Profile picture
MalwareHunterTeam
@malwrhunterteam
, 12 tweets, 5 min read Read on Twitter
Just noticed some big campaigns using @facebook's CDN...
👏
Smart from actors, as AV companies won't block their CDN.
😟
cc @GossiTheDog @x0rz
So, in past days Brazilian people got this in email.
Of course, the link not points to a file on gov website, but to a file on FB's CDN...
Here is the link: virustotal.com/en/url/85110e6…
Not only it comes from FB's CDN, but comes over HTTPS.
You can see, after 30 hours, still FUD...
Right now, the file is still available on the CDN.
If it would taken down eventually, here is the file: virustotal.com/en/file/1faa46…
Detections:
In less than 24h, more than 200.000 people opened the emails from Brazil.
And that number is the very least, likely lots more...
cc @certbr
The sample is a link file which runs PowerShell, to download a PowerShell script (also over HTTPS) and invokes it...
They are serious actors for sure.
APT?
If you are not from Brazil, all you get is an empty dll: virustotal.com/en/file/8ff95b…
cc @JAMESWT_MHT
If you are from Brazil, the response is this PowerShell script (on screenshot).
The loader dll has only 1 detection: virustotal.com/en/file/41e463…
Loader will dl some files (obviously).
Also has checks like specific things are installed or not, checks (IP) if running in BR or not, etc.
I will continue working on this later, I have something other to do in next hours...
So, got some more of the files, etc... But some things are missing, so can't continue.
Probably as campaign is over, they changed something.
But based on @ESET_Brasil's article (), final payload would be (or include) a banker. But ofc, can't tell for sure.
Missing some Tweet in this thread?
You can try to force a refresh.

Like this thread? Get email updates or save it to PDF!

Subscribe to MalwareHunterTeam
Profile picture

Get real-time email alerts when new unrolls are available from this author!

This content may be removed anytime!

Twitter may remove this content at anytime, convert it as a PDF, save and print for later use!

Try unrolling a thread yourself!

how to unroll video

1) Follow Thread Reader App on Twitter so you can easily mention us!

2) Go to a Twitter thread (series of Tweets by the same owner) and mention us with a keyword "unroll" @threadreaderapp unroll

You can practice here first or read more on our help page!

More from @malwrhunterteam see all

Profile picture
MalwareHunterTeam
@malwrhunterteam
Absolutely unbelievable... today we was going through some JM actors' data... And we found... see what we found.
Poor Marriott I should say?
Just as in past year said, @DanielGallagher should be contacted for details.
@0x7fff9
This infection was alive for ~3 months from the logs we have.
Anyway, it wasn't as serious as the previous one we found (this was only a "random" supervisor it seems), but still...
Imagine after more than a year of finding an infection by NG actors, you find one by JM actors... What could be next?
🤔
😂
Read 3 tweets
Profile picture
MalwareHunterTeam
@malwrhunterteam
Let me tell a quick tale...
A football asks for all type of bad things.
After all what he asked happened, he gets angry and cries, why all these things happened w/ him.
Then, even before finishing the cry, he asks for another bunch of bad things.
Of course, these all will happen.
And repeat this infinitely.
Read 7 tweets

Related threads

Profile picture
🎄🔶🌸❄️Sakura To Yuki No Seirei❄️🌸🦋⚢⚧
@SakuraNoSeirei
So, I've waded through the Evangelical Alliance's new pastoral "guidelines" for interacting with trans people (ughh, the things I do to expose #transphobic #ciswits to the world), and let's just say it's time to tear this particular sh*t-bag a new hole.

1/n
CW: #Transphobia, #ConversionTherapy, #Zucker, #Religiously #driven #zealotry

2/n
So, straight off the bat, first page of text, the use of #language is . . . well, yeah, see for yourself:

"It is important to remember that transgender is not simply an issue to be debated;" - p5, #Transformed

*sigh*

When such language gets reinforced by insisting...

