Fake Facebook reported photo scam delivering malware

My Online Security Posted on 25 October 2018 6:37 pm by  
Share This with your friends and contacts. Help THEM to stay safe:

I have no idea at this time what malware is being delivered with this campaign. However it is abusing  Microsoft,  Google  and Amazon AWS services. When I first saw the email, I thought it was likely to be a phishing email, so was quite surprised when the link delivered a zip file.

The email is all in Portuguese. It pretends to come from your own email address but is coming from www-data@zwzcvmz17pmr3k3.d2pou50uofcu5f3q45lfq2s31h.ex.internal.cloudapp.net  

Email looks like

Facebook Inc.
Caro Usuário,

Alguém denunciou uma foto em seu álbum do Facebook recentemente.

Dados da imagem denunciada: IMG-20161224-WA0023.jpg – Data: 25/10/2018 ás 08:00

Uma imagem do seu álbum foi acusada de conter conteúdo impróprio, se você discorda que o conteúdo seja improprio ou pornográfico, acesse o link e remova a marcação de violação ou improbidade.

Ao acessar o link você terá acesso ao usuário que denunciou seu álbum.

Faça login pelo link abaixo para retirar a marcação de violação imediatamente.

VISUALIZAR IMAGEM DENUNCIADA

INFORMAÇÕES DO DENUNCIANTE

This Translates to :

Facebook Inc.
Dear User,

Someone reported a photo on their Facebook album recently.

Data of the denounced image: IMG-20161224-WA0023.jpg - Date: 10/25/2018 at 08:00

An image of your album has been accused of containing inappropriate content, if you disagree that the content is improper or pornographic, access the link and remove the mark of violation or impropriety.

By accessing the link you will have access to the user who reported your album.

Sign in at the link below to remove the violation mark immediately.

VIEW DENOUNCED IMAGE
  


DENOMINANT INFORMATION
Fake Facebook email

Fake Facebook email

All the links in the email go to https://storage.googleapis.com/get-facebook-verified/get-facebook-verified.html where you are silently redirected to http://ec2-18-231-188-208.sa-east-1.compute.amazonaws.com/hits/download.php  where a zip file is downloaded.

This zip contains another identically named zip that finally extracts to IMG-20161224-WA0023.exe Virus Total | Anyrun | Hybrid Analysis.  That is as far as I get and none of the sandboxes identify it. All I can see is connections to Google groups in the anyrun report. Hopefully one of my contacts will soon identify it & tell me what it does.

Share This with your friends and contacts. Help THEM to stay safe:

Comments

Fake Facebook reported photo scam delivering malware — No Comments

Leave a Reply

Your e-mail address will not be published. Required fields are marked *