This botnet has surged back into action spreading a new ransomware campaign via phishing emails

There's been a big jump in Phorpiex botnet activity - but it's a trojan malware attack that was the most common malware campaign in June.
Written by Danny Palmer, Senior Writer

A notorious botnet campaign has surged in activity over the past month, with cyber criminals using it to distribute a ransomware campaign alongside other malware.

Researchers at cybersecurity provider Check Point analysed the most common cyber threats targeting organisations for it's June 2020 Most Wanted Malware report and saw a huge rise in attacks coming via the Phorpiex botnet.

Phorpiex is known for distributing a number of malware and spam campaigns, including largescale sextortion email campaigns, but over the course of June the number of detections increased significantly compared to May.

SEE: A winning strategy for cybersecurity (ZDNet special report) | Download the report as a PDF (TechRepublic)  

The rise in Phorpiex detections grew to such an extent that it was the second most detected malware campaign during June, having been ranked at 13 in May. The number of attempted attacks was so high that 2% of organisations were targeted by the botnet.

The botnet sends out spam emails that attempt to deliver a malicious payload to victims. Over the past month it's been used to power an Avaddon ransomware campaign.

This particular ransomware family only appeared in June and Phorpeix attempts to lure victims into opening a Zip file attachment in a phishing email that uses a wink emoji as the subject. It might sound like a basic form of cyberattack, but criminals wouldn't be using it if it didn't work.

Previously, Phorpiex – which is also known as Trik – has been used to distribute spam campaigns for other forms of ransomware, including GandCrab and Pony, as well as being used to mine for cryptocurrency on infected machines.

"Organisations should educate employees about how to identify the types of malspam that carry these threats, such as the latest campaign targeting users with emails containing a wink emoji, and ensuring they deploy security that actively prevents them from infecting their networks," warned Check Point researchers in a blog post.

While Porpiex attacks have risen significantly, the most commonly detected malware during June was Agent Tesla, an advanced remote access trojan that was detected targeting 3% of organisations.

Agent Tesla is an information stealer and a keylogger, providing attackers with the ability to see absolutely everything on the infected computer, including usernames, passwords, browser history, system information and more – everything needed to very much compromise a network.

June's third most detected malware was XMRig, an open-source cryptocurrency mining malware that uses CPU power of infected machines to generate Monero. It has been active since May 2017.

SEE: DDoS botnet coder gets 13 months in prison

The remainder of the top 10 most wanted malware for June is made up of familiar names including Dridex, Trickbot, Ramnit and Emotet that have long been staples of cyber-criminal activity, either by stealing information themselves, or being used as a stepping stone for much more destructive campaigns. For example, Trickbot and Emotet are often used as the first stage of largescale ransomware attacks.

Many of the common forms of malware rely on exploits and vulnerabilities that have long been known, so can be protected against by applying security patches, which in some cases have been available for years.


Editorial standards