The Portuguese Abuse Open Feed 0xSI_f33d is an open sharing database with the ability to collect indicators from multiple sources, developed and maintained by Segurança-Informática. This feed is based on automatic searches and is also supported by a healthy community of contributors. This makes it a reliable and trustworthy and continuously updated source, focused on the threats targeting Portuguese citizens. 0xSI_f33d is part of the official VirusTotal ingestors since July 2021 allowing the community to verify threats worldwide provided by this feed.
The Threat Report Portugal: Q2 2021 compiles data collected on the malicious campaigns that occurred from April to June, Q2, of 2021. The submissions were classified as either phishing or malware. In addition, the report highlights the threats, trends, and key takeaways of threats observed and reported into 0xSI_f33d. This report provides intelligence and indicators of compromise (IOCs) that organizations can use to fight current attacks, anticipating emerging threats, and manage security awareness in a better way.
Phishing and Malware Q2 2021
The results depicted in Figure 1 show that phishing campaigns (69,5%) were more prevalent than malware (30,5%) during Q2 2021. It is important to make reference to the values observed in Q1 2021, as phishing and malware increased significantly in this 2nd quarter.
Observing the threats by category from Jan to Dec 2020 in Figure 2, it is possible to verify that there was a high number of phishing campaigns during March, April, and Jun, and this is a strong indicator related to the COVID-19 pandemic situation.
Analyzing these results, it’s possible to notice an increased number of phishing submissions in December 2020. One of the reasons that can explain this is the ANUBIS phishing network that occurred in Portugal between November and December 2020, and the BlackFriday and Christmas season as well.
The campaigns of phishing and malware in Q1 2021 have been growing, probably as a result of the Facebook data breach leaked in early January 2021. Criminals are using those kinds of data for performing massive campaigns and targeting Portuguese Internet end users. Q2 maintains the uptrend with criminals using novel techniques to distribute phishing related to the bank sector in the wild.
In terms of malware, the popular QakBot trojan banker have been observed as an increasing threat since Q1 2021 in Portugal. This piece of malware is focused on stealing banking credentials and victim’s secrets using different techniques tactics and procedures (TTP) which have evolved over the years, including its delivery mechanisms, C2 techniques, and anti-analysis and reversing features.
For more information about the QakBot trojan check below the full analysis.
Malware by Numbers
Overall, the Satori/Mirai botnet, QakBot trojan banker, and Office and Macro documents were some of the most prevalent threats affecting Portuguese citizens during Q2 2021. Other trojan bankers’ variants and families affecting users from different banks in Portugal were also observed. These kinds of malwares come from Latin American countries in general, and the attacks are disseminated via phishing campaigns. Criminals are also using smishing to enlarge the scope and to impact a large group of victims.
In detail, URSA trojan, Javali, Lampion, and the infamous Grandoreiro; with 16 cybercriminals allegedly operating this threat arrested in Spain, are part of the malware samples submitted and analyzed during Q2 2021 onto 0xSI_f33d.
Threats by Sector
Regarding the affected sectors, Banking was the most affected with both phishing and malware campaigns hitting Portuguese citizens during Q2 2021. Next, was Retail and Technology, as the most sectors affected in this season.
The infographic containing the report can be downloaded from here in printable format: PDF or PNG.
About the author: Pedro Tavares
Pedro Tavares is a professional in the field of information security working as an Ethical Hacker/Pentester, Malware Researcher and also a Security Evangelist. He is also a founding member at CSIRT.UBI and Editor-in-Chief of the security computer blog seguranca-informatica.pt.
(SecurityAffairs – hacking, Threat Report Q2 2021)