Check Point experts found that the Phorpiex botnet (aka Trik) has increased its activity. Researchers have recorded a sharp increase in attacks using Phorpiex, which currently distributes Avaddon malware using spam emails.
As a result, in June, Phorpiex surged from 15th to 2nd place in the top of the most active malware of the month, doubling its impact on organizations compared to May of this year. The botnet attacked about 2% of organizations in the world.
Before this, Phorpiex was considered one of the most active spammer botnets. It infects Windows machines and uses them as spam bots to send messages.
“Such spam campaigns provide constant support and growth of the botnet, infecting ever more new devices, and they also bring profit to the malware operators: other hack groups use the botnet to spread their malware (including GandCrab, Pony, Pushdo and cryptocurrency miners)”, write Check Point specialists.
Among other things, Phorpiex operators are involved in so-called “sexual extortion”. This tactic relies on intimidating users: scammers send spam in which they try to convince their victims that they have some incriminating images or videos, and demand a ransom.
Reference:
In English, the term sextortion, derived from the words sex and extortion, is used to denote such activity.
Last year, over five months of observation, Check Point analysts tracked more than 14 bitcoins (approximately $115,000) that victims of extortion transferred as ransoms to Phorpiex operators.
According to estimates by Check Point analysts, as early as the fall of 2019, the Phorpiex botnet included approximately 450,000 infected computers, and currently there are more than a million of them.
“One bot can generate up to 30,000 emails per hour, and individual spam campaigns can affect up to 27,000,000 users”, say Check Point analysts.
Researchers estimate the annual income of botnet operators at about $500,000.
The botnet is currently distributing a new version of the Avaddon RaaS ransomware. In the spam messages, users are urged to open the attached Zip file, after which the malware is activated; it encrypts the data and demands a ransom from the victim.
Experts also note that in June, the Agent Tesla RAT and infostealer rose from second place to first, while the crypto miner XMRig remains in third place for the second month in a row. As a result, in June 2020, the TOP-3 of the most active malware in the world was the following:
- Agent Tesla — an advanced Remote Access Trojan (RAT). Agent Tesla has been infecting computers since 2014, acting as a keylogger and password stealer, and specializes in attacks on oil and gas companies;
- Phorpiex — a botnet that distributes malware as well as engages in sexual extortion;
- XMRig — open source software first discovered in May 2017. Used for mining the Monero cryptocurrency, oriented toward Intel servers.