{"id":16297,"date":"2021-09-12T12:44:50","date_gmt":"2021-09-12T11:44:50","guid":{"rendered":"https:\/\/ekiwi-blog.de\/?p=16297"},"modified":"2021-09-17T15:25:04","modified_gmt":"2021-09-17T14:25:04","slug":"update-krita-io-scam-how-about-a-collaboration","status":"publish","type":"post","link":"https:\/\/ekiwi-blog.de\/en\/16297\/update-krita-io-scam-how-about-a-collaboration\/","title":{"rendered":"Update: Krita.io scam &#8211; How about a collaboration?"},"content":{"rendered":"<p>Krita.io scam keeps on going, time for an update.<\/p>\n<p>The basic structure behind the scam is still the same: you get an email offering a promotion for a YouTube campaign.<\/p>\n<p><iframe loading=\"lazy\" width=\"560\" height=\"315\" src=\"https:\/\/www.youtube.com\/embed\/c6LcT3TBnkE\" title=\"YouTube video player\" frameborder=\"0\" allow=\"accelerometer; autoplay; clipboard-write; encrypted-media; gyroscope; picture-in-picture\" allowfullscreen><\/iframe><\/p>\n<p>The mail looks like this:<\/p>\n<blockquote><p>\nWelcome to Krita<br \/>\nHey, take a moment of your time with my message, thank you. Krita team wants to promote their product in your media space.\n<\/p><\/blockquote>\n<p>Sometimes the email already contains a download link to some sort of media base that holds the malware, but often you have to reply first. So I did, and I got the following offer.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" src=\"https:\/\/ekiwi-blog.de\/wp-content\/uploads\/2021\/09\/krita_en_1.jpg\" alt=\"\" width=\"350\" height=\"418\" class=\"aligncenter size-full wp-image-16298\" srcset=\"https:\/\/ekiwi-blog.de\/wp-content\/uploads\/2021\/09\/krita_en_1.jpg 350w, https:\/\/ekiwi-blog.de\/wp-content\/uploads\/2021\/09\/krita_en_1-251x300.jpg 251w\" sizes=\"auto, (max-width: 350px) 100vw, 350px\" \/><\/p>\n<blockquote><p>\nThank you for your interest in promoting Krita, we appreciate your support. 
Briefly, we are considering the following promotion option: 30-45 second mention on your YouTube video, Facebook post, Instagram Story.<br \/>\nHow much does 30-45 seconds of video on your YT channel cost? (Instagram Story, Facebook post)\n<\/p><\/blockquote>\n<p>The mail contains the download links, currently hosted on &#8220;getkrita.com&#8221;; earlier mails used &#8220;krita.io&#8221; and &#8220;krita.app&#8221;.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" src=\"https:\/\/ekiwi-blog.de\/wp-content\/uploads\/2021\/09\/krita_en_2.png\" alt=\"\" width=\"467\" height=\"355\" class=\"aligncenter size-full wp-image-16300\" srcset=\"https:\/\/ekiwi-blog.de\/wp-content\/uploads\/2021\/09\/krita_en_2.png 467w, https:\/\/ekiwi-blog.de\/wp-content\/uploads\/2021\/09\/krita_en_2-300x228.png 300w\" sizes=\"auto, (max-width: 467px) 100vw, 467px\" \/><\/p>\n<h2><span class=\"ez-toc-section\" id=\"Malware_analysis\"><\/span>Malware analysis<span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p>So let&#8217;s have a look at the downloads. 
