Fake Facebook reported photo scam delivering malware
I have no idea at this time what malware is being delivered with this campaign. However, it is abusing Microsoft, Google and Amazon AWS services. When I first saw the email, I thought it was likely to be a phishing email, so I was quite surprised when the link delivered a zip file.
The email is all in Portuguese. It pretends to come from your own email address but is coming from www-data@zwzcvmz17pmr3k3.d2pou50uofcu5f3q45lfq2s31h.ex.internal.cloudapp.net
The email looks like:
Facebook Inc.
Caro Usuário,
Alguém denunciou uma foto em seu álbum do Facebook recentemente.
Dados da imagem denunciada: IMG-20161224-WA0023.jpg – Data: 25/10/2018 ás 08:00
Uma imagem do seu álbum foi acusada de conter conteúdo impróprio, se você discorda que o conteúdo seja improprio ou pornográfico, acesse o link e remova a marcação de violação ou improbidade.
Ao acessar o link você terá acesso ao usuário que denunciou seu álbum.
Faça login pelo link abaixo para retirar a marcação de violação imediatamente.
VISUALIZAR IMAGEM DENUNCIADA
INFORMAÇÕES DO DENUNCIANTE
This translates to:
Facebook Inc.
Dear User,
Someone recently reported a photo in your Facebook album.
Details of the reported image: IMG-20161224-WA0023.jpg - Date: 10/25/2018 at 08:00
An image of your album has been accused of containing inappropriate content, if you disagree that the content is improper or pornographic, access the link and remove the mark of violation or impropriety.
By accessing the link you will have access to the user who reported your album.
Sign in at the link below to remove the violation mark immediately.
VIEW REPORTED IMAGE
REPORTER INFORMATION
All the links in the email go to https://storage.googleapis.com/get-facebook-verified/get-facebook-verified.html, which silently redirects you to http://ec2-18-231-188-208.sa-east-1.compute.amazonaws.com/hits/download.php, where a zip file is downloaded.
This zip contains another identically named zip that finally extracts to IMG-20161224-WA0023.exe (VirusTotal | Any.Run | Hybrid Analysis). That is as far as I get, and none of the sandboxes identify it. All I can see is connections to Google Groups in the Any.Run report. Hopefully one of my contacts will soon identify it and tell me what it does.
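A triage check for the nested-zip delivery described above, added here as an example and not part of the original post or any of the sandbox tools it links: it walks zips inside zips and flags executables that carry a WhatsApp-style photo name or a PE (MZ) header. The archive it inspects is a constructed stand-in for the real sample, with the same file names and a dummy MZ stub.

```python
import io
import re
import zipfile

# Constructed sample: an outer zip holding an identically named inner zip,
# which holds an .exe named like a WhatsApp photo, as in the campaign above.
WHATSAPP_IMAGE_NAME = re.compile(r"^IMG-\d{8}-WA\d{4}\.(exe|scr|js|vbs|jar)$", re.I)
MZ_HEADER = b"MZ"


def build_sample_archive() -> bytes:
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as z:
        # Dummy PE stub: MZ signature followed by padding, not a real binary.
        z.writestr("IMG-20161224-WA0023.exe", MZ_HEADER + b"\x90" * 64)
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w") as z:
        z.writestr("IMG-20161224-WA0023.zip", inner.getvalue())
    return outer.getvalue()


def inspect_archive(data: bytes, depth: int = 0, max_depth: int = 3) -> list:
    """Recursively walk nested zips and return human-readable findings."""
    findings = []
    indent = "  " * depth
    if depth > max_depth:
        return [f"{indent}nesting deeper than {max_depth} levels (possible analysis evasion)"]
    try:
        archive = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return [f"{indent}entry has .zip extension but is not a valid zip"]
    with archive:
        for info in archive.infolist():
            name = info.filename
            base = name.rsplit("/", 1)[-1]
            payload = archive.read(name)
            if name.lower().endswith(".zip"):
                findings.append(f"{indent}nested zip: {name}")
                findings += inspect_archive(payload, depth + 1, max_depth)
                continue
            if WHATSAPP_IMAGE_NAME.match(base):
                findings.append(f"{indent}image-style name with executable extension: {name}")
            if payload[:2] == MZ_HEADER:
                findings.append(f"{indent}PE (MZ) header in: {name}")
    return findings


if __name__ == "__main__":
    for line in inspect_archive(build_sample_archive()):
        print(line)
```

Point `inspect_archive` at the bytes of a quarantined attachment to get the same findings for a real sample.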