
THREAT INTELLIGENCE REPORT

Angola
Threat Intelligence Summary
• An organization in Angola is being attacked on average 2203 times per week in the last 6 months, compared to 1934 attacks per organization in Africa.
• The top malware in Angola is Phorpiex.
• The top malware list in Angola includes 2 Botnets, 2 Infostealers (Formbook, Qbot) and 1 Backdoor (Floxif).
• The most common vulnerability exploit type in Angola is Remote Code Execution, impacting 54% of the organizations.
• Weekly impacted organizations by malware types:

               Cryptominer   Ransomware   Mobile   InfoStealer   Banking   Botnet
  Angola Avg.     10.6%         4.1%       6.0%       9.5%        6.1%     25.9%
  Africa Avg.      7.4%         3.7%       6.7%       6.9%        3.4%     13.1%

• View the latest publications by Check Point Research

©2023 Check Point Software Technologies Ltd.


Threat Landscape
• Ransomware Data Extortion - Running ransomware operations poses significant challenges for cyber criminals, so many groups have chosen to focus on data extortion instead of encryption. Many different types of information are considered sensitive, from corporate financial and proprietary data to personal data relating to health, finances or any other personally identifiable information (PII), which makes the threat of data exposure even more potent.
• Unrestrained Wipers - During 2022 there was a noticeable shift in the scale of destructive malware deployment. Cyberespionage activity has been supplemented by destructive cyber operations, instigated by nations whose goal appears to be to inflict as much damage as possible.
• Hacktivism - The boundaries between state cyber operations and hacktivism have blurred, as more hacktivist groups are now state-affiliated and promote nation-state narratives. The hacktivist groups are better organized and more effective than ever before.
• Cloud: Third Party Threat - The number of attacks on cloud-based networks per organization increased significantly, up 48% in 2022 compared with 2021, indicating a shift in threat actors' preference towards scanning the IP ranges of cloud providers to gain easier access to sensitive information or critical services.
• Weaponization of Legitimate Tools - To evade sophisticated cybersecurity solutions, threat actors are refining their attack techniques, relying less on custom malware and shifting instead to legitimate, non-signature tools.
• For more data and examples please see Check Point Research Cyber Security: 2023 Annual Report.



Major attacks and data breaches - Africa
• Aug-23 - Researchers discovered a vulnerability in Microsoft's Visual Studio Code (VS Code) code editor and development environment concerning the handling of secure token storage. Malicious extensions can exploit it to access authentication tokens stored within Windows, Linux, and macOS credential managers.
• Aug-23 - Kenya's government has been a victim of a massive DDoS (Distributed Denial of Service) attack that impacted the eCitizen portal, which serves as a platform for the public to access over 5,000 government services. The attack was conducted by the Russia-affiliated hacktivist group Anonymous Sudan.
• Jun-23 - Check Point Research has identified an ongoing operation against targets in North Africa involving a previously undisclosed multi-stage backdoor called Stealth Soldier. The backdoor primarily operates surveillance functions such as file exfiltration, screen and microphone recording, keystroke logging and stealing browser information.
• May-23 - Check Point Research has published its threat report for Q1 2023. According to the report, an increased amount of threats has been observed every week in comparison to Q1 2022, with organizations in the Education and Research sector seeing the highest increase in attacks. Additionally, organizations in Asia and Africa have also become increasingly targeted in 2023 as opposed to previous years.
• May-23 - Hacktivist groups have targeted Israel in the past week as the country was marking its independence day. In one attack, the Iran-affiliated group Sharp Boys leaked a 200,000-entry database of students' personal information breached from the Israeli school and college network Atid. In another attack, the group Anonymous Sudan caused denial of service to multiple Israeli government, media and corporate websites.
• Apr-23 - Various Muslim-affiliated hacktivist groups have launched OpIsrael, targeting Israeli websites with DDoS during the past week. Among the targets hit by Anonymous Sudan were Israeli government subdomains, as well as websites of universities, hospitals, media journals, airports and Israeli companies.



