{"id":16340,"date":"2021-09-15T20:06:38","date_gmt":"2021-09-15T19:06:38","guid":{"rendered":"https:\/\/ekiwi-blog.de\/?p=16340"},"modified":"2021-09-15T20:43:01","modified_gmt":"2021-09-15T19:43:01","slug":"malware-nike-offers-jobs-mail","status":"publish","type":"post","link":"https:\/\/ekiwi-blog.de\/en\/16340\/malware-nike-offers-jobs-mail\/","title":{"rendered":"Malware: Nike offers jobs mail"},"content":{"rendered":"<p>Another scam targeting YouTubers, TikTok users and other social media influencers in the name of Nike.<\/p>\n<p>I recently received an email from &#8220;Nike&#8221; offering a cooperation and a lot of money. This email is of course not from Nike itself. It&#8217;s an old trick to lure you into downloading and opening malware from the internet and running it.<\/p>\n<p><iframe loading=\"lazy\" width=\"560\" height=\"315\" src=\"https:\/\/www.youtube.com\/embed\/SxtVVwqxw7I\" title=\"YouTube video player\" frameborder=\"0\" allow=\"accelerometer; autoplay; clipboard-write; encrypted-media; gyroscope; picture-in-picture\" allowfullscreen><\/iframe><\/p>\n<p>The email offers a cooperation: just integrate something from the catalog (which you have to download) and get $1000 or more.<\/p>\n<blockquote><p>\nStart working with a major sportswear brand, promote our products and become the face of the company\n<\/p><\/blockquote>\n<p><img loading=\"lazy\" decoding=\"async\" src=\"https:\/\/ekiwi-blog.de\/wp-content\/uploads\/2021\/09\/nike_1.jpg\" alt=\"\" width=\"928\" height=\"635\" class=\"aligncenter size-full wp-image-16341\" srcset=\"https:\/\/ekiwi-blog.de\/wp-content\/uploads\/2021\/09\/nike_1.jpg 928w, https:\/\/ekiwi-blog.de\/wp-content\/uploads\/2021\/09\/nike_1-300x205.jpg 300w, https:\/\/ekiwi-blog.de\/wp-content\/uploads\/2021\/09\/nike_1-768x526.jpg 768w\" sizes=\"auto, (max-width: 928px) 100vw, 928px\" \/><\/p>\n<p>In general, it is best to just delete the email. 
Do not download anything or click any of the links.<\/p>\n<blockquote><p>\nVideo promotion of Nike clothing<br \/>\nWe offer the opportunity to promote our clothing brand by publishing video content on YouTube and TikTok, if you have any audience, this is a great opportunity to reveal yourself in the field of advertising\n<\/p><\/blockquote>\n<h2><span class=\"ez-toc-section\" id=\"Download_the_file\"><\/span>Download the file<span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p>However, that is what we&#8217;re going to do, since we want to find out what is behind the scam. The scam brings us to a download site (https:\/\/fromsmash.com). The download site is a service to exchange big files and is used by the scammers to host their files.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" src=\"https:\/\/ekiwi-blog.de\/wp-content\/uploads\/2021\/09\/nike_2.png\" alt=\"\" width=\"345\" height=\"344\" class=\"aligncenter size-full wp-image-16343\" srcset=\"https:\/\/ekiwi-blog.de\/wp-content\/uploads\/2021\/09\/nike_2.png 345w, https:\/\/ekiwi-blog.de\/wp-content\/uploads\/2021\/09\/nike_2-300x300.png 300w, https:\/\/ekiwi-blog.de\/wp-content\/uploads\/2021\/09\/nike_2-150x150.png 150w\" sizes=\"auto, (max-width: 345px) 100vw, 345px\" \/><\/p>\n<h2><span class=\"ez-toc-section\" id=\"Extract_the_ZIP_file_and_virus_check\"><\/span>Extract the ZIP file and virus check<span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p>There you can download the ZIP file. The ZIP file contains several folders, mostly with images; however, there is an executable file in the main directory called &#8220;Presentation.exe&#8221;. 
Well, this looks suspicious.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" src=\"https:\/\/ekiwi-blog.de\/wp-content\/uploads\/2021\/09\/nike_3.png\" alt=\"\" width=\"554\" height=\"427\" class=\"aligncenter size-full wp-image-16345\" srcset=\"https:\/\/ekiwi-blog.de\/wp-content\/uploads\/2021\/09\/nike_3.png 554w, https:\/\/ekiwi-blog.de\/wp-content\/uploads\/2021\/09\/nike_3-300x231.png 300w\" sizes=\"auto, (max-width: 554px) 100vw, 554px\" \/><\/p>\n<p>The downloaded ZIP file was 1.6 MB in size. As you can see, the extracted file is much larger, around 554 MB. This is a very common trick, since most users want to check the files online with services like VirusTotal.com, and with a slow internet connection the upload might take a while.<\/p>\n<p>But this will not stop us. After uploading and scanning, some scanners indicate that there might be something very wrong with the file, flagging it as malicious. However, as you can see, most of the scanners currently do not detect anything. So local antivirus software is in most cases of no help until the vendor has updated the malware signatures.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" src=\"https:\/\/ekiwi-blog.de\/wp-content\/uploads\/2021\/09\/nike_4.png\" alt=\"\" width=\"704\" height=\"615\" class=\"aligncenter size-full wp-image-16347\" srcset=\"https:\/\/ekiwi-blog.de\/wp-content\/uploads\/2021\/09\/nike_4.png 704w, https:\/\/ekiwi-blog.de\/wp-content\/uploads\/2021\/09\/nike_4-300x262.png 300w\" sizes=\"auto, (max-width: 704px) 100vw, 704px\" \/><\/p>\n<h2><span class=\"ez-toc-section\" id=\"Run_the_malware_in_Windows\"><\/span>Run the malware in Windows<span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p>Now let us run the malware in Windows. Of course, don&#8217;t do that on your Windows machine. I will do that on a throwaway virtual machine with no internet connection.<\/p>\n<p>A window opens and nothing more happens. 
