The Portuguese Abuse Open Feed 0xSI_f33d is an open sharing database with the ability to collect indicators from multiple sources, developed and maintained by Segurança-Informática. This feed is based on automatic searches and is also supported by a healthy community of contributors. This makes it a reliable and trustworthy and continuously updated source, focused on the threats targeting Portuguese citizens. 0xSI_f33d is part of the official VirusTotal ingestors since July 2021 allowing the community to verify threats worldwide provided by this feed.
The Threat Report Portugal: Q3 2021 compiles data collected on the malicious campaigns that occurred from July to September, Q3, of 2021. The submissions were classified as either phishing or malware. In addition, the report highlights the threats, trends, and key takeaways of threats observed and reported into 0xSI_f33d. This report provides intelligence and indicators of compromise (IOCs) that organizations can use to fight current attacks, anticipating emerging threats, and manage security awareness in a better way.
The results depicted in Figure 1 show that phishing campaigns (79,8%) were more prevalent than malware (20,2%) during Q3 2021. It is important to make reference to the values observed in Q2 2021, as phishing (69,5%) and malware (30,5%) increased significantly in this 3rd quarter.
Observing the threats by category from Jan to Dec 2020 in Figure 2, it is possible to verify that there was a high number of phishing campaigns during March, April, and Jun, and this is a strong indicator related to the COVID-19 pandemic situation.
Analyzing these results, it’s possible to notice an increased number of phishing submissions in December 2020. One of the reasons that can explain this is the ANUBIS phishing network that occurred in Portugal between November and December 2020, and the BlackFriday and Christmas season as well. It’s expected this year a BOOM again in terms of malicious campaigns, with the Internet users using the Internet and online platforms to buy Christmas gifts.
The campaigns of phishing and malware in Q1 2021 increased, probably as a result of the Facebook data breach leaked in early January 2021. Criminals are using those kinds of data for performing massive campaigns and targeting Portuguese Internet end users. Q2 maintains the uptrend with criminals using novel techniques to distribute phishing related to the bank sector in the wild. Also, campaigns related to the Autoridade Tributária e Aduaneira were observed, using Telegram to notify criminals about new infections. August ends with a massive campaign impersonating the Continente supermarket brand, with a lot of domains submitted into the 0xSI_f33d.
In terms of malware, the popular QakBot trojan banker has been observed as an increasing threat in Q1-Q3 2021 in Portugal. This piece of malware is focused on stealing banking credentials and victims’ secrets using different techniques tactics and procedures (TTP) which have evolved over the years, including its delivery mechanisms, C2 techniques, and anti-analysis and reversing features.
More recently, two new pieces of malware were documented: HorusEyes RAT taking advantage of a RAT that comes from underground forums, and the dangerous and 100% FullyUndetectable (FUD) Maxtrilha trojan.
For more information about the Maxtrilha trojan check below the full analysis.
Overall, Office and Macro documents, QakBot trojan banker, Satori/Mirai botnet, and Maxtrilha trojan were some of the most prevalent threats affecting Portuguese citizens during Q3 2021. Other trojan bankers’ variants and families affecting users from different banks in Portugal were also observed. These kinds of malwares come from Latin American countries in general, and the attacks are disseminated via phishing campaigns. Criminals are also using smishing to enlarge the scope and to impact a large group of victims.
Regarding the affected sectors, Banking was the most affected with both phishing and malware campaigns hitting Portuguese citizens during Q3 2021. Next, was Retail and Technology, as the most sectors affected in this season.
The infographic containing the report can be downloaded from here in printable format: PDF or PNG.
About the author: Pedro Tavarez
Pedro Tavares is a professional in the field of information security working as an Ethical Hacker, Malware Analyst and also a Security Evangelist. He is also a founding member and Pentester at CSIRT.UBI and founder of the security computer blog seguranca–informatica.pt.
(SecurityAffairs – hacking, Threat Report Portugal)