Attacks per Organization - Last 6 Months
[Chart: weekly attacks per organization, Angola vs. Africa, 03-Apr-23 to 25-Sep-23; y-axis 0 to 3500]



Most Impacted Industries - Last 6 Months
Weekly Attacks per Organization - Angola
Communications        3531
Utilities             2822
Finance/Banking       1827

Weekly Attacks per Organization - Africa
ISP/MSP               2493
Government/Military   2323
Transportation        1848
Finance/Banking       1807
Education/Research    1386
Insurance/Legal       1306
Manufacturing          556
Leisure/Hospitality    399



Top Malware - Angola- Aug-23
Malware family (Angola impact / Africa impact) and description:

Phorpiex (24.7% / 5.1%)
Phorpiex is a botnet (aka Trik) that has been active since 2010 and at its peak controlled more than a million infected hosts. It is known for distributing other malware families via spam campaigns as well as fueling large-scale spam and sextortion campaigns.

Formbook (11.0% / 7.7%)
FormBook is an Infostealer targeting the Windows OS and was first detected in 2016. It is marketed as Malware as a Service (MaaS) in underground hacking forums for its strong evasion techniques and relatively low price. FormBook harvests credentials from various web browsers, collects screenshots, monitors and logs keystrokes, and can download and execute files according to orders from its C&C.

Qbot (8.2% / 9.6%)
Qbot AKA Qakbot is a multipurpose malware that first appeared in 2008. It was designed to steal a user's credentials, record keystrokes, steal cookies from browsers, spy on banking activities, and deploy additional malware. Often distributed via spam email, Qbot employs several anti-VM, anti-debugging, and anti-sandbox techniques to hinder analysis and evade detection. Commencing in 2022, it emerged as one of the most prevalent Trojans.

Floxif (6.8% / 3.9%)
Floxif is an info stealer and backdoor, designed for Windows OS. It was used in 2017 as part of a large-scale campaign in which attackers inserted Floxif (and Nyetya) into the free version of CCleaner (a cleanup utility), thus infecting more than 2 million users, amongst them large tech companies such as Google, Microsoft, Cisco, and Intel.

Glupteba (6.8% / 2.4%)
Known since 2011, Glupteba is a backdoor that gradually matured into a botnet. By 2019 it included a C&C address update mechanism through public BitCoin lists, an integral browser stealer capability and a router exploiter.



Top Malware - Africa- Aug-23
Malware family (Africa impact) and description:

Qbot (9.6%)
Qbot AKA Qakbot is a multipurpose malware that first appeared in 2008. It was designed to steal a user's credentials, record keystrokes, steal cookies from browsers, spy on banking activities, and deploy additional malware. Often distributed via spam email, Qbot employs several anti-VM, anti-debugging, and anti-sandbox techniques to hinder analysis and evade detection. Commencing in 2022, it emerged as one of the most prevalent Trojans.

Formbook (7.7%)
FormBook is an Infostealer targeting the Windows OS and was first detected in 2016. It is marketed as Malware as a Service (MaaS) in underground hacking forums for its strong evasion techniques and relatively low price. FormBook harvests credentials from various web browsers, collects screenshots, monitors and logs keystrokes, and can download and execute files according to orders from its C&C.

Fakeupdates (6.2%)
Fakeupdates (AKA SocGholish) is a downloader written in JavaScript. It writes the payloads to disk prior to launching them. Fakeupdates led to further compromise via many additional malware, including GootLoader, Dridex, NetSupport, DoppelPaymer, and AZORult.

Phorpiex (5.1%)
Phorpiex is a botnet (aka Trik) that has been active since 2010 and at its peak controlled more than a million infected hosts. It is known for distributing other malware families via spam campaigns as well as fueling large-scale spam and sextortion campaigns.

