, 12 tweets, 5 min read Read on Twitter
Just noticed some big campaigns using @facebook's CDN...
👏
Smart from actors, as AV companies won't block their CDN.
😟
cc @GossiTheDog @x0rz
So, in past days Brazilian people got this in email.
Of course, the link not points to a file on gov website, but to a file on FB's CDN...
Here is the link: virustotal.com/en/url/85110e6…
Not only it comes from FB's CDN, but comes over HTTPS.
You can see, after 30 hours, still FUD...
Right now, the file is still available on the CDN.
If it would taken down eventually, here is the file: virustotal.com/en/file/1faa46…
Detections:
In less than 24h, more than 200.000 people opened the emails from Brazil.
And that number is the very least, likely lots more...
cc @certbr
The sample is a link file which runs PowerShell, to download a PowerShell script (also over HTTPS) and invokes it...
They are serious actors for sure.
APT?
If you are not from Brazil, all you get is an empty dll: virustotal.com/en/file/8ff95b…
cc @JAMESWT_MHT
If you are from Brazil, the response is this PowerShell script (on screenshot).
The loader dll has only 1 detection: virustotal.com/en/file/41e463…
Loader will dl some files (obviously).
Also has checks like specific things are installed or not, checks (IP) if running in BR or not, etc.
I will continue working on this later, I have something other to do in next hours...
So, got some more of the files, etc... But some things are missing, so can't continue.
Probably as campaign is over, they changed something.
But based on @ESET_Brasil's article (), final payload would be (or include) a banker. But ofc, can't tell for sure.
Missing some Tweet in this thread?
You can try to force a refresh.

Like this thread? Get email updates or save it to PDF!

Subscribe to MalwareHunterTeam
Profile picture

Get real-time email alerts when new unrolls are available from this author!

This content may be removed anytime!

Twitter may remove this content at anytime, convert it as a PDF, save and print for later use!

Try unrolling a thread yourself!

how to unroll video

1) Follow Thread Reader App on Twitter so you can easily mention us!

2) Go to a Twitter thread (series of Tweets by the same owner) and mention us with a keyword "unroll" @threadreaderapp unroll

You can practice here first or read more on our help page!

Did Thread Reader help you today?

Support us! We are indie developers!


This site is made by just three indie developers on a laptop doing marketing, support and development! Read more about the story.

Become a Premium Member and get exclusive features!

Premium member ($3.00/month or $30.00/year)

Too expensive? Make a small donation by buying us coffee ($5) or help with server cost ($10)

Donate via Paypal Become our Patreon

Thank you for your support!