Summary: A threat actor has put the source code of the Trik botnet, also known as Phorpiex, up for sale. The move concerns defenders because the code is mature and persistent, and once it changes hands it can be reused and forked by other groups. The botnet is written in C++ and bundles an HTTP loader with several malicious modules.
Threat Actor: Unknown seller (sale reported by ThreatMon)
Victim: Organizations and individuals
Key Points:
- The Trik loader is driven from a plain HTTP server and needs no web control panel, which leaves less attacker infrastructure for defenders to find and take down.
- It ships with a crypto clipper (which swaps cryptocurrency wallet addresses in the clipboard), a USB spreader and a PE infector, so it both steals funds and propagates through removable drives and shared executables.
- The seller claims a self-protection mechanism keeps it undetected by most antivirus products; this is a marketing claim about detection at the time of sale, not a permanent property.
- Source code changing hands tends to produce forks and copycats, so organizations should expect variants and review their detection coverage for the behaviours described in this article.
A threat actor claims to be selling the source code of the Trik botnet, also known as Phorpiex, a family well known in antivirus (AV) circles. The C++ codebase bundles a loader with a suite of modules that together make it a formidable threat.
The listing was reported on social media by the threat-intelligence firm ThreatMon and has raised concerns among security researchers and organizations worldwide.
Main Functions of the Bot
The Trik bot is a persistent HTTP loader with several malicious capabilities. Unlike many other botnets, it does not rely on a web control panel: the bot simply polls files on an ordinary HTTP server, so there is no panel login, database or admin interface for defenders to fingerprint, and the serving infrastructure is correspondingly harder to identify and dismantle.
The listed modules include a crypto clipper, which targets a range of cryptocurrency wallets by swapping wallet addresses in the clipboard, a USB spreader (the listing calls it a USB emitter) and a PE infector.
One of the seller's main selling points is a self-protection mechanism that is claimed to keep the bot fully undetectable (FUD) by most antivirus software. FUD status is measured against AV engines at the time of sale; once samples circulate, signature and behavioural coverage usually catches up, so the claim should not be read as permanent.
Every 30 minutes the loader checks for files on the server, decrypts them and runs them only if their signature verifies. The check means that a defender or rival who seizes or spoofs the server cannot push arbitrary payloads to the bots without the operator's signing key, which complicates takeover-based remediation; the fixed polling interval, on the other hand, is a regular network pattern that beacon-detection logic can pick up.
The PE infector handles both x86 and x64 PE executables and spreads by embedding the downloader shellcode into them, so a legitimate-looking program copied between machines can reinstall the loader.
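The article does not describe how the Trik PE infector modifies a host executable, so the following is not a signature for it. It is an added example, written for this page and not taken from the article or the botnet, of the generic triage heuristic an analyst applies to a suspected appended-code infection: parse the PE header of an x86 or x64 file, find the section that contains the entry point, and flag an entry point that lands in the last section or in a section that is both writable and executable. The two sample images are constructed header-only blobs built by the helper `build_pe`, and the section name `.extra` is invented for the demo.

```python
"""Heuristic triage for PE files that may have had code appended by an
infector, as the article describes for the Trik PE module (x86 and x64).

Added example, not code from the article or from the botnet. It does not
implement Phorpiex's infection method, which the article does not describe;
it flags the generic artefacts an appended-shellcode infector tends to leave:
an entry point redirected into the last section, or into a section that is
both writable and executable. Only the standard library is used.
"""
import struct

IMAGE_FILE_MACHINE_I386 = 0x014C
IMAGE_FILE_MACHINE_AMD64 = 0x8664
IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_CNT_INITIALIZED_DATA = 0x00000040
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000

COFF_FMT = "<HHIIIHH"         # Machine ... SizeOfOptionalHeader, Characteristics
SECTION_FMT = "<8sIIIIIIHHI"  # IMAGE_SECTION_HEADER, 40 bytes


def parse_pe(data):
    """Return architecture, entry point RVA and section table of a PE image."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    machine, nsections, _, _, _, opt_size, _ = struct.unpack_from(COFF_FMT, data, e_lfanew + 4)
    opt_off = e_lfanew + 24
    # AddressOfEntryPoint sits at offset 16 of both the PE32 and PE32+ optional header.
    entry = struct.unpack_from("<I", data, opt_off + 16)[0]
    sec_off = opt_off + opt_size
    sections = []
    for i in range(nsections):
        name, vsize, va, rawsize, *_rest, chars = struct.unpack_from(SECTION_FMT, data, sec_off + 40 * i)
        sections.append({"name": name.rstrip(b"\0").decode("latin-1"),
                         "va": va, "vsize": vsize, "rawsize": rawsize, "chars": chars})
    arch = {IMAGE_FILE_MACHINE_I386: "x86", IMAGE_FILE_MACHINE_AMD64: "x64"}.get(machine, hex(machine))
    return {"arch": arch, "entry": entry, "sections": sections}


def entry_point_anomalies(data):
    """List heuristic findings about where the entry point lands."""
    pe = parse_pe(data)
    home = None
    for idx, s in enumerate(pe["sections"]):
        span = max(s["vsize"], s["rawsize"])
        if s["va"] <= pe["entry"] < s["va"] + span:
            home = idx
            break
    if home is None:
        return ["entry_outside_sections"]
    sec = pe["sections"][home]
    findings = []
    if home == len(pe["sections"]) - 1 and len(pe["sections"]) > 1:
        findings.append("entry_in_last_section")   # code appended after .data etc.
    if sec["chars"] & IMAGE_SCN_MEM_WRITE and sec["chars"] & IMAGE_SCN_MEM_EXECUTE:
        findings.append("entry_section_rwx")       # self-modifying stub, RWX section
    if not sec["chars"] & IMAGE_SCN_CNT_CODE:
        findings.append("entry_section_not_code")  # entry in a data/resource section
    return findings


def build_pe(machine, sections, entry_point):
    """Assemble a header-only PE image for testing (constructed input, no real code)."""
    pe32plus = machine == IMAGE_FILE_MACHINE_AMD64
    opt_size = 0xF0 if pe32plus else 0xE0
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)          # e_lfanew = 0x40
    coff = struct.pack(COFF_FMT, machine, len(sections), 0, 0, 0, opt_size, 0x0102)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x20B if pe32plus else 0x10B)  # PE32+ / PE32 magic
    struct.pack_into("<I", opt, 16, entry_point)
    table = b"".join(struct.pack(SECTION_FMT, name, vsize, va, vsize, 0, 0, 0, 0, 0, chars)
                     for name, va, vsize, chars in sections)
    return dos + b"PE\0\0" + coff + bytes(opt) + table


# Constructed samples: a normal layout, and one whose entry point was redirected
# into an appended RWX section, the shape an appended-shellcode infector produces.
CODE_RX = IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ
DATA_RW = IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE
CLEAN_X86 = build_pe(IMAGE_FILE_MACHINE_I386,
                     [(b".text", 0x1000, 0x2000, CODE_RX), (b".data", 0x3000, 0x1000, DATA_RW)],
                     entry_point=0x1500)
INFECTED_X64 = build_pe(IMAGE_FILE_MACHINE_AMD64,
                        [(b".text", 0x1000, 0x2000, CODE_RX), (b".data", 0x3000, 0x1000, DATA_RW),
                         (b".extra", 0x4000, 0x400, CODE_RX | IMAGE_SCN_MEM_WRITE)],
                        entry_point=0x4010)

if __name__ == "__main__":
    for label, blob in (("clean", CLEAN_X86), ("suspect", INFECTED_X64)):
        pe = parse_pe(blob)
        print(label, pe["arch"], hex(pe["entry"]), entry_point_anomalies(blob) or "no findings")
```

Run against real files by reading them in binary mode and passing the bytes to `entry_point_anomalies`. The heuristics produce false positives on packed or self-extracting executables, which legitimately start in a late or writable section, so treat a hit as a reason to look closer, not as a verdict; a clean result says nothing about infectors that patch code in place rather than appending a section.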
Modules and Additional Threats
The Trik botnet also ships modules that extend its reach. One is a VNC bruteforcer, which scans generated IP addresses for open VNC ports (TCP 5900) and tries to log in using a built-in list of credentials stored in encoded form.
A successful login gives the operator interactive access to the remote desktop, so this module turns infected hosts into scanners that can seed new compromises on any network they can reach.
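Two of the behaviours described above leave regular network traces: the loader's fixed 30-minute poll of its HTTP server and the VNC module's sweep of many addresses on TCP 5900. The following is an added example, written for this page and not taken from the article or the botnet, of detection logic for both over a flow log. The log format (`<ISO timestamp> <src> <dst> <dport>`), the addresses and the thresholds are constructed for the demo and are assumptions, not something the article specifies.

```python
"""Detection logic for two network behaviours the article attributes to Trik:
the loader's fixed 30-minute poll of its HTTP payload server, and the VNC
bruteforcer's fan-out to TCP 5900 on generated IP addresses.

Added example, not code from the article or the botnet. The flow-log format
("<ISO timestamp> <src> <dst> <dport>") and all addresses are constructed for
the demo; adapt parse_flows() to your own proxy or firewall export.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev


def parse_flows(text):
    """Parse constructed flow lines into (timestamp, src, dst, dport) tuples."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, dport = line.split()
        flows.append((datetime.fromisoformat(ts), src, dst, int(dport)))
    return flows


def find_beacons(flows, min_hits=4, max_jitter=0.05):
    """Return {(src, dst, dport): period_seconds} for connections whose
    inter-arrival gaps are almost constant (std-dev / mean <= max_jitter).
    A loader that wakes every 30 minutes shows up as an 1800 s period."""
    by_tuple = defaultdict(list)
    for ts, src, dst, dport in flows:
        by_tuple[(src, dst, dport)].append(ts)
    beacons = {}
    for key, times in by_tuple.items():
        if len(times) < min_hits:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= max_jitter:
            beacons[key] = round(avg)
    return beacons


def find_fanout(flows, dport=5900, min_targets=10, window_seconds=300):
    """Return {src: distinct_targets} for sources that reach >= min_targets
    distinct hosts on dport inside any window_seconds-long window."""
    by_src = defaultdict(list)
    for ts, src, dst, port in flows:
        if port == dport:
            by_src[src].append((ts, dst))
    scanners = {}
    for src, events in by_src.items():
        events.sort()
        best = 0
        for i, (start, _) in enumerate(events):
            in_window = {dst for ts, dst in events[i:]
                         if (ts - start).total_seconds() <= window_seconds}
            best = max(best, len(in_window))
        if best >= min_targets:
            scanners[src] = best
    return scanners


# Constructed sample: 10.0.0.23 polls 203.0.113.50 every ~30 min with a few
# seconds of jitter, then sweeps twelve hosts on TCP 5900 within seconds;
# 10.0.0.99 is benign, irregular HTTPS traffic and must not be flagged.
SAMPLE_LOG = """\
2024-03-01T09:00:07 10.0.0.23 203.0.113.50 80
2024-03-01T09:05:11 10.0.0.23 198.51.100.7 443
2024-03-01T09:30:09 10.0.0.23 203.0.113.50 80
2024-03-01T10:00:06 10.0.0.23 203.0.113.50 80
2024-03-01T10:30:08 10.0.0.23 203.0.113.50 80
2024-03-01T11:00:07 10.0.0.23 203.0.113.50 80
2024-03-01T09:10:00 10.0.0.99 198.51.100.7 443
2024-03-01T09:12:00 10.0.0.99 198.51.100.7 443
2024-03-01T10:40:00 10.0.0.99 198.51.100.7 443
2024-03-01T10:41:00 10.0.0.99 198.51.100.7 443
""" + "\n".join(f"2024-03-01T11:00:{20 + i:02d} 10.0.0.23 192.0.2.{i + 1} 5900"
                for i in range(12))


def analyse(text=SAMPLE_LOG):
    """Run both detectors over one flow log and return their findings."""
    flows = parse_flows(text)
    return {"beacons": find_beacons(flows), "vnc_scanners": find_fanout(flows)}


if __name__ == "__main__":
    for kind, hits in analyse().items():
        for key, value in hits.items():
            print(f"{kind}: {key} -> {value}")
```

The 30-minute cadence is the seller's own description of the loader; a rebuilt variant may add a randomised sleep, so keep `max_jitter` loose enough to tolerate it and corroborate a beacon hit with the destination's reputation and the size of the responses. The fan-out rule is family-agnostic: a workstation opening TCP 5900 to a dozen addresses in a few seconds is anomalous on almost any network, whichever bruteforcer is behind it.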
Another module, the USB spreader (USB emitter in the listing), prepares a removable drive so that a shortcut (link) with an innocuous icon sits at its root while the user's original files are moved into a hidden folder. A user who plugs the drive into another machine sees only the shortcut, opens it and runs the bot, which then repeats the process on that machine and propagates the infection further.
The sale of the Trik source code is a reminder that mature malware rarely disappears; it is resold, forked and rebuilt by new operators. With its loader, infector and scanning modules, this codebase remains a significant risk to digital security.
Organizations and individuals should treat the listing as a prompt to review the controls that break the behaviours described here: alerting on outbound VNC scanning from workstations, disabling autorun and scrutinising shortcuts on removable media, and hunting for fixed-interval HTTP polling to unfamiliar servers.
Source: https://cybersecuritynews.com/beware-of-trik-loader-botnet