{"id":16132,"date":"2021-09-02T10:31:52","date_gmt":"2021-09-02T09:31:52","guid":{"rendered":"https:\/\/ekiwi-blog.de\/?p=16132"},"modified":"2021-09-02T10:52:02","modified_gmt":"2021-09-02T09:52:02","slug":"krita-io-scam-advertising-on-a-paid-basis","status":"publish","type":"post","link":"https:\/\/ekiwi-blog.de\/en\/16132\/krita-io-scam-advertising-on-a-paid-basis\/","title":{"rendered":"Krita.io Scam &#8211; Advertising on a paid basis"},"content":{"rendered":"<p>Krita.io scam part two. The first attempt tried to get us to download an obscure media pack containing .scr files; now a second approach is making the rounds.<\/p>\n<p><!--more--><\/p>\n<p>The new email is basically a new version of the old scam, which I covered in a video:<\/p>\n<p><iframe loading=\"lazy\" width=\"560\" height=\"315\" src=\"https:\/\/www.youtube.com\/embed\/IZ5y2U59HLA\" title=\"YouTube video player\" frameborder=\"0\" allow=\"accelerometer; autoplay; clipboard-write; encrypted-media; gyroscope; picture-in-picture\" allowfullscreen><\/iframe><\/p>\n<p>This time the email, again claiming to come from the Krita team, reads slightly differently:<\/p>\n<blockquote><p>\nAdvertising on a paid basis<\/p>\n<p>Greetings, take a moment of your time with my message, thank you. Krita team wants to promote their product in your media space.<\/p>\n<p>Krita is an application for image creation and image manipulation. We focus on painting, illustration, concept art and other creative work. This is a short and incomplete list of the most important features Krita provides. Krita provides an OpenGL based canvas in addition to an unaccelerated canvas.<\/p>\n<p>We would like to consider integrating a 30-45 second promo into your media space (Facebook, Instagram, YouTube), can we consider that? <\/p>\n<p>Cheers, Krita &#8211; Digital Painting Studio\n<\/p><\/blockquote>\n<p>As you can see, there is no download link. 
Where is the scam?<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" src=\"https:\/\/ekiwi-blog.de\/wp-content\/uploads\/2021\/09\/scam_1.png\" alt=\"\" width=\"634\" height=\"325\" class=\"aligncenter size-full wp-image-16133\" srcset=\"https:\/\/ekiwi-blog.de\/wp-content\/uploads\/2021\/09\/scam_1.png 634w, https:\/\/ekiwi-blog.de\/wp-content\/uploads\/2021\/09\/scam_1-300x154.png 300w\" sizes=\"auto, (max-width: 634px) 100vw, 634px\" \/><\/p>\n<p>The scammers want you to reply to the email. If you reply, you get another email, this time with the download.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" src=\"https:\/\/ekiwi-blog.de\/wp-content\/uploads\/2021\/09\/scam_2.png\" alt=\"\" width=\"499\" height=\"261\" class=\"aligncenter size-full wp-image-16135\" srcset=\"https:\/\/ekiwi-blog.de\/wp-content\/uploads\/2021\/09\/scam_2.png 499w, https:\/\/ekiwi-blog.de\/wp-content\/uploads\/2021\/09\/scam_2-300x157.png 300w\" sizes=\"auto, (max-width: 499px) 100vw, 499px\" \/><\/p>\n<p>So there is our download: a &#8220;tar.zip&#8221; file, which is odd enough in itself for a Windows installer.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" src=\"https:\/\/ekiwi-blog.de\/wp-content\/uploads\/2021\/09\/scam_3.png\" alt=\"\" width=\"500\" height=\"331\" class=\"aligncenter size-full wp-image-16137\" srcset=\"https:\/\/ekiwi-blog.de\/wp-content\/uploads\/2021\/09\/scam_3.png 500w, https:\/\/ekiwi-blog.de\/wp-content\/uploads\/2021\/09\/scam_3-300x199.png 300w\" sizes=\"auto, (max-width: 500px) 100vw, 500px\" \/><\/p>\n<p>So let us start a virtual machine to have a closer look at the file; a sample like this should never be opened on a real system. The installer looks normal at first glance.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" src=\"https:\/\/ekiwi-blog.de\/wp-content\/uploads\/2021\/09\/scam_4.png\" alt=\"\" width=\"197\" height=\"214\" class=\"aligncenter size-full wp-image-16139\" \/><\/p>\n<p>So let us do an online virus check with VirusTotal.com. 
Only two scanners flag the file as malicious. That is typical for a fresh sample: detections usually catch up days later, so a low VirusTotal score on its own is no proof that a file is clean.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" src=\"https:\/\/ekiwi-blog.de\/wp-content\/uploads\/2021\/09\/scam_5.png\" alt=\"\" width=\"676\" height=\"328\" class=\"aligncenter size-full wp-image-16141\" srcset=\"https:\/\/ekiwi-blog.de\/wp-content\/uploads\/2021\/09\/scam_5.png 676w, https:\/\/ekiwi-blog.de\/wp-content\/uploads\/2021\/09\/scam_5-300x146.png 300w\" sizes=\"auto, (max-width: 676px) 100vw, 676px\" \/><\/p>\n<p>So let&#8217;s run the installer. As expected, it is not signed, and we get a warning. The genuine installer is signed by the Krita Foundation, so the missing signature alone gives the fake away. But we start it anyway.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" src=\"https:\/\/ekiwi-blog.de\/wp-content\/uploads\/2021\/09\/scam_6.png\" alt=\"\" width=\"530\" height=\"408\" class=\"aligncenter size-full wp-image-16143\" srcset=\"https:\/\/ekiwi-blog.de\/wp-content\/uploads\/2021\/09\/scam_6.png 530w, https:\/\/ekiwi-blog.de\/wp-content\/uploads\/2021\/09\/scam_6-300x231.png 300w\" sizes=\"auto, (max-width: 530px) 100vw, 530px\" \/><\/p>\n<p>The installation process looks normal; it appears to install Krita on our hard drive.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" src=\"https:\/\/ekiwi-blog.de\/wp-content\/uploads\/2021\/09\/scam_7.png\" alt=\"\" width=\"632\" height=\"479\" class=\"aligncenter size-full wp-image-16145\" srcset=\"https:\/\/ekiwi-blog.de\/wp-content\/uploads\/2021\/09\/scam_7.png 632w, https:\/\/ekiwi-blog.de\/wp-content\/uploads\/2021\/09\/scam_7-300x227.png 300w\" sizes=\"auto, (max-width: 632px) 100vw, 632px\" \/><\/p>\n<p>At the end we are prompted to start the application, but it fails with an error message:<\/p>\n<blockquote><p>\nThis item was encoded in a format that&#8217;s not supported\n<\/p><\/blockquote>\n<p><img loading=\"lazy\" decoding=\"async\" src=\"https:\/\/ekiwi-blog.de\/wp-content\/uploads\/2021\/09\/scam_8.png\" alt=\"\" width=\"444\" height=\"199\" class=\"aligncenter size-full 
wp-image-16147\" srcset=\"https:\/\/ekiwi-blog.de\/wp-content\/uploads\/2021\/09\/scam_8.png 444w, https:\/\/ekiwi-blog.de\/wp-content\/uploads\/2021\/09\/scam_8-300x134.png 300w\" sizes=\"auto, (max-width: 444px) 100vw, 444px\" \/><\/p>\n<p>The .exe file the installer tries to run is &#8220;@Krita_Soft.exe&#8221; in the application&#8217;s folder.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" src=\"https:\/\/ekiwi-blog.de\/wp-content\/uploads\/2021\/09\/scam_9.png\" alt=\"\" width=\"668\" height=\"143\" class=\"aligncenter size-full wp-image-16149\" srcset=\"https:\/\/ekiwi-blog.de\/wp-content\/uploads\/2021\/09\/scam_9.png 668w, https:\/\/ekiwi-blog.de\/wp-content\/uploads\/2021\/09\/scam_9-300x64.png 300w\" sizes=\"auto, (max-width: 668px) 100vw, 668px\" \/><\/p>\n<p>So basically, once you run this file, your system is infected. If we submit the extracted .exe to VirusTotal rather than the installer, we get more detections:<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" src=\"https:\/\/ekiwi-blog.de\/wp-content\/uploads\/2021\/09\/scam_1_2t.png\" alt=\"\" width=\"842\" height=\"567\" class=\"aligncenter size-full wp-image-16151\" srcset=\"https:\/\/ekiwi-blog.de\/wp-content\/uploads\/2021\/09\/scam_1_2t.png 842w, https:\/\/ekiwi-blog.de\/wp-content\/uploads\/2021\/09\/scam_1_2t-300x202.png 300w, https:\/\/ekiwi-blog.de\/wp-content\/uploads\/2021\/09\/scam_1_2t-768x517.png 768w\" sizes=\"auto, (max-width: 842px) 100vw, 842px\" \/><\/p>\n<p>Interestingly enough, the malware also has some anti-analysis protection built in: if an analysis tool such as &#8220;procmon&#8221; is running, the program refuses to start.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" src=\"https:\/\/ekiwi-blog.de\/wp-content\/uploads\/2021\/09\/scam_1_1t.png\" alt=\"\" width=\"432\" height=\"175\" class=\"aligncenter size-full wp-image-16154\" srcset=\"https:\/\/ekiwi-blog.de\/wp-content\/uploads\/2021\/09\/scam_1_1t.png 432w, https:\/\/ekiwi-blog.de\/wp-content\/uploads\/2021\/09\/scam_1_1t-300x122.png 300w\" sizes=\"auto, 
(max-width: 432px) 100vw, 432px\" \/><\/p>","protected":false},"excerpt":{"rendered":"<p>Krita.io scam part two. After the first attempt wanted us to download an obscure media pack with .scr files, another<\/p>\n","protected":false},"author":1,"featured_media":13596,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1552],"tags":[1590,1591],"class_list":["post-16132","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-internet-en","tag-scam","tag-virus-en"],"_links":{"self":[{"href":"https:\/\/ekiwi-blog.de\/en\/wp-json\/wp\/v2\/posts\/16132","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/ekiwi-blog.de\/en\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/ekiwi-blog.de\/en\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/ekiwi-blog.de\/en\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/ekiwi-blog.de\/en\/wp-json\/wp\/v2\/comments?post=16132"}],"version-history":[{"count":0,"href":"https:\/\/ekiwi-blog.de\/en\/wp-json\/wp\/v2\/posts\/16132\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/ekiwi-blog.de\/en\/wp-json\/wp\/v2\/media\/13596"}],"wp:attachment":[{"href":"https:\/\/ekiwi-blog.de\/en\/wp-json\/wp\/v2\/media?parent=16132"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/ekiwi-blog.de\/en\/wp-json\/wp\/v2\/categories?post=16132"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/ekiwi-blog.de\/en\/wp-json\/wp\/v2\/tags?post=16132"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
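Two observations the post relies on, that only a couple of VirusTotal engines flag the fresh installer and that the fake installer carries no code signature while the genuine Krita build is signed by the Krita Foundation, can both be scripted as a first triage step before a sample ever goes into the VM. The following is an added example written for this page; it is not code from the post or from the Krita project. It parses the PE header directly (no third-party module) to find the Authenticode certificate table and computes the SHA-256 hash for a VirusTotal lookup. Because no real sample can be shipped here, the script constructs a minimal PE32+ stub in memory, with and without a dummy certificate blob, and runs against that; the stub builder, the constant name and the function names are all assumptions of this example.

```python
"""Added example, not code from the post or from the Krita project.

Two triage checks for a suspicious Windows installer, as discussed in the
post: the SHA-256 hash to look up on VirusTotal, and whether the PE even
carries an Authenticode signature blob (the fake installer does not; the
genuine Krita build is signed).  The PE header is parsed directly, so no
third-party module is needed, and a minimal PE32+ stub is constructed
inline so the script runs offline without a real sample.
"""
import hashlib
import struct

IMAGE_DIRECTORY_ENTRY_SECURITY = 4   # index of the certificate table


def sha256_hex(data: bytes) -> str:
    """Hash to search on VirusTotal (searching a hash does not upload the file)."""
    return hashlib.sha256(data).hexdigest()


def security_directory(data: bytes) -> tuple[int, int]:
    """Return (file offset, size) of the certificate table, (0, 0) if unsigned.

    Unlike other data directories, the security entry holds a raw file
    offset, not an RVA.  Raises ValueError when the input is not a PE file.
    """
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    opt_hdr = e_lfanew + 4 + 20              # skip signature + COFF header
    magic = struct.unpack_from("<H", data, opt_hdr)[0]
    if magic == 0x10B:                       # PE32
        dirs = opt_hdr + 96
    elif magic == 0x20B:                     # PE32+
        dirs = opt_hdr + 112
    else:
        raise ValueError(f"unknown optional header magic {magic:#x}")
    num_dirs = struct.unpack_from("<I", data, dirs - 4)[0]
    if num_dirs <= IMAGE_DIRECTORY_ENTRY_SECURITY:
        return (0, 0)
    return struct.unpack_from("<II", data, dirs + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY)


def has_authenticode_blob(data: bytes) -> bool:
    """True if a WIN_CERTIFICATE blob is present and lies inside the file.

    Presence only.  Whether the signature verifies, is timestamped and
    chains to the expected signer (here: the Krita Foundation) must still be
    checked with signtool or PowerShell's Get-AuthenticodeSignature.
    """
    off, size = security_directory(data)
    return off != 0 and size != 0 and off + size <= len(data)


def triage(data: bytes) -> dict:
    """The two facts you want before deciding whether to run a sample in a VM."""
    return {"sha256": sha256_hex(data), "signed": has_authenticode_blob(data)}


def build_stub_pe(signed: bool) -> bytes:
    """Constructed minimal PE32+ image: headers only, no code, no sections.

    With signed=True a dummy WIN_CERTIFICATE (revision 0x0200, type 0x0002
    = PKCS#7) is appended and referenced from the security directory.
    """
    e_lfanew = 0x40
    dos = bytearray(b"MZ" + b"\0" * (e_lfanew - 2))
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    # Machine=AMD64, 0 sections, SizeOfOptionalHeader=240, Characteristics
    coff = struct.pack("<HHIIIHH", 0x8664, 0, 0, 0, 0, 240, 0x22)
    opt = bytearray(240)                     # 112 fixed bytes + 16 directories
    struct.pack_into("<H", opt, 0, 0x20B)    # Magic: PE32+
    struct.pack_into("<I", opt, 108, 16)     # NumberOfRvaAndSizes
    header_len = e_lfanew + 4 + len(coff) + len(opt)
    cert = b""
    if signed:
        payload = b"dummy-pkcs7-signature-blob"
        cert = struct.pack("<IHH", 8 + len(payload), 0x0200, 0x0002) + payload
        struct.pack_into("<II", opt, 112 + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY,
                         header_len, len(cert))
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + cert


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:                    # real file, e.g. the fake installer
        with open(sys.argv[1], "rb") as fh:
            sample = fh.read()
    else:                                    # offline demo on constructed stubs
        sample = build_stub_pe(signed=False)
    print(triage(sample))
```

Run it as `python triage.py path\to\installer.exe` inside the analysis VM. A `signed: False` result on something that claims to be a Krita release is already enough to stop; a `True` result only means a certificate table exists, so follow up with `Get-AuthenticodeSignature` and compare the signer to the Krita Foundation before trusting it. Searching the hash on VirusTotal rather than uploading the file also avoids tipping off an attacker who watches for submissions of their sample.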