An alert from researchers at Check Point details how hackers use the ransomware-delivering Phorpiex botnet to initiate email-based malspam campaigns globally. Malspam campaigns using the Phorpiex botnet have spread quickly according to the research firm.
Phorpiex is Spreading Avaddon Ransomware and Sextortion Campaigns
While hackers have been using the botnet to spread large-scale sextortion malspam campaigns, they are now using the botnet to infect computers with Avaddon ransomware. Avaddon ransomware can scramble data on a computer while demanding a ransom in return for file decryption.
In 2019, over a million Phorpiex-infected Windows computers were discovered. Considering that the malware campaign has doubled in scope in May and June of 2020, the number of affected devices should continue only to get much higher.
According to Check Point, “In the past Phorpiex, also known as Trik, was monetized by distributing other malware such as GandCrab, Pony or Pushdo, using its hosts to mine cryptocurrency, or for sextortion scams. It is now being used to spread a new ransomware campaign. Organizations should educate employees about how to identify the types of malspam that carry these threats, such as the latest campaign targeting users with emails containing a wink emoji, and ensuring they deploy security that actively prevents them from infecting their networks.”
When battling malspam and phishing attacks like these, organizations need to proactively detect and respond to any abnormal user behavior in a fast and scalable way. Furthermore, it’s critical to give IT departments visibility into user behavior to attempt to quickly spot what actions aren’t ‘normal’ and take steps to stop this type of attack before it causes harm to your organization.
According to Check Point, the only malware strain that beat the Phorpiex botnet in June of 2020 in terms of scale and destructiveness was Agent Tesla, an advanced Remote Access Trojan (RAT) that also functions as a keylogger and information stealer.