An unknown party appears to have taken control of the Phorpiex botnet's infrastructure and is uninstalling the malware from infected hosts, while displaying a popup that urges users to install an antivirus and update their computers.
The popups began appearing on user screens this morning and were first spotted by the Check Point research team.
Initially, many analysts thought this was a hoax embedded in the malware by the Phorpiex team in order to fool the security researchers analyzing it.
However, as time went on, it became clear that this was actually happening on real client systems and not just a popup window shown on virtual machines used as malware-analysis sandboxes.
"It's a real thing," said Yaniv Balmas, head of Cyber Research at Check Point. "We are closely monitoring this group of malware and we noticed that this behavior started only a few hours ago."
Balmas cited several theories about what is happening: the malware operators may have decided to shut down the botnet on their own terms, this could be the result of a law enforcement action, a security researcher may have taken matters into their own hands, or a rival malware gang may be trying to undermine the Phorpiex team by destroying its botnet.
Hijack is the most likely explanation
"The possibility of a hijack seems likely, if we go by the Phorpiex hacker's track record," said a second malware analyst, who asked not to be named in this article because he was not authorized by his company to speak on the matter.
"Phorpiex has some tough opponents in the botnet game, so I wouldn't be surprised if it was a jealous attack or something like that," he added.
"The Phorpiex botnet hacker is extremely lazy and careless," said the malware analyst, claiming that he himself could have gained access to the botnet in the past because of its simplistic IRC-based command-and-control mechanism.
The same botnet suffered a data breach in 2018
The Phorpiex malware, which has been active for more than a decade, has suffered security breaches in the past due to the carelessness of its developer.
In 2018, the developer of the Phorpiex botnet left one of its command and control servers exposed to the internet, and security researchers were able to retrieve a list of 43.5 million email addresses targeted by the Phorpiex crew with spam campaigns.
Phorpiex is one of the most active spam botnets today. The Phorpiex team operates by infecting Windows computers and using them as spam bots to launch massive junk mail campaigns.
These spam campaigns keep the botnet alive by infecting new computers with Phorpiex, but the bots also send customized spam campaigns on behalf of other cybercrime groups, and this is how Phorpiex makes its money.
Whoever started today's hijack and ordered the bots to uninstall themselves dealt a major blow to the Phorpiex gang's future profits and operations. To give an idea of the magnitude of the profits lost, Check Point has previously reported that the same botnet made $115,000 in just five months from spam emails.