Check Point Research, the Threat Intelligence arm of Check Point Software Technologies Ltd. , has published its latest Global Threat Index for November 2020, showing a new surge in infections by the well-known Phorpiex botnet which has made it the month’s most prevalent malware, impacting 4% of organizations globally. Phorpiex was last seen in the Threat Index’s top 10 in June this year.
The Phorpiex botnet was first reported in 2010, and at its peak controlled more than a million infected hosts. Known for distributing other malware families via spam as well as fueling large-scale “sextortion” spam campaigns and cryptomining, Phorpiex has again been distributing the Avaddon ransomware, as Check Point researchers originally reported earlier this year. Avaddon is a relatively new Ransomware-as-a-Service (RaaS) variant, and its operators have again been recruiting affiliates to distribute the ransomware for a cut of the profits. Avaddon has been distributed via JS and Excel files as part of malspam campaigns and is able to encrypt a wide range of file types.
“Phorpiex is one of the oldest and most persistent botnets, and has been used by its creators for many years to distribute other malware payloads such as GandCrab and Avaddon ransomware, or for sextortion scams. This new wave of infections is now spreading another ransomware campaign, which shows just how effective a tool Phorpiex is,” said Maya Horowitz, Director, Threat Intelligence & Research, Products at Check Point. “Organizations should educate employees about how to identify potential malspam and to be wary of opening unknown attachments in emails, even if they appear to come from a trusted source. They should also ensure they deploy security that actively prevents them from infecting their networks.”
The research team also warns that “HTTP Headers Remote Code Execution (CVE-2020-13756)” is the most common exploited vulnerability, impacting 54% of organizations globally, followed by “MVPower DVR Remote Code Execution” impacted 48% of organizations worldwide and “Dasan GPON Router Authentication Bypass (CVE-2018-10561) impacted 44% of organizations globally.
