Check Point researchers observed a sharp increase in attacks involving the Phorpiex botnet (aka Trik), which is currently distributing the Avaddon ransomware through spam emails. As a result, Phorpiex climbed from 15th to 2nd place in June's ranking of the most active malware, doubling its impact on organizations compared with May of this year. The botnet affected roughly 2% of organizations worldwide.
Until now, Phorpiex has been known mainly as one of the most active spam botnets. It infects Windows machines and uses them as spam bots. These spam campaigns sustain and grow the botnet by infecting ever more devices, and they also earn its operators money: other criminal groups pay to use the botnet to distribute their own malware (including GandCrab, Pony, Pushdo and cryptocurrency miners).
Phorpiex operators are also involved in so-called sextortion (a blend of "sex" and "extortion"). The tactic relies on intimidation: scammers send spam claiming to possess compromising images or videos of the recipient and demand a ransom to keep them private.
Over five months of observation last year, Check Point analysts tracked more than 14 bitcoins (approximately $115,000) that sextortion victims transferred to Phorpiex operators as ransom.
According to Check Point's estimates, the Phorpiex botnet already comprised roughly 450,000 infected computers in the fall of 2019, and it now exceeds one million. A single bot can generate up to 30,000 emails per hour, and an individual spam campaign can reach up to 27 million users. Researchers estimate the operators' annual income at about $500,000.
The botnet is currently distributing a new version of the Avaddon ransomware, which is offered as RaaS (ransomware as a service). The spam messages urge recipients to open an attached ZIP archive; doing so launches the malware, which encrypts the victim's data and demands a ransom.
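The delivery mechanism above (a lure email carrying a ZIP archive whose contents execute on opening) is the kind of thing a mail gateway can flag before it reaches a user. The following Python script is an added example written for this article, not code from Check Point or from the malware described; it parses a raw email, identifies ZIP attachments by their magic bytes rather than by the declared MIME type, and reports archive members with Windows-executable or script extensions. The sample message, the attachment name `invoice.zip`, the member name `Invoice_2020-06.pdf.js` and the extension list are all constructed assumptions for illustration, not artifacts of the Avaddon campaign.

```python
import email
import io
import zipfile
from email import policy
from email.message import EmailMessage

# Extensions that should not arrive inside an archive from an unknown sender
# (Windows executables and script hosts). The list is an assumption for the
# example; a real gateway policy would be tuned to the organization.
RISKY_EXTENSIONS = {
    ".exe", ".scr", ".dll", ".js", ".jse", ".vbs", ".vbe", ".wsf",
    ".hta", ".cmd", ".bat", ".ps1", ".lnk",
}

# ZIP local-file-header, end-of-central-directory and spanned-archive signatures
ZIP_MAGIC = (b"PK\x03\x04", b"PK\x05\x06", b"PK\x07\x08")


def risky_zip_members(zip_bytes):
    """Return member names inside a ZIP whose final extension is risky.

    Only the last extension matters, so a double-extension lure such as
    "report.pdf.js" is still caught. Non-ZIP input yields an empty list.
    """
    try:
        archive = zipfile.ZipFile(io.BytesIO(zip_bytes))
    except zipfile.BadZipFile:
        return []
    hits = []
    for info in archive.infolist():
        lower = info.filename.lower()
        ext = "." + lower.rsplit(".", 1)[-1] if "." in lower else ""
        if ext in RISKY_EXTENSIONS:
            hits.append(info.filename)
    return hits


def scan_message(raw_bytes):
    """Parse an RFC 5322 message and return [(attachment name, [risky members])].

    The check is on the attachment's bytes, not its Content-Type, because
    senders control the declared MIME type and routinely mislabel archives.
    """
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        payload = part.get_payload(decode=True)
        if not payload or payload[:4] not in ZIP_MAGIC:
            continue
        members = risky_zip_members(payload)
        if members:
            findings.append((part.get_filename() or "<unnamed>", members))
    return findings


def build_sample_message():
    """Constructed lure email for the example: a ZIP holding a .js file.

    The script body is a placeholder comment, not a payload of any kind.
    """
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as archive:
        archive.writestr("Invoice_2020-06.pdf.js", "// placeholder, not a real script\n")
        archive.writestr("readme.txt", "nothing of interest\n")
    msg = EmailMessage()
    msg["From"] = "billing@example.invalid"
    msg["To"] = "recipient@example.invalid"
    msg["Subject"] = "Your invoice"
    msg.set_content("Please open the attached archive to view your invoice.")
    # Deliberately mislabelled MIME type: the magic-byte check still sees a ZIP
    msg.add_attachment(buf.getvalue(), maintype="application",
                       subtype="octet-stream", filename="invoice.zip")
    return msg.as_bytes()


if __name__ == "__main__":
    for name, members in scan_message(build_sample_message()):
        print(f"{name}: risky members {members}")
```

The script deliberately does not open nested archives or decompress beyond reading the central directory, so a decompression bomb in a hostile attachment does not cost the gateway memory; extending it to password-protected or nested ZIPs, a common evasion, is left to the deployment.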
The researchers also note that in June the Agent Tesla RAT and infostealer rose from second place to first, while the XMRig cryptominer held third place for the second month in a row. The top three most active malware families worldwide in June 2020 were therefore:
- Agent Tesla – an advanced Remote Access Trojan (RAT). AgentTesla has been infecting computers since 2014, acting as a keylogger and password stealer;
- Phorpiex – a botnet that distributes malware and is also engaged in sextortion;
- XMRig – open-source software first observed in May 2017, used to mine the Monero cryptocurrency.
The list of malware most active in Russia differs from the global one, as usual, but overall has not changed for a long time. It comprises:
- Emotet – an advanced self-propagating modular Trojan. Originally an ordinary banking Trojan, it is now used to distribute other malware and run malicious campaigns. Its newer functionality can send phishing emails containing malicious attachments or links;
- RIG EK – an exploit kit containing exploits for Internet Explorer, Flash, Java and Silverlight. Infection begins by redirecting the victim to a landing page containing JavaScript that probes for vulnerable components and attempts to exploit them;
- XMRig – open-source software first observed in May 2017, used to mine the Monero cryptocurrency.