Thought DJI Wanted to Work With Me… Turns Out, Someone Wanted to Hack Me Instead.
Woke up to an email that had me grinning...a DJI collaboration request. I'm in the middle of planning an Asia trip, so this was a chance to get my hands on some gear from DJI...or so I thought.
Something wasn’t right.
🧵Thread 👇
The email felt...off. Too generic. No personal details, just the usual "We love your content and want to collaborate!" kind of fluff. Then I looked at the sender's domain: djipartner[.]live. That didn’t feel official.
WARNING: The site is still live, I am not responsible for your actions! :)
I decided to perform a quick WHOIS lookup and found that this domain was registered 29 days ago...Boo! Definitely leaning towards a scam. I was looking forward to trying out some gear from @DJIGlobal ...unless👀👀 👉👈
But hey, since I was already here, might as well have a little fun with it.
I checked out their website and one thing stood out—it specifically mentioned "For YouTube Partners". Okay, so this campaign is likely targeting YouTube Creators.
Once the page loaded, I went and clicked on “I am a Partner” and was immediately directed to a download page.
The site encourages its "partners" to download the materials, and upon clicking "Download Materials", I was immediately met with a list of instructions.
Great instructions don't you think?
The download was an archive (RAR) file, and when I tried to open it... password required.
At this point, I could’ve walked away, but nah, I wanted to see if I could get the password to access whatever content was in that archive. So I did what any rational person would do... and replied to the email. Heh.
Six hours later, my new "business partners" got back to me. Their reply was quite long, but buried in the email was the password!!
I got access to the contents and immediately my attention shifted towards a file with an extension of ".scr" commonly associated with screensavers, but one detail stood out: it was 88MB in size, far larger than a legitimate screensaver file.
I extracted the "Advertising" file and generated a SHA256 file hash, then searched for it on VirusTotal. Eight vendors flagged it as malicious, labelling this file as a loader. In other words, this file is responsible for delivering additional malware.
Looking at its history, the file wasn’t new, it was first seen back in 2019.
Analysis showed that it contacts the IP 185[.]147[.]125[.]81 on port 5000.
It also dropped two DLL files, both communicating with the same IP and port.
Reviewing the behavior logs, I noted another IP: 45[.]150[.]32[.]106.
Searching this IP on VirusTotal showed that nine vendors had flagged it as malicious, and a community comment labeled it as Rhadamanthys Stealer.
Taken from Malpedia: "According to PCrisk, Rhadamanthys is a stealer-type malware, and as its name implies - it is designed to extract data from infected machines."
Take a second and always try to verify collaboration requests and sponsorships. Be cautious of newly registered domains, generic messaging, and password-protected downloads.
These tactics are designed to lure creators into running malicious files.
Pause, analyze, and verify before engaging.
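As an added example (not code from the thread's author), a small Python triage helper that turns the indicators above into repeatable checks: sender-domain age, a password-protected archive, and an oversized file with an executable extension such as .scr, plus a streamed SHA256 for the VirusTotal lookup. The thresholds, the defang helper, and the sparse placeholder file standing in for the 88 MB sample are assumptions.

```python
import hashlib
import os
import tempfile

# Heuristic thresholds (assumptions, not from the thread).
NEW_DOMAIN_DAYS = 90                       # registered within this many days is suspicious
MAX_SCREENSAVER_BYTES = 5 * 1024 * 1024    # a legitimate .scr is normally far smaller
EXECUTABLE_EXTS = {".scr", ".exe", ".pif", ".com", ".dll", ".bat", ".cmd"}


def sha256_of(path: str, chunk: int = 1 << 20) -> str:
    """Stream-hash a file so large samples never have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def defang(ip: str) -> str:
    """Render an indicator the way the thread does (185[.]147[.]125[.]81)."""
    return ip.replace(".", "[.]")


def triage(domain_age_days: int, password_protected: bool, paths: list) -> dict:
    """Score an 'offer' by the lure indicators; returns flags, hashes and a verdict."""
    flags = []
    if domain_age_days < NEW_DOMAIN_DAYS:
        flags.append(f"sender domain registered {domain_age_days} days ago")
    if password_protected:
        flags.append("password-protected archive (hides contents from mail/AV scanning)")
    hashes = {}
    for p in paths:
        name, ext = os.path.basename(p), os.path.splitext(p)[1].lower()
        size = os.path.getsize(p)
        hashes[name] = sha256_of(p)             # paste this into VirusTotal search
        if ext in EXECUTABLE_EXTS:
            flags.append(f"{name}: executable extension {ext}")
        if ext == ".scr" and size > MAX_SCREENSAVER_BYTES:
            flags.append(f"{name}: {size // (1024 * 1024)} MB is far too large for a screensaver")
    return {"flags": flags, "sha256": hashes, "verdict": "suspicious" if flags else "no indicators"}


def build_sample(size: int = 88 * 1024 * 1024) -> str:
    """Constructed stand-in for 'Advertising.scr': a sparse file of the same size."""
    path = os.path.join(tempfile.mkdtemp(), "Advertising.scr")
    with open(path, "wb") as fh:
        fh.seek(size - 1)
        fh.write(b"\0")
    return path
```

Running `triage(29, True, [build_sample()])` reproduces the thread's three red flags and yields the hash to look up; on a real archive, pass the extracted file paths instead.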
🎉Students aspiring to become SOC Analysts, listen up! 🎉
Are you looking for training or certs while saving $$? Here are 10 resources with student discounts on training, labs, and certs to help you build your skills and put you closer to becoming a SOC analyst! 🧵👇
1️⃣ TryHackMe: The SOC Analyst path will help with your analytical & investigative skills. Students get 20% off! 🚨 help.tryhackme.com/en/articles/64…
2️⃣ CyberDefenders: Training platform that is tailored for SOC analysts! Test out your skills by tackling practical labs or try your hands on their certification. Offers a 20% student discount.