The Portuguese Abuse Open Feed 0xSI_f33d is an open sharing database with the ability to collect indicators from multiple sources, developed and maintained by Segurança-Informática. This feed is based on automatic searches and is also supported by a healthy community of contributors. This makes it a reliable and trustworthy and continuously updated source, focused on the threats targeting Portuguese citizens. 0xSI_f33d is part of the official VirusTotal ingestors since July 2021 allowing the community to verify threats worldwide provided by this feed.
The Threat Report Portugal: Q4 2021 compiles data collected on the malicious campaigns that occurred from October to December, Q4, of 2021. The submissions were classified as either phishing or malware. In addition, the report highlights the threats, trends, and key takeaways of threats observed and reported into 0xSI_f33d. This report provides intelligence and indicators of compromise (IOCs) that organizations can use to fight current attacks, anticipate emerging threats, and manage security awareness in a better way.
Phishing and Malware Q4 2021
The results depicted in Figure 1 show that phishing campaigns (92,2%) were more prevalent than malware (7,8%) during Q4 2021. A growing trend in phishing submissions was observed in Q4 (1180), with malware having 7.8% of the total, in comparison with 20.2% in Q3 2021.
Regarding Q1 2021, the campaigns of phishing and malware increased in reference to 2020, probably as a result of the Facebook data breach leaked in early January 2021. Criminals are using those kinds of data for performing massive campaigns and targeting Portuguese Internet end users. Q2 maintained the uptrend with criminals using novel techniques to distribute phishing related to the bank sector in the wild. Also, campaigns related to the Autoridade Tributária e Aduaneira were observed, using Telegram to notify criminals about new infections. August ended with a massive campaign impersonating the Continente supermarket brand, with a lot of domains submitted into the 0xSI_f33d.
In terms of malware, the popular QakBot trojan banker was observed as an increased threat in Q1-Q3 2021 in Portugal. This piece of malware is focused on stealing banking credentials and victims’ secrets using different techniques tactics and procedures (TTP) which have evolved over the years, including its delivery mechanisms, C2 techniques, and anti-analysis and reversing features.
Also, two new pieces of malware were documented: HorusEyes RAT taking advantage of a RAT that comes from underground forums, and the dangerous and 100% FullyUndetectable (FUD) Maxtrilha trojan.
For more information about the Maxtrilha trojan check below the full analysis.
Last, it is possible to verify that there was a high number of phishing campaigns in November and December, and this is an indicator connected to a social engineering campaign related to package delivery services, including CTT, DHL, UPS, FedEx, etc. Notice that, this campaign has been tracked by Segurança-Informática and all the malicious domains submitted on the 0xSI_f33d every day.
Malware by Numbers
Overall, the Satori/Mirai botnet, MS Office documents (macros), and Qakbot trojan were some of the most prevalent threats affecting Portuguese citizens during Q4 2021. Other trojan bankers variants and families affecting users from different banks in Portugal were also observed. These kinds of malwares come from Brazil and the attacks are disseminated via phishing campaigns. Criminals are also using smishing to enlarge the scope and to impact a large group of victims.
Threats by Sector
Regarding the affected sectors, Retail was the most affected with both phishing and malware campaigns hitting Portuguese citizens during Q4 2021. Next, was Banking and Health, as the most sectors affected in this season.
Threat campaigns during Q1 2022 will be published on a daily basis into 0xSI_f33d, as well as additional incidents and investigations that are being documented and published on Segurança-Informatica.
The infographic containing the report can be downloaded from here in printable format: PDF or PNG.
Download: [PDF] or [PNG]
Pedro Tavares is a professional in the field of information security working as an Ethical Hacker/Pentester, Malware Researcher and also a Security Evangelist. He is also a founding member at CSIRT.UBI and Editor-in-Chief of the security computer blog seguranca-informatica.pt.
In recent years he has invested in the field of information security, exploring and analyzing a wide range of topics, such as pentesting (Kali Linux), malware, exploitation, hacking, IoT and security in Active Directory networks. He is also Freelance Writer (Infosec. Resources Institute and Cyber Defense Magazine) and developer of the 0xSI_f33d – a feed that compiles phishing and malware campaigns targeting Portuguese citizens.
Read more here.