In general, I do not recommend clicking on the links or downloading anything. Just delete the email and you are good. Since the question came up as to when the computer system is actually in danger: downloading and unzipping the files is usually safe. Your system gets infected when you run one of the executable files from the downloads.<\/p>\n<h3><span class=\"ez-toc-section\" id=\"Krita_installer\"><\/span>Krita installer<span class=\"ez-toc-section-end\"><\/span><\/h3>\n<p>OK, let us look at the first download, the Krita &#8220;Installer&#8221;. The first check with <a href=\"https:\/\/virustotal.com\" target=\"_blank\" rel=\"noopener\">VirusTotal.com<\/a> reveals that the installer is not the official one.<\/p>\n<p>The &#8220;Krita installer&#8221; results are currently quite alarming: only one antivirus engine detects the virus at the moment.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" src=\"https:\/\/ekiwi-blog.de\/wp-content\/uploads\/2021\/09\/krita_en_3.png\" alt=\"\" width=\"670\" height=\"548\" class=\"aligncenter size-full wp-image-16302\" srcset=\"https:\/\/ekiwi-blog.de\/wp-content\/uploads\/2021\/09\/krita_en_3.png 670w, https:\/\/ekiwi-blog.de\/wp-content\/uploads\/2021\/09\/krita_en_3-300x245.png 300w, https:\/\/ekiwi-blog.de\/wp-content\/uploads\/2021\/09\/krita_en_3-80x64.png 80w\" sizes=\"auto, (max-width: 670px) 100vw, 670px\" \/><\/p>\n<h2><span class=\"ez-toc-section\" id=\"Analysis_of_the_media_bank_files\"><\/span>Analysis of the media bank files<span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p>The media bank contains several folders and files.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" src=\"https:\/\/ekiwi-blog.de\/wp-content\/uploads\/2021\/09\/krita_en_4.png\" alt=\"\" width=\"539\" height=\"173\" class=\"aligncenter size-full wp-image-16304\" srcset=\"https:\/\/ekiwi-blog.de\/wp-content\/uploads\/2021\/09\/krita_en_4.png 539w, https:\/\/ekiwi-blog.de\/wp-content\/uploads\/2021\/09\/krita_en_4-300x96.png 300w\" sizes=\"auto, (max-width: 
539px) 100vw, 539px\" \/><\/p>\n<p>The malware is hidden in the video and promotion folder.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" src=\"https:\/\/ekiwi-blog.de\/wp-content\/uploads\/2021\/09\/krita_en_5.png\" alt=\"\" width=\"521\" height=\"270\" class=\"aligncenter size-full wp-image-16306\" srcset=\"https:\/\/ekiwi-blog.de\/wp-content\/uploads\/2021\/09\/krita_en_5.png 521w, https:\/\/ekiwi-blog.de\/wp-content\/uploads\/2021\/09\/krita_en_5-300x155.png 300w\" sizes=\"auto, (max-width: 521px) 100vw, 521px\" \/><\/p>\n<p>There is one video file and several .scr files. .scr files are Windows screensaver files, which are basically .exe files with a different extension; Windows executes them like any other program when you open them.<\/p>\n<p>The .scr files get a different result; more scanners flag them as malicious:<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" src=\"https:\/\/ekiwi-blog.de\/wp-content\/uploads\/2021\/09\/krita_en_6.png\" alt=\"\" width=\"736\" height=\"499\" class=\"aligncenter size-full wp-image-16308\" srcset=\"https:\/\/ekiwi-blog.de\/wp-content\/uploads\/2021\/09\/krita_en_6.png 736w, https:\/\/ekiwi-blog.de\/wp-content\/uploads\/2021\/09\/krita_en_6-300x203.png 300w\" sizes=\"auto, (max-width: 736px) 100vw, 736px\" \/><\/p>\n<p>But still, a lot of scanners do not find the files suspicious yet.<\/p>\n<h2><span class=\"ez-toc-section\" id=\"Running_the_software_in_Windows\"><\/span>Running the software in Windows<span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p>I use a virtual machine with Windows to run the software. I do not recommend doing that on your real system, of course. 
But let us see what happens.<\/p>\n<p>The Krita installer is not signed, whereas the original installer is.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" src=\"https:\/\/ekiwi-blog.de\/wp-content\/uploads\/2021\/09\/krita_en_7.png\" alt=\"\" width=\"474\" height=\"391\" class=\"aligncenter size-full wp-image-16310\" srcset=\"https:\/\/ekiwi-blog.de\/wp-content\/uploads\/2021\/09\/krita_en_7.png 474w, https:\/\/ekiwi-blog.de\/wp-content\/uploads\/2021\/09\/krita_en_7-300x247.png 300w\" sizes=\"auto, (max-width: 474px) 100vw, 474px\" \/><\/p>\n<p>The next steps of the installation process look normal.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" src=\"https:\/\/ekiwi-blog.de\/wp-content\/uploads\/2021\/09\/krita_en_8.png\" alt=\"\" width=\"628\" height=\"232\" class=\"aligncenter size-full wp-image-16312\" srcset=\"https:\/\/ekiwi-blog.de\/wp-content\/uploads\/2021\/09\/krita_en_8.png 628w, https:\/\/ekiwi-blog.de\/wp-content\/uploads\/2021\/09\/krita_en_8-300x111.png 300w\" sizes=\"auto, (max-width: 628px) 100vw, 628px\" \/><\/p>\n<p>After installation, a file from the installation folder, &#8220;@Krita_Soft.exe&#8221;, is run. 
