Phorpiex Botnet Back Into Action - Attacks Surge Drastically

The Phorpiex botnet, also known as Trik, has been active for almost a decade, and in June 2020 its malicious activity increased significantly compared to May 2020.

Phorpiex teams up with Avaddon

Check Point researchers found a new malspam campaign leveraging the Phorpiex botnet to infect targeted devices with the Avaddon ransomware.
  • Between May and June the malware doubled its number of attacks on organizations worldwide, and the total number of affected devices over 2020 could be much larger. Almost 2% of organizations globally were targeted by this botnet, making it the second most active malware.
  • The latest malspam messages distributed via Phorpiex use a wink emoji as the email subject and lure recipients into opening a Zip file attachment.
  • Opening the file executes the Avaddon ransomware, which encrypts data on the computer and demands a ransom in return for file decryption.

Recent trends

Check Point researchers also reported the common trends among cyber threats targeting organizations in their Global Threat Index.
  • Agent Tesla RAT, which targeted 3% of global organizations, moved up from 2nd place in May 2020 to 1st. Second place was taken by Avaddon, while the XMRig crypto miner, active since May 2017, remained in 3rd place for the second consecutive month. The list also included well-known malware families such as Dridex, Trickbot, Ramnit, and Emotet.
  • The researchers also warned about the most commonly exploited vulnerabilities: “OpenSSL TLS DTLS Heartbeat Information Disclosure”, “MVPower DVR Remote Code Execution”, and “Web Server Exposed Git Repository Information Disclosure”, affecting 45%, 44% and 38% of organizations globally, respectively.

Safety tips

Organizations should educate their staff on how to recognize the different kinds of malspam that carry threats such as Phorpiex, whether through attachments or malicious links, and deploy email security mechanisms such as DMARC to stop these messages before they can infect the network.
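As an added example (not from the Check Point research or this article), here is a small Python triage function that applies the lure characteristics described above to an incoming message: a subject with no words at all (such as a lone emoji), an archive attachment, and the DMARC verdict recorded by the receiving mail server. The sample messages, sender addresses, archive extension list and quarantine threshold are constructed assumptions.

```python
import email
from email import policy

# Assumed list of archive types worth flagging when they arrive as attachments.
ARCHIVE_EXTS = (".zip", ".rar", ".7z")

def triage(raw: bytes) -> dict:
    """Score one raw RFC 822 message against the Phorpiex-style malspam indicators."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    subject = (msg["Subject"] or "").strip()
    # Lure indicator: a subject made only of symbols/emoji, with no letters or digits.
    symbol_only_subject = bool(subject) and not any(ch.isalnum() for ch in subject)
    # Attachment indicator: any non-body part whose filename is an archive.
    archive_attachments = [
        part.get_filename() for part in msg.iter_attachments()
        if (part.get_filename() or "").lower().endswith(ARCHIVE_EXTS)
    ]
    # DMARC verdict as stamped by the receiving MTA; missing or failing counts against it.
    auth_results = (msg["Authentication-Results"] or "").lower()
    dmarc_pass = "dmarc=pass" in auth_results
    score = int(symbol_only_subject) + int(bool(archive_attachments)) + int(not dmarc_pass)
    return {
        "subject": subject,
        "symbol_only_subject": symbol_only_subject,
        "archive_attachments": archive_attachments,
        "dmarc_pass": dmarc_pass,
        "quarantine": score >= 2,  # assumed threshold: two or more indicators
    }

# Constructed sample: the subject is the RFC 2047 encoding of a single wink emoji.
SAMPLE_MALSPAM = b"""From: "Accounts" <accounts@example.net>
To: user@example.com
Subject: =?utf-8?b?8J+YiQ==?=
Authentication-Results: mx.example.com; dmarc=fail header.from=example.net
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

See attached.
--b1
Content-Type: application/zip; name="IMG_0019.zip"
Content-Disposition: attachment; filename="IMG_0019.zip"
Content-Transfer-Encoding: base64

UEsDBA==
--b1--
"""

# Constructed benign sample for comparison.
SAMPLE_LEGIT = b"""From: alice@example.com
To: user@example.com
Subject: Q3 report draft
Authentication-Results: mx.example.com; dmarc=pass header.from=example.com
Content-Type: text/plain

Attached next week.
"""

if __name__ == "__main__":
    print(triage(SAMPLE_MALSPAM))
    print(triage(SAMPLE_LEGIT))
```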