However, there is a link in the title bar of the application.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" src=\"https:\/\/ekiwi-blog.de\/wp-content\/uploads\/2021\/09\/nike_5.png\" alt=\"\" width=\"561\" height=\"199\" class=\"aligncenter size-full wp-image-16349\" srcset=\"https:\/\/ekiwi-blog.de\/wp-content\/uploads\/2021\/09\/nike_5.png 561w, https:\/\/ekiwi-blog.de\/wp-content\/uploads\/2021\/09\/nike_5-300x106.png 300w\" sizes=\"auto, (max-width: 561px) 100vw, 561px\" \/><\/p>\n<p>If we open the link in the Linux virtual machine, we see several files: some .txt files the application most likely tries to download, and also an &#8220;instal.exe&#8221;.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" src=\"https:\/\/ekiwi-blog.de\/wp-content\/uploads\/2021\/09\/nike_6.png\" alt=\"\" width=\"853\" height=\"421\" class=\"aligncenter size-full wp-image-16351\" srcset=\"https:\/\/ekiwi-blog.de\/wp-content\/uploads\/2021\/09\/nike_6.png 853w, https:\/\/ekiwi-blog.de\/wp-content\/uploads\/2021\/09\/nike_6-300x148.png 300w, https:\/\/ekiwi-blog.de\/wp-content\/uploads\/2021\/09\/nike_6-768x379.png 768w\" sizes=\"auto, (max-width: 853px) 100vw, 853px\" \/><\/p>\n<p>The best guess is that &#8220;Presentation.exe&#8221; tries to download the real malware installer from that location. 
If we download the file, we get very clear results.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" src=\"https:\/\/ekiwi-blog.de\/wp-content\/uploads\/2021\/09\/nike_7.png\" alt=\"\" width=\"860\" height=\"593\" class=\"aligncenter size-full wp-image-16353\" srcset=\"https:\/\/ekiwi-blog.de\/wp-content\/uploads\/2021\/09\/nike_7.png 860w, https:\/\/ekiwi-blog.de\/wp-content\/uploads\/2021\/09\/nike_7-300x207.png 300w, https:\/\/ekiwi-blog.de\/wp-content\/uploads\/2021\/09\/nike_7-768x530.png 768w\" sizes=\"auto, (max-width: 860px) 100vw, 860px\" \/><\/p>\n<p>At least when trying to download this file in the Windows virtual machine, Windows Defender kicks in and prevents the download.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" src=\"https:\/\/ekiwi-blog.de\/wp-content\/uploads\/2021\/09\/nike_8.png\" alt=\"\" width=\"389\" height=\"204\" class=\"aligncenter size-full wp-image-16355\" srcset=\"https:\/\/ekiwi-blog.de\/wp-content\/uploads\/2021\/09\/nike_8.png 389w, https:\/\/ekiwi-blog.de\/wp-content\/uploads\/2021\/09\/nike_8-300x157.png 300w\" sizes=\"auto, (max-width: 389px) 100vw, 389px\" \/><\/p>\n<h2><span class=\"ez-toc-section\" id=\"Conclusion\"><\/span>Conclusion<span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p>Always be careful when receiving emails with promotions and offers requiring you to download anything from the internet. In most cases it is best to delete the emails. 
In all other cases, do a very thorough check of the file with online virus scanners like <a href=\"https:\/\/virustotal.com\" target=\"_blank\" rel=\"noopener\">VirusTotal.com<\/a>.<\/p>","protected":false},"excerpt":{"rendered":"<p>Another scam targeting YouTubers, TikTok users and other social media influencers in the name of Nike.<\/p>\n","protected":false},"author":1,"featured_media":16357,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1552],"tags":[1601,1590,1602],"class_list":["post-16340","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-internet-en","tag-malware-en","tag-scam","tag-security-en"],"_links":{"self":[{"href":"https:\/\/ekiwi-blog.de\/en\/wp-json\/wp\/v2\/posts\/16340","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/ekiwi-blog.de\/en\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/ekiwi-blog.de\/en\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/ekiwi-blog.de\/en\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/ekiwi-blog.de\/en\/wp-json\/wp\/v2\/comments?post=16340"}],"version-history":[{"count":0,"href":"https:\/\/ekiwi-blog.de\/en\/wp-json\/wp\/v2\/posts\/16340\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/ekiwi-blog.de\/en\/wp-json\/wp\/v2\/media\/16357"}],"wp:attachment":[{"href":"https:\/\/ekiwi-blog.de\/en\/wp-json\/wp\/v2\/media?parent=16340"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/ekiwi-blog.de\/en\/wp-json\/wp\/v2\/categories?post=16340"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/ekiwi-blog.de\/en\/wp-json\/wp\/v2\/tags?post=16340"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}