Phorpiex botnet: All about the rapidly-spreading email-based malware campaign

In a warning to organisations worldwide, researchers at Check Point have detailed how cyber criminals are now using the ransomware-delivering Phorpiex botnet to conduct email-based malspam campaigns worldwide, impacting 2% of all organisations in June.

Malspam campaigns involving the use of the Phorpiex botnet have spread so far and wide in a span of just a month that the botnet jumped to second place on Check Point’s Top Malware listing in June, up from 15th in May.

According to the security firm, while cyber criminals have so far been using the botnet to spread large-scale sextortion malspam campaigns, they are now leveraging the botnet to infect targeted devices with the Avaddon ransomware that is capable of scrambling data on a computer and demanding a ransom in return for file decryption.

In 2019 alone, over a million Phorpiex-infected Windows computers were discovered by researchers at Check Point, and considering that the malware campaign has doubled its impact on organisations worldwide between May and June, the number of affected devices could be much larger this year.

“In the past Phorpiex, also known as Trik, was monetized by distributing other malware such as GandCrab, Pony or Pushdo, using its hosts to mine cryptocurrency, or for sextortion scams. It is now being used to spread a new ransomware campaign.

“Organisations should educate employees about how to identify the types of malspam that carry these threats, such as the latest campaign targeting users with emails containing a wink emoji, and ensuring they deploy security that actively prevents them from infecting their networks,” Check Point said in a blog post.

Malware attacks exploiting the weakest link in organisations’ security posture to infect devices

Commenting on the rapid rise in the use of the Phorpiex botnet to spread ransomware, Dan Panesar, director UK & Ireland at Securonix, told Teiss that educating users is one way to help stop these types of attacks but, as we too often see, users will always be the weakest link in any organisation’s security posture.

“Too often these types of malware and phishing attacks breach defences, so what organisations really need is the ability to proactively detect and respond to abnormal user behaviour in a fast and scalable way, thus removing the human element completely.

“Furthermore, as we see more advanced malware, it is critical to give security teams the visibility into the user behaviour to quickly spot what isn’t ‘normal’ and take steps to remediate this type of attack before it causes real harm to the organisation,” he adds.

According to Check Point, the only malware family that beat the Phorpiex botnet in June in terms of scale and destructiveness was Agent Tesla, an advanced Remote Access Trojan (RAT) that functions as a keylogger and information stealer.

“Agent Tesla is capable of monitoring and collecting the victim’s keyboard input, system clipboard, taking screenshots, and exfiltrating credentials belonging to a variety of software installed on a victim’s machine (including Google Chrome, Mozilla Firefox and Microsoft Outlook email client),” the firm said.

Copyright Lyonsdown Limited 2021
