BREX_FEBIPOS.OKZ

This backdoor arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites. It arrives as a component bundled with malware/grayware packages. It may be manually installed by a user.

It executes commands from a remote malicious user, effectively compromising the affected system. It connects to a website to send and receive information.

Arrival Details

This backdoor arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

It arrives as a component bundled with malware/grayware packages.

It may be manually installed by a user.

Backdoor Routine

This backdoor executes the following commands from a remote malicious user:

• Update status (Facebook)
• Post comments (Facebook)
• Post to friend's wall (Facebook)
• Like pages (Facebook)
• Follow account (Facebook)
• Send messages and links via chat (Facebook)
• Post messages (Facebook)
• Tagged friends (Facebook)
• Join a group (Facebook)
• Delete cookies

It connects to the following websites to send and receive information:

• {BLOCKED}s.{BLOCKED}g.us/widget/brasilgeral.pnh
• {BLOCKED}s.{BLOCKED}g.us/widget/fbbrstoreo.pnh
• http://{BLOCKED}rais.info/sqlvarbr.php
• http://{BLOCKED}rais.info/decaptcha/makejpg.php
• http://{BLOCKED}rais.info/decaptcha/xtracpnovo.php
• http://{BLOCKED}rais.info/error/report.php
• http://{BLOCKED}rais.info/linkpool/insertlink.php

NOTES:
This backdoor injects in pages which contains the following strings:

• *://*.facebook.com/*
• *://*.twitter.com/*
• *://*.google.com/*
• *://*.youtube.com/*