Check Point Research, the Threat Intelligence arm of Check Point® Software Technologies Ltd., a leading provider of cyber security solutions worldwide, has published its latest Global Threat Index for June 2020. In the past month, researchers found that the Phorpiex botnet has been delivering the Avaddon ransomware, a new Ransomware-as-a-Service (RaaS) variant that emerged in early June, via malspam campaigns, causing it to jump up 13 places to 2nd in the Top Malware listing and doubling its impact on organisations worldwide compared to May.
Phorpiex is known for spreading large-scale sextortion malspam campaigns, as well as distributing other malware families, as reported previously by Check Point researchers. The latest malspam messages distributed via Phorpiex try to entice recipients into opening a ZIP file attachment by using a wink emoji in the email subject. The Avaddon ransomware is activated if a user clicks on the file, scrambling data on the computer and demanding a ransom in return for file decryption. In its 2019 research, Check Point found over a million Phorpiex-infected Windows computers. Researchers estimated the annual criminal revenue generated by the Phorpiex botnet at approximately US$500,000.
Meanwhile, the Agent Tesla remote access trojan and info-stealer continued to have a significant impact throughout June, moving up from 2nd place in May to 1st place, while the XMRig cryptominer remains in 3rd place for the second month running.
“In the past, Phorpiex, also known as Trik, was monetised by distributing other malware such as GandCrab, Pony or Pushdo, using its hosts to mine cryptocurrency, or for sextortion scams. It’s now being used to spread a new ransomware campaign,” said Maya Horowitz, Director, Threat Intelligence & Research, Products at Check Point. “Organisations should educate employees about how to identify the types of malspam that carry these threats, such as the latest campaign targeting users with emails containing a wink emoji, and ensure they deploy security that actively prevents them from infecting their networks.”
The research team also warns that “OpenSSL TLS DTLS Heartbeat Information Disclosure” is the most commonly exploited vulnerability, impacting 45% of organisations worldwide, closely followed by “MVPower DVR Remote Code Execution”, which impacts 44% of organisations worldwide. “Web Server Exposed Git Repository Information Disclosure” remains in third place, with a global impact of 38%.
Top malware families
*The arrows relate to the change in rank compared to the previous month.
This month, Agent Tesla is the most prevalent malware, with a global impact of 3% of organisations, closely followed by Phorpiex and XMRig, each affecting 2% of organisations.
Top exploited vulnerabilities
This month, “OpenSSL TLS DTLS Heartbeat Information Disclosure” is the most commonly exploited vulnerability, affecting 45% of organisations globally, closely followed by “MVPower DVR Remote Code Execution”, which impacts 44% of organisations worldwide. “Web Server Exposed Git Repository Information Disclosure” remains in third place, with a global impact of 38%.
Top mobile malware families
This month, Necro is the most prevalent mobile malware, followed by Hiddad and Lotoor.
Check Point’s Global Threat Impact Index and its ThreatCloud Map are powered by Check Point’s ThreatCloud intelligence, the largest collaborative network to fight cybercrime, which delivers threat data and attack trends from a global network of threat sensors. The ThreatCloud database inspects over 2.5 billion websites and 500 million files daily, and identifies more than 250 million malware activities every day.