ChromeLoader (4.6%)



Top Threat Source Countries- Last 6 Months

[Pie charts: top threat source countries, last 6 months. Angola legend: United States, Brazil, Germany, Netherlands, Russia, Other. Africa legend: United States, South Africa, Netherlands, United Kingdom, Germany, Kenya, Other.]



Attack Vectors for Malicious Files- Last 30 Days

Angola
There is insufficient data. Contact data_research@checkpoint.com for assistance.

Africa
[Pie chart: split between Web and Email; the two slices shown are 28% and 72%]



Top Malicious File Types, Email- Last 30 Days

Angola
There is insufficient data. Contact data_research@checkpoint.com for assistance.

Africa
exe    71%
xlam    8%
pdf     7%
rtf     5%
xls     5%
docx    2%
xlsx    1%
shtml   1%
vbs     1%
bat     1%



Top Malicious File Types, Web- Last 30 Days
Angola
exe    45%
sh     36%
dll     9%
pdf     9%

Africa
exe    62%
sh     16%
pdf     9%
dll     4%
eot     4%
bin     1%
ima     1%
lnk     1%
msi     1%



Top MITRE Techniques, Malicious EXE Files- Last 30 Days

TECHNIQUE                     RELATED TACTICS                ANGOLA IMPACT   AFRICA IMPACT
Service Execution             Execution                      7%              36%
Input Capture                 Credential Access, Collection  7%              44%
System Information Discovery  Discovery                      7%              53%
Execution through API         Execution                      7%              55%
Data Destruction              Impact                         7%              43%



Top Vulnerability Exploit types - Last 30 Days
% of Impacted Organizations - Angola
Remote Code Execution    55%
Information Disclosure   50%
Authentication Bypass    39%
Denial of Service        38%

% of Impacted Organizations - Africa
Remote Code Execution    62%
Information Disclosure   61%
Authentication Bypass    49%
Denial of Service        37%



Major Malware Types trend - Angola, Last 6 Months
[Chart: weekly share of impacted organizations in Angola by malware type (Cryptomining, Mobile, InfoStealer, Banking, Botnet, Ransomware), 03-Apr-23 to 25-Sep-23; y-axis 0.0% to 45.0%]



InfoStealer Attacks- Last 6 Months
[Chart: weekly share of organizations impacted by InfoStealers, Angola vs. Africa, 03-Apr-23 to 25-Sep-23; y-axis 0.0% to 25.0%]



Banking Attacks- Last 6 Months
[Chart: weekly share of organizations impacted by Banking malware, Angola vs. Africa, 03-Apr-23 to 25-Sep-23; y-axis 0.0% to 14.0%]



Cryptominer Attacks- Last 6 Months
[Chart: weekly share of organizations impacted by Cryptominers, Angola vs. Africa, 03-Apr-23 to 25-Sep-23; y-axis 0.0% to 18.0%]



Mobile Attacks- Last 6 Months
[Chart: weekly share of organizations impacted by Mobile malware, Angola vs. Africa, 03-Apr-23 to 25-Sep-23; y-axis 0.0% to 12.0%]



Botnet Attacks- Last 6 Months
[Chart: weekly share of organizations impacted by Botnets, Angola vs. Africa, 03-Apr-23 to 25-Sep-23; y-axis 0.0% to 45.0%]



Ransomware Attacks- Last 6 Months
[Chart: weekly share of organizations impacted by Ransomware, Angola vs. Africa, 03-Apr-23 to 25-Sep-23; y-axis 0.0% to 16.0%]



CP<R> Intelligence Services
DAILY DIGEST and INTELLIGENCE REPORTS: OSINT, APT, Cyber Crime, Darknet, IOC List, vertical/country specific, Cyber Flashes, Attack Surface

ANALYST AS A SERVICE: Malware Triage, IOC Analysis, Reverse Eng.

ELITE INTELLIGENCE: Vulnerability Research, Security Review, Dedicated Analyst

For more information, please contact sergeyshy@checkpoint.com



THANK YOU

More Info:
https://research.checkpoint.com/