This file contains the malware.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" src=\"https:\/\/ekiwi-blog.de\/wp-content\/uploads\/2021\/09\/krita_en_9.png\" alt=\"\" width=\"407\" height=\"246\" class=\"aligncenter size-full wp-image-16314\" srcset=\"https:\/\/ekiwi-blog.de\/wp-content\/uploads\/2021\/09\/krita_en_9.png 407w, https:\/\/ekiwi-blog.de\/wp-content\/uploads\/2021\/09\/krita_en_9-300x181.png 300w\" sizes=\"auto, (max-width: 407px) 100vw, 407px\" \/><\/p>\n<p>After starting it, an error message appears, and by then your system is most likely infected.<\/p>\n<blockquote><p>\nThis application could not be started\n<\/p><\/blockquote>\n<p>A similar message appears when we run the .scr files from the media bank.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" src=\"https:\/\/ekiwi-blog.de\/wp-content\/uploads\/2021\/09\/krita_en_10.png\" alt=\"\" width=\"496\" height=\"277\" class=\"aligncenter size-full wp-image-16316\" srcset=\"https:\/\/ekiwi-blog.de\/wp-content\/uploads\/2021\/09\/krita_en_10.png 496w, https:\/\/ekiwi-blog.de\/wp-content\/uploads\/2021\/09\/krita_en_10-300x168.png 300w\" sizes=\"auto, (max-width: 496px) 100vw, 496px\" \/><\/p>\n<blockquote><p>\nThis item was encoded in a form that&#8217;s not supported\n<\/p><\/blockquote>\n<p>It looks like the software is not running; however, both processes keep running in the background after that:<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" src=\"https:\/\/ekiwi-blog.de\/wp-content\/uploads\/2021\/09\/krita_en_11.jpg.png\" alt=\"\" width=\"338\" height=\"186\" class=\"aligncenter size-full wp-image-16318\" srcset=\"https:\/\/ekiwi-blog.de\/wp-content\/uploads\/2021\/09\/krita_en_11.jpg.png 338w, https:\/\/ekiwi-blog.de\/wp-content\/uploads\/2021\/09\/krita_en_11.jpg-300x165.png 300w\" sizes=\"auto, (max-width: 338px) 100vw, 338px\" \/><\/p>\n<h2><span class=\"ez-toc-section\" id=\"The_end\"><\/span>The end<span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p>The best thing is to be careful with these mails. 
Currently, mails are not only coming from &#8220;Krita&#8221;, but also under different labels such as BlackMagic and FxSound. If an offer is too good to be true, it most likely is.<\/p>\n<h2><span class=\"ez-toc-section\" id=\"Update_Cakewalk_Business_Request\"><\/span>Update: Cakewalk Business Request<span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p>A similar request arrived today from &#8220;Cakewalk&#8221; with the same offer. The basic mechanism is the same: download our software and install it.<br \/>\nSo be careful.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" src=\"https:\/\/ekiwi-blog.de\/wp-content\/uploads\/2021\/09\/cake_walk.jpg\" alt=\"\" width=\"626\" height=\"371\" class=\"aligncenter size-full wp-image-16378\" srcset=\"https:\/\/ekiwi-blog.de\/wp-content\/uploads\/2021\/09\/cake_walk.jpg 626w, https:\/\/ekiwi-blog.de\/wp-content\/uploads\/2021\/09\/cake_walk-300x178.jpg 300w\" sizes=\"auto, (max-width: 626px) 100vw, 626px\" \/><\/p>","protected":false},"excerpt":{"rendered":"<p>Krita.io scam keeps on going, time for an 
update.<\/p>\n","protected":false},"author":1,"featured_media":13596,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1552],"tags":[1601,1590,1591],"class_list":["post-16297","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-internet-en","tag-malware-en","tag-scam","tag-virus-en"],"_links":{"self":[{"href":"https:\/\/ekiwi-blog.de\/en\/wp-json\/wp\/v2\/posts\/16297","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/ekiwi-blog.de\/en\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/ekiwi-blog.de\/en\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/ekiwi-blog.de\/en\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/ekiwi-blog.de\/en\/wp-json\/wp\/v2\/comments?post=16297"}],"version-history":[{"count":0,"href":"https:\/\/ekiwi-blog.de\/en\/wp-json\/wp\/v2\/posts\/16297\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/ekiwi-blog.de\/en\/wp-json\/wp\/v2\/media\/13596"}],"wp:attachment":[{"href":"https:\/\/ekiwi-blog.de\/en\/wp-json\/wp\/v2\/media?parent=16297"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/ekiwi-blog.de\/en\/wp-json\/wp\/v2\/categories?post=16297"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/ekiwi-blog.de\/en\/wp-json\/wp\/v2\/tags?post=16297"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}