Krita.io scam part two. After the first attempt tried to get us to download an obscure media pack containing .scr files, another approach is now making the rounds.
The new email is basically a new version of the old scam I made a video about:
The new email is slightly different:
Advertising on a paid basis
Greetings, take a moment of your time with my message, thank you. Krita team wants to promote their product in your media space.
Krita is an application for image creation and image manipulation. We focus on painting, illustration, concept art and other creative work. This is a short and incomplete list of the most important features Krita provides. Krita provides an OpenGL based canvas in addition to an unaccelerated canvas.
We would like to consider integrating a 30-45 second promo into your media space (Facebook, Instagram, YouTube), can we consider that?
Cheers, Krita – Digital Painting Studio
As you can see, there is no download link. Where is the scam?
The scammers want you to reply to the email. If you reply, you get another email with the download.
So there is our download: a “tar.zip” file, which is strange enough.
So let us start the virtual machine to have a closer look at the file. The installer looks normal.
So let us do an online virus check with VirusTotal.com. Only two scanners flag the file as malicious.
So let's start the application. Of course the installer is not signed, and we get a warning. The original installer is signed by the Krita Foundation. But we start it anyway.
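The three red flags above (an odd double extension, a hash worth checking against VirusTotal, and a missing Authenticode signature) can be checked before anything is executed. The following is an added example of such a triage script; it is not code from the original post, and it does not validate a signature cryptographically, it only checks whether the PE's security data directory (index 4, IMAGE_DIRECTORY_ENTRY_SECURITY) points at an embedded certificate table. The sample PE it builds is a constructed header-only image for demonstration; the file names used in the usage lines are made up.

```python
"""Attachment triage helpers (added example, not the original post's code).

- name_findings():  flags executable and double-archive extensions such as .scr or .tar.zip
- has_authenticode_signature(): reports whether a PE carries an embedded certificate table
- triage(): combines both with a SHA-256 you can look up on VirusTotal
"""
import hashlib
import struct

SUSPICIOUS_EXTS = {".scr", ".exe", ".pif", ".com", ".bat", ".cmd", ".js", ".vbs", ".lnk", ".hta"}
ARCHIVE_EXTS = {".zip", ".rar", ".7z", ".tar", ".gz"}
SECURITY_DIR_INDEX = 4  # IMAGE_DIRECTORY_ENTRY_SECURITY


def name_findings(filename):
    """Return human-readable reasons why an attachment name looks suspicious."""
    findings = []
    parts = filename.lower().rsplit("/", 1)[-1].split(".")
    if len(parts) < 2:
        return findings
    exts = ["." + p for p in parts[1:]]
    last = exts[-1]
    if last in SUSPICIOUS_EXTS:
        findings.append(f"executable extension {last}")
    if len(exts) >= 2 and exts[-2] in ARCHIVE_EXTS and last in ARCHIVE_EXTS:
        findings.append(f"double archive extension {exts[-2]}{last}")
    if len(exts) >= 2 and last in SUSPICIOUS_EXTS:
        findings.append("executable hidden behind another extension")
    return findings


def has_authenticode_signature(data):
    """True if the PE's security directory references a certificate table.
    Presence only: a real verification needs signtool / Get-AuthenticodeSignature."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not a DOS/PE image")
    pe_off = struct.unpack_from("<I", data, 0x3C)[0]          # e_lfanew
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("PE signature missing")
    coff = pe_off + 4
    size_opt = struct.unpack_from("<H", data, coff + 16)[0]    # SizeOfOptionalHeader
    opt = coff + 20
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == 0x10B:        # PE32
        n_dirs_off, dirs_off = opt + 92, opt + 96
    elif magic == 0x20B:      # PE32+
        n_dirs_off, dirs_off = opt + 108, opt + 112
    else:
        raise ValueError("unknown optional header magic")
    n_dirs = struct.unpack_from("<I", data, n_dirs_off)[0]
    if n_dirs <= SECURITY_DIR_INDEX or dirs_off + 8 * (SECURITY_DIR_INDEX + 1) > opt + size_opt:
        return False
    # For the security directory the "VirtualAddress" is a raw file offset.
    va, size = struct.unpack_from("<II", data, dirs_off + 8 * SECURITY_DIR_INDEX)
    return va != 0 and size != 0 and va + size <= len(data)


def triage(filename, data):
    """Hash the attachment and collect all findings for it."""
    findings = name_findings(filename)
    if data[:2] == b"MZ":
        try:
            if not has_authenticode_signature(data):
                findings.append("PE has no embedded Authenticode signature")
        except ValueError as exc:
            findings.append(f"malformed PE: {exc}")
    return {"sha256": hashlib.sha256(data).hexdigest(), "findings": findings}


def build_minimal_pe(signed):
    """Construct a header-only PE32 image for testing (constructed sample, no code).
    With signed=True a dummy WIN_CERTIFICATE blob is appended and referenced."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                   # e_lfanew
    opt_size = 96 + 16 * 8                                     # PE32 header + 16 data directories
    coff = struct.pack("<HHIIIHH", 0x14C, 0, 0, 0, 0, opt_size, 0x102)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x10B)                      # PE32 magic
    struct.pack_into("<I", opt, 92, 16)                        # NumberOfRvaAndSizes
    cert = struct.pack("<IHH", 16, 0x0200, 0x0002) + b"\x00" * 8  # dummy WIN_CERTIFICATE
    cert_off = 0x40 + 4 + 20 + opt_size
    if signed:
        struct.pack_into("<II", opt, 96 + 8 * SECURITY_DIR_INDEX, cert_off, len(cert))
    image = bytes(dos) + b"PE\0\0" + coff + bytes(opt)
    return image + cert if signed else image


if __name__ == "__main__":
    print(name_findings("krita_promo.tar.zip"))      # made-up name
    print(triage("setup.exe", build_minimal_pe(False)))
```

The hash in the `triage` result is what you would paste into VirusTotal instead of uploading the sample, and the extension heuristics are deliberately simple; they exist to make an analyst pause, not to replace a scanner.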
The installation process looks normal, it seems to install Krita on our hard drive.
At the end we are prompted to start the application, however it fails with an error message.
This item was encoded in a format that’s not supported
The .exe file the installer tries to run is the “@Krita_Soft.exe” in the application’s folder.
So basically, once you run this file your system is infected. If we analyze the .exe file with VirusTotal we get more results:
Interestingly enough, the scamware also has some protection added: if analysis software such as “procmon” is running, the malware refuses to start.