The Portuguese Abuse Open Feed 0xSI_f33d is a novel open sharing database with the ability to collect indicators from multiple sources, developed by Segurança-Informática. This feed is based on automatic searches and also has a strong contribution from the community. This makes it a reliable and trustworthy and continuously updated source, focused on the threats targeting Portuguese citizens.
The Threat Report Portugal: Q1 2020 compiles data collected on the malicious campaigns that occurred from January to March, Q1, of 2020. The campaigns were classified as either phishing or malware. In addition, the report highlights the threats, trends, and key takeaways of threats observed and reported into 0xSI_f33d. This report provides intelligence and indicators of compromise (IOCs) that organizations can use to fight current attacks, anticipating emerging threats, and manage security awareness in a better way.
The results depicted in Figure 1 show that phishing campaigns (57,7%) were more prevalent than malware (42,3%) during Q1 2020.
Observing the threats by category, it is possible to verify that there was a decrease in the number of malware incidents in contrast to an increase in the cases of phishing over Q1 2020.
From Figure 2, January presented a total of 15 phishing campaigns, 29 in February and 46 during March. It is crucial to monitor this growth indicator to predict the trend for the next months.
On the other hand, January was the month where malware was spotlighted, with the Lampion Trojan in place. This piece of malware was identified at the end of December 2019 using template emails from the Portuguese Government Finance & Tax and Energias de Portugal (EDP) with the goal of collecting banking details from victim’s devices.
Overall, the Lampion Trojan malware was the most prevalent malware targeting Portuguese citizens during Q1 2020. Trojan bankers affecting users from different banks in Portugal were also observed. These kinds of malwares come from Brazil and are related to the same group that is launching attacks via phishing campaigns and recurring also to smishing to enlarge the scope.
In a research conducted by Segurança-Informática, where the whole phishing chain was described, it is possible to validate that the Android trojan bankers used Android webviews to remotely load the phishing-landing page. Those landing-pages were the same that were used in the current phishing waves, confirming that the threat group is the same.
Indeed, the same threat, with the same modus operandi is common amongst different bank organizations.
In third place, is the infamous Emotet malware. Emotet has been reported in domains under Portuguese TLD (.pt). For more details about this threat, please access the Threat Report: Emotet Triple Chain Analysis 2019 – Portugal.
Regarding the affected sectors (Figure 5), Banking was the most affected with both phishing and malware campaigns hitting Portuguese citizens during Q1 2020. Next, was Financing due to the Lampion Trojan and Retail, as the most sectors affected in this season.
Threat campaigns during Q2 will be published on a daily basis into 0xSI_f33d, as well as additional incidents (e.g., EDP Group ransomware attack via RagnarLocker). investigations are being documented and published on Segurança-Informatica.
About the author Pedro Tavares
Pedro Tavares is a professional in the field of information security, working as an Ethical Hacker, Malware Analyst, Cybersecurity Analyst and also a Security Evangelist. He is also a founding member at CSIRT.UBI and Editor-in-Chief of the security computer blog seguranca-informatica.pt.
Read more here.