Just noticed some big campaigns using @facebook's CDN...
👏
Smart from actors, as AV companies won't block their CDN.
😟
cc @GossiTheDog @x0rz

So, in past days Brazilian people got this in email.
Of course, the link not points to a file on gov website, but to a file on FB's CDN...

Here is the link: virustotal.com/en/url/85110e6…
Not only it comes from FB's CDN, but comes over HTTPS.
You can see, after 30 hours, still FUD...

Right now, the file is still available on the CDN.
If it would taken down eventually, here is the file: virustotal.com/en/file/1faa46…
Detections:

In less than 24h, more than 200.000 people opened the emails from Brazil.
And that number is the very least, likely lots more...
cc @certbr

The sample is a link file which runs PowerShell, to download a PowerShell script (also over HTTPS) and invokes it...

They are serious actors for sure.
APT?
If you are not from Brazil, all you get is an empty dll: virustotal.com/en/file/8ff95b…
cc @JAMESWT_MHT

If you are from Brazil, the response is this PowerShell script (on screenshot).
The loader dll has only 1 detection: virustotal.com/en/file/41e463…

Loader will dl some files (obviously).
Also has checks like specific things are installed or not, checks (IP) if running in BR or not, etc.

I will continue working on this later, I have something other to do in next hours...

So, got some more of the files, etc... But some things are missing, so can't continue.
Probably as campaign is over, they changed something.

But based on @ESET_Brasil's article (

External Tweet loading...
If nothing shows, it may have been deleted
by @cpuodzius view original on Twitter

), final payload would be (or include) a banker. But ofc, can't tell for sure.