3/n
Read 176 tweets
Profile picture
Alan Sarapa
@AlanSarapa
It's time for the #Cin thread. #Days #DOOL
Let's start with Ciara mentioning to Julie that Tripp was making a romantic dinner for her. #Cin #Days
"Ciara, that's wonderful. So you're possibly going to be getting that pussy beaten up tonight? Are you sure you're ready for that? You were raped two years ago. I know that pain and so do a shit ton of women on this show." #Cin #Days
Read 136 tweets
Profile picture
reydelaplaya
@reydelaplaya
#NetNeutrality regulations were set up by the previous administration to ensure that all data, all 1s & 0s traveling across the internet were treated equally and fairly - basically a utility like water and electricity - you pay for what you use or what’s included in your plan.1/x
Doing this prevented companies like Comcast and AT&T from messing with your data and internet experience - as both of those companies had been caught, prior to #NetNeutrality, either throttling, or blocking certain websites. 2/x
I can attest personally to the AT&T one since they are my own carrier, and have been for almost 20 years. They promised us unlimited data on our iPhone packages when it first came out, then they started throttling our speeds because we were actually using it. 3/x
Read 11 tweets
Profile picture
Fatemeh Khatibloo
@fatemehx2
Incoming: Friday afternoon #Facebook / #GDPR tweetstorm, because this week has been pretty deflating for us #privacy wonks.

If you're European, you probably got an email from FB this week, with this subject line:

/1
"X, please accept our updated Terms by May 25 to continue using Facebook."

Now, let's talk about how non-compliant that subject line is. It suggest that failing to accept the new terms will result in account suspension. That's a problem.
#GDPR requires consent to be "freely given" and says that services can't be withheld just because the consumer doesn't consent to ALL THE TRACKING.

The last line of the email is "Please go to Facebook to review and accept the Terms" which reinforces the subject line threat.
Read 11 tweets
Profile picture
Sarah Eaglesfield
@zenxv
With all the concern over Facebook Privacy being highlighted with the recent Cambridge Analytica investigation, I thought I'd share some tips on how to 'clean up & crack down' on your Facebook profile. #CambridgeAnalyticaUncovered #Facebook
The obvious thing to do is shut down your profile. However, DEACTIVATING your profile does NOT delete your data. Facebook retain that in case you decide to return. This is an important distinction: if you just want to deactivate - Settings -> Manage Account -> Deactivate
If you want Facebook to delete your data, you need to go to facebook.com/help/delete_ac… - however you may want to archive your old photos and data before doing so, and to be doubly sure, you'll want to manually unlink the external apps and delete your posts and likes.
Read 12 tweets
Profile picture
Paula Chertok🗽
@PaulaChertok
50 million Facebook profiles harvested for Cambridge Analytica. Psych prof/developer Aleksandr Kogan accessed 270k FB users' data w his app, then collected their friends' data…& sold it all to Trump's data firm which used it to target ads in 2016 election theguardian.com/news/2018/mar/…
FB 2018: "We learned a psychology professor at the University of Cambridge named Dr. Aleksandr Kogan lied to us…by passing data from an app…using Facebook Login to SCL/Cambridge Analytica, a firm that does political, government… military work around the globe." FB knew in 2015
"purpose of Kogan’s work was to develop an algorithm for the 'national profiling capacity of American citizens' as part of SCL’s work on U.S. elections, according to an internal document signed by an SCL employee describing the research"– 3/2017 report theintercept.com/2017/03/30/fac…
Read 45 tweets

Trending hashtags

#Censorship #Facebook #Russian #Menatep #dog #MAGA #Russia #KGB #homophobic #Cadre #JaredKushner #DeleteFacebook #privacy #Putin #intersex #Fanpage #Religiously #bigots #Spotify #InformationWarfare #Kashmir #Parscale #ePrivacy #language #organisations

Did Thread Reader help you today?

Support us! We are indie developers!

This site is made by just three indie developers on a laptop doing marketing, support and development! Read more about the story.

Become a Premium Member and get exclusive features!

Premium member ($3.00/month or $30.00/year)

Too expensive? Make a small donation by buying us coffee ($5) or help with server cost ($10)

Donate via Paypal Become our Patreon

Thank you for your support!