Jump to content

Woah, woah, hold up! Beware of MALWARE in Buyer requests!


vepthy
 Share

Recommended Posts

Like having a Windows 10 VM for these (and anything else that involves sharing your data, even games) and Linux for everything else.

To be honest, that’s not really the right approach. If I wanted to be safe as someone who uses something like Photoshop for work and I only had 1 PC, I’d download files normally, but put them through a virus scanner in a VM, before (if they were safe) getting work done in my regular PC environment.

Using apps like Photoshop in a VM is tricky unless you have lots of spare CPU power and RAM you can devote to a VM.

You also need to differentiate between Internet privacy and security. Playing games in a VM probably won’t work to well and will not protect your privacy at all. However, it will increase your overall workstation security.

If you are a complete novice when it comes to cybersecurity, it might be best to just enable S mode in Windows 10 and do what I said about opening and scanning attachments in a VM. You can also set your firewall to block all incoming requests and only use a guest account on your device to improve security.

Those steps alone will prevent you from falling victim to the majority of virus and hacking attempts.

Hello Fiverr community!

PLEASE READ CAREFULLY, MALWARE THREAT


Backstory

Just 5 minutes ago, I was waiting for some Buyer requests when this request came in my list

1082505940_fiverrmalwarecensored.PNG.c485f5e21c6322fb434b71b6e40743e0.PNG

After downloading the ZIP file, for prevention reasons, I didn’t extract it right away. ZIP was containing these files:

  • What needs doing.lnk
  • NDA.lnk

I extracted them into a secure sandbox and firstly tried to delete them. I was unable to. After that, I immediately scanned them with Bitdefender and this is what they are:

beware..PNG.13ce99fa6d55b7bb3b91765bfe608a26.PNG


About the malware

What it does

These malware files are shortcuts that are acting like real executable files. This means that you won’t see that you ran it but it did run a script on a command prompt usually installing a ransomware/encrypter on your computer.

Read more about these malware

Details of research and related files

After researching these malware in VirusTotal, I found more information about it and files that you might stumble across on Fiverr again.

Click on this link to explore a graph with all relations of these files.


List of malicious files that you might see or have already seen:

“Freelancer.zip”

Link to detection

File hash*: c49e6926ca713a3874e02ded35b7a5c6becb6ae893026a11a670677aa457a69e

“readme.txt.Ink” (In Freelancer.zip)

Link to detection

File hash: a5c25ce54a8003f5917593f03a460ad9751e5485c249e51ba39aaace07eba87a

“xml.xml"

Link to detection

“nda.lnk" (Also known as “Bidding instructions.lnk”)

Link to detection

File hash: 36a0b667009bf16608e5122a4a3636e8bb729a7751641b8bc58b3e9eb6d24b47

“Fiverr.zip”

Link to detection

File hash: 66c6adf457a32e171404eb0400ce2229983a1572fbda4fe3c881cf43dbe97747

How to prevent from getting compromised

If you are a complete novice when it comes to cybersecurity, it might be best to just enable S mode in Windows 10 and do what I said about opening and scanning attachments in a VM. You can also set your firewall to block all incoming requests and only use a guest account on your device to improve security.

This would be your best option for these files. Many antiviruses (including scanners in browsers) can’t scan inside of a zip file.

In a real scenario, you would extract the zip file to see what’s inside and if you accidentally open one of those files, you might be compromised.

If something like virtual machines are too complicated for you, before extracting or executing an attachment, go to https://VirusTotal.com and scan the files. You can also copy an url of the attachment and put it in their search box. Website will scan your file/url with 50-60 antiviruses.

EDIT on 2020-06-19T22:00:00Z

@alikbaba2 Made a Thread: Virus appeared in one of buyer's request files

He downloaded another malware from buyer requests. He send me download link and this is the malware

It is in .zip file named “Attachments” - Virus total link

It contains “Extract.js” - Virus total link


Beware everybody.

  • Like 19
Link to comment
Share on other sites

It is not just him. From yesterday they were buyer requests for logo and link in description leads to malware website. Guess it is that time of the month for them.

Yeah.

These ones are problems as somebody that is not experienced would have hard time to remove them as they cannot be remover by a user (even if they’re administrator of the computer). One huge problem is that very high number of anti-malware softwares do not recognize this as a threat (check out VirusTotal link in my post.)

And even this is a first submission recorded!

First Submission2020-06-05 12:40:37
Last Submission2020-06-05 12:40:37
Last Analysis2020-06-05 12:40:37
Earliest Contents Modification2020-06-04 14:10:34
Latest Contents Modification2020-06-04 14:10:34
  • Like 1
Link to comment
Share on other sites

Yeah.

These ones are problems as somebody that is not experienced would have hard time to remove them as they cannot be remover by a user (even if they’re administrator of the computer). One huge problem is that very high number of anti-malware softwares do not recognize this as a threat (check out VirusTotal link in my post.)

And even this is a first submission recorded!

First Submission2020-06-05 12:40:37
Last Submission2020-06-05 12:40:37
Last Analysis2020-06-05 12:40:37
Earliest Contents Modification2020-06-04 14:10:34
Latest Contents Modification2020-06-04 14:10:34

Yes, I have seen it. Using internet is dangerous if you do not know what you are doing or you do not have AV who knows how to stop you.

  • Like 2
Link to comment
Share on other sites

Yes, I have seen it. Using internet is dangerous if you do not know what you are doing or you do not have AV who knows how to stop you.

Also, that buyer request had 2-3 custom offers meaning that somebody got baited…

  • Like 1
Link to comment
Share on other sites

Yet another reason to only go near buyer requests if your entire freelance career is on fire.

Or to avoid offers that contain .zip, .rar, .7zip… files that browsers cannot really check if they’re a thread especially if they’re new!

  • Like 1
Link to comment
Share on other sites

That’s something new. Seems like a shortcut that opens PowerShell and runs a script, there are some nasty PowerShell scripts out there. As long as you don’t open anything, you should be fine.

BTW, could someone somehow send me a sample of the files? I’d like to see what exactly they do.

  • Like 3
Link to comment
Share on other sites

Yeah.

These ones are problems as somebody that is not experienced would have hard time to remove them as they cannot be remover by a user (even if they’re administrator of the computer). One huge problem