Another scam targeting YouTubers, TikTok users and other social media influencers in the name of Nike.
I recently received an email from “Nike” offering a cooperation and a lot of money. This email is of course not from Nike itself. It’s an old trick to lure you into downloading malware from the internet and running it.
The email offers a cooperation: just integrate something from the catalog (which you have to download) and get $1000 or more.
Start working with a major sportswear brand, promote our products and become the face of the company
In general, it is best to just delete the email. Do not download anything or click any of the links.
Video promotion of Nike clothing
We offer the opportunity to promote our clothing brand by publishing video content on YouTube and TikTok, if you have any audience, this is a great opportunity to reveal yourself in the field of advertising
Download the file
However, that is what we’re going to do, since we want to find out what is behind the scam. The scam brings us to a download site (https://fromsmash.com). The download site is a service to exchange big files and is used by the scammers to host their files.
Extract the ZIP file and virus check
There you can download the ZIP file. The ZIP file contains several folders, mostly with images; however, there is an executable file in the main directory called “Presentation.exe”. Well, this looks suspicious.
The downloaded ZIP file was 1.6 MB in size. As you can see, the extracted file is much larger, around 554 MB. This is a very common trick: most users want to check files online with services like VirusTotal.com, and with a slow internet connection the upload might take a while.
But this will not stop us. After uploading and scanning, some scanners indicate that there might be something very wrong with the file, flagging it as malicious. However, as you can see, most of the scanners currently do not detect anything. So local antivirus software is in most cases of no help until the vendor has updated the malware signatures.
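As an added example (not part of the original post), the size mismatch described above can be checked before anything is extracted: this sketch reads the ZIP directory, flags executables whose uncompressed size is far larger than their compressed size, and streams a SHA-256 that can be searched on VirusTotal instead of uploading the large file. The function names, extension list, threshold and the sample archive are assumptions constructed for illustration.

```python
import hashlib
import io
import zipfile

EXEC_EXT = (".exe", ".scr", ".com", ".dll", ".msi", ".bat", ".cmd", ".vbs", ".lnk")
RATIO_LIMIT = 50  # assumed threshold; the archive in this post is about 346:1 overall


def triage_zip(source):
    """Inspect a ZIP (path or file object) without writing any entry to disk."""
    findings = []
    with zipfile.ZipFile(source) as zf:
        for info in zf.infolist():
            if info.is_dir() or not info.filename.lower().endswith(EXEC_EXT):
                continue
            ratio = info.file_size / max(info.compress_size, 1)
            sha256 = hashlib.sha256()
            with zf.open(info) as fh:  # streamed in memory, never extracted
                for chunk in iter(lambda: fh.read(1 << 20), b""):
                    sha256.update(chunk)
            findings.append({
                "name": info.filename,
                "compressed": info.compress_size,
                "uncompressed": info.file_size,
                "ratio": round(ratio, 1),
                "padded": ratio >= RATIO_LIMIT,
                "sha256": sha256.hexdigest(),
            })
    return findings


def build_sample():
    """Constructed sample: one image-like entry plus a stub padded with zero bytes."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("images/catalog1.jpg", bytes(range(256)) * 40)
        zf.writestr("Presentation.exe",
                    b"MZ" + b"stub" * 500 + b"\x00" * (5 * 1024 * 1024))
    buf.seek(0)
    return buf


if __name__ == "__main__":
    for f in triage_zip(build_sample()):
        flag = "SUSPICIOUS: inflated executable" if f["padded"] else "executable"
        print(f"{f['name']}: {f['compressed']} -> {f['uncompressed']} bytes "
              f"({f['ratio']}:1) {flag}\n  sha256={f['sha256']}")
```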
Run the malware in Windows
Now let us run the malware in Windows. Of course, don’t do that on your Windows machine. I will do that on a throwaway virtual machine with no internet connection.
A window opens and nothing more happens. However, there is a link in the title bar of the application.
If we open the link in the Linux virtual machine, we see several files, some .txt file the application most likely tries to download and also an “instal.exe”.
My best guess is that “Presentation.exe” tries to download the real malware installer from that location. If we download the file, we get very clear results.
At least when trying to download this file in the Windows virtual machine, Windows Defender kicks in and prevents the download.
Always be careful when receiving emails with promotions and offers requiring you to download anything from the internet. In most cases it is best to delete the mails. In all other cases, do a very thorough check of the file with online virus scanners like VirusTotal.com.