The Krita.io scam keeps going, so it is time for an update.
The basic structure of the scam is still the same: you get an email offering you a paid promotion deal for your YouTube channel.
The mail looks like this:
Welcome to Krita
Hey, take a moment of your time for my message, thank you. The Krita team wants to promote their product in your media space.
Sometimes the email already contains a download link to some sort of media bank, which holds the malware, but often you have to reply first. So I did, and I got the following offer.
Thank you for your interest in promoting Krita, we appreciate your support. Briefly, we are considering the following promotion option: 30-45 second mention on your YouTube video, Facebook post, Instagram Story.
How much does 30-45 seconds of video on your YT channel cost? (Instagram Story, Facebook post)
The reply contains the download links, currently hosted on “getkrita.com”; earlier waves used “krita.io” and “krita.app”.
Malware analysis
So let’s have a look at the downloads. In general, I do not recommend clicking the links or downloading anything; just delete the email and you are fine. Since the question came up at which point the system is in danger: downloading and unzipping the archive is usually safe by itself (do it in a virtual machine anyway). Your system gets infected when you run one of the executable files from the download.
Krita installer
OK, let us look at the first download, the Krita “installer”. A first check on VirusTotal.com reveals that it is not the official installer.
The results for the “Krita installer” are currently quite alarming: at the moment only one antivirus engine flags it as malicious.
Analysis of the media bank files
The media bank contains several folders and files.
The malware is hidden in the video and promotion folder.
There is one video file and several .scr files. .scr files are Windows screensaver files, which are really just .exe files (PE executables) with a different extension; double-clicking one runs it like any other program.
The .scr files give a different result; more scanners flag them as malicious:
But still, a lot of scanners do not consider the files suspicious yet.
Running the software in Windows
I use a Windows virtual machine to run the software. I do not recommend doing this on your real system, of course. But let us see what happens.
The fake Krita installer is not signed, whereas the original installer is.
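The two checks above (renamed .scr executables in the media bank, and the missing signature on the installer) can be done offline before anything is executed. The following Python script is an added example and is not part of the original post: it walks an unpacked download, computes the SHA-256 of every file to look up on VirusTotal, detects PE executables by their MZ/PE header regardless of extension, and reports whether a PE carries an Authenticode signature blob at all. It only checks that the security data directory is populated, it does not validate the signature chain (use signtool or Get-AuthenticodeSignature for that). The file names and the minimal PE images it builds for demonstration (build_minimal_pe) are constructed samples, not files from the scam.

```python
# Added example, not from the original post: offline triage of an unpacked
# "media bank" or fake installer. It (1) computes the SHA-256 to look up on
# VirusTotal, (2) detects PE executables by their MZ/PE header regardless of
# extension (a .scr is just a renamed .exe), and (3) reports whether the PE
# carries an Authenticode signature blob at all. Presence only: it does not
# verify the signature; use signtool or Get-AuthenticodeSignature for that.
import hashlib
import os
import struct
import sys

PE_EXTENSIONS = {".exe", ".scr", ".dll", ".sys", ".cpl", ".ocx"}  # run as PE images
IMAGE_DIRECTORY_ENTRY_SECURITY = 4   # data directory index of the Authenticode blob


def pe_header_offset(data: bytes):
    """Offset of the 'PE\\0\\0' signature, or None if this is not a PE image."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return None
    return e_lfanew


def is_pe(data: bytes) -> bool:
    return pe_header_offset(data) is not None


def authenticode_directory(data: bytes):
    """(file offset, size) of the security directory; (0, 0) when the image is
    unsigned; None when the file is not a PE32/PE32+ image."""
    pe = pe_header_offset(data)
    if pe is None:
        return None
    (size_of_opt,) = struct.unpack_from("<H", data, pe + 20)  # SizeOfOptionalHeader
    opt = pe + 24                      # optional header follows the 20-byte COFF header
    if opt + 2 > len(data):
        return None
    (magic,) = struct.unpack_from("<H", data, opt)
    if magic == 0x10B:                 # PE32: NumberOfRvaAndSizes @92, directories @96
        num_dirs_off, dirs_off = 92, 96
    elif magic == 0x20B:               # PE32+: @108 and @112
        num_dirs_off, dirs_off = 108, 112
    else:
        return None
    if opt + num_dirs_off + 4 > len(data):
        return (0, 0)                  # truncated header, treat as unsigned
    (num_dirs,) = struct.unpack_from("<I", data, opt + num_dirs_off)
    entry = opt + dirs_off + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY
    if num_dirs <= IMAGE_DIRECTORY_ENTRY_SECURITY or entry + 8 > min(opt + size_of_opt, len(data)):
        return (0, 0)
    return struct.unpack_from("<II", data, entry)  # for this entry the "RVA" is a file offset


def triage_bytes(name: str, data: bytes) -> dict:
    """Triage one file; 'suspicious' means a PE that does not belong in a media pack."""
    ext = os.path.splitext(name)[1].lower()
    pe = is_pe(data)
    sec = authenticode_directory(data) if pe else None
    return {
        "name": name,
        "sha256": hashlib.sha256(data).hexdigest(),   # paste this into VirusTotal
        "is_pe": pe,
        "suspicious": pe and (ext == ".scr" or ext not in PE_EXTENSIONS),
        "has_authenticode_blob": bool(sec and sec[1] > 0),
    }


def triage_directory(root: str) -> list:
    """Walk an unpacked download and triage every file in it."""
    results = []
    for dirpath, _, files in os.walk(root):
        for fn in files:
            path = os.path.join(dirpath, fn)
            with open(path, "rb") as f:
                results.append(triage_bytes(os.path.relpath(path, root), f.read()))
    return results


def build_minimal_pe(signed: bool) -> bytes:
    """Constructed sample (not a real binary): a bare PE32 header, optionally with a
    64-byte dummy blob referenced from the security directory."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    coff = struct.pack("<HHIIIHH", 0x14C, 0, 0, 0, 0, 224, 0x102)  # i386, 224-byte opt hdr
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)      # PE32 magic
    struct.pack_into("<I", opt, 92, 16)        # NumberOfRvaAndSizes
    blob = b""
    if signed:
        blob = b"\x30\x82" + b"\0" * 62        # dummy PKCS#7-looking blob
        sig_offset = e_lfanew + 4 + 20 + 224   # blob sits right after the headers
        struct.pack_into("<II", opt, 96 + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY, sig_offset, len(blob))
    return dos + b"PE\0\0" + coff + bytes(opt) + blob


if __name__ == "__main__":
    if len(sys.argv) > 1:                      # e.g. python triage.py ./media_bank
        rows = triage_directory(sys.argv[1])
    else:                                      # no path given: run on constructed samples
        rows = [triage_bytes("Promo.scr", build_minimal_pe(False)),
                triage_bytes("krita-setup.exe", build_minimal_pe(True)),
                triage_bytes("clip.mp4", b"\x00\x00\x00\x18ftypmp42")]
    for r in rows:
        print(f"{r['name']:<20} pe={r['is_pe']!s:<5} signed_blob={r['has_authenticode_blob']!s:<5} "
              f"suspicious={r['suspicious']!s:<5} sha256={r['sha256'][:16]}...")
```

Run it against the unzipped media bank folder; every row with pe=True is something that will execute when double-clicked, whatever its icon or extension suggests, and a legitimate vendor installer will normally show signed_blob=True. A populated security directory still only says a signature is attached, so confirm the signer on the real installer with signtool verify or Get-AuthenticodeSignature before trusting it.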
The next steps of the installation process look normal.
After installation, a file from the installation folder, “@Krita_Soft.exe”, is executed. This file contains the malware.
After it starts, an error message appears, and by then your system is most likely infected.
This application could not be started
A similar message appears when we run the .scr files from the media bank.
This item was encoded in a form that’s not supported
It looks as if the software is not running; however, both processes keep running in the background afterwards (visible in Task Manager or Process Explorer):
The end
The best thing is to be careful with these mails. Currently they do not only come as “Krita”, but also under other labels such as BlackMagic and FxSound. If an offer is too good to be true, it most likely is.
Update: Cakewalk Business Request
A similar request arrived today from “Cakewalk”, making the same offer. The basic mechanism is unchanged: download our software and install it.
So be careful.