. It was also found that this downloader can work both as a worm and a virus, which means that it can spread via removable devices that might be connected to the infected computer, and it also can infect other installed software and files. It appears that the attackers behind the botnet are mainly focused on making money, which is not surprising at all. However, it can also load info-stealer malware, which could be used to obtain sensitive information in more ways than one. Undoubtedly, it is important to remove Phorpiex Botnet components, regardless of how many of them might exist.

Also known as Worm.Phorpiex, the botnet has a wide cast net. While the servers linked to this botnet can be found pretty much around the world (except for Europe), its most significant ones are located in India, China, Thailand, and Pakistan. By the end of 2019, at least one million computers were infected and connected to the botnet, and in the past, it was well-known for loading GandCrab Ransomware. One of the distributors of this malware was caught in August, but it does not look like he could be linked to the Phorpiex Botnet. The botnet has not been distributing this ransomware for a while now anyway. This is not the only campaign that has been abandoned since. In 2019, Phorpiex Botnet was also heavily involved in sextortion spam attacks, but they have been halted too. The spam emails were sent with such statements as “I recorded you,” “I know one of your passwords,” and “The only way to stop me, is to pay exactly 800$ in bitcoin (BTC).” Once these emails stopped flooding, the botnet seemed to focus on cryptocurrency-jacking and cryptocurrency-clipping campaigns.

According to research, cryptocurrency-jacking and cryptocurrency-clipping were some of the ways that the creator of Phorpiex Botnet preferred to make money at one point. Cryptocurrency-jacking is the type of activity, during which an infected computer is used to mine for cryptocurrency without permission. It appears that the attackers heavily relied upon XMRig for mining, and they collected their rewards in Monero. While this kind of activity does not necessarily harm victims personally, it can exhaust systems’ resources making it harder for someone to operate them. Cryptocurrency-clipping is the kind of activity, during which malware waits for the victim to copy a cryptocurrency wallet address. Once it is in the clipboard, they immediately replace it with the address to the attackers’ wallet. Phorpiex Botnet was also found making money by loading third-party malware, such as the Raccoon Stealer and Predator the Thief, which can be used to steal sensitive information (e.g., credentials, banking information). In the future, those controlling the botnet might move on to new methods of monetization, and new modules could be included to assist. The botnet could also be used to spread new kinds of malware. Due to this, it is quite unpredictable and, therefore, incredibly dangerous.

It appears that Phorpiex Botnet relies heavily on exploit kits and other malicious threats for successful distribution. An exploit kit is a tool that allows cybercriminals to exploit vulnerabilities and use them to distribute malware. Third-party malicious threats – such as malware downloaders – can be spread in other ways too. For example, they could hide within spam emails or even software bundles. Therefore, it is not enough to patch one thing at a time. The entire operating system needs to be protected against all kinds of virtual menaces. That might be easier said than done. However, if a system has comprehensive anti-malware protection, if its users are cautious about their own activity, and if all security updates are implemented quickly to ensure that vulnerabilities are patched, the risk of having the system infected and then connected to the botnet should be minimized greatly. Needless to say, deleting Phorpiex Botnet components is not a straightforward task. The manual removal might require different approaches for the different modules and threats. Due to this, anti-malware software that can delete all threats automatically and simultaneously is the most helpful.

Phorpiex Botnet Removal

1. Launch File Explorer by tapping Win+E keys.
2. Enter %WINDIR% into the field at the top and tap Enter.
3. Delete the folder named M-50505027509265824650265020 with winmgr.exe inside.
4. Launch Run by tapping Win+R keys.
5. Type regedit into the dialog box and click OK to launch Registry Editor.
6. Go to HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run.
7. Delete the value named Microsoft Windows Manager.
8. Go to HKEY_LOCAL_MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run.
9. Delete the value named Microsoft Windows Manager.
10. Exit both Registry Editor and File Explorer and then Empty Recycle Bin.
11. Install a genuine malware scanner to assist you in scanning your system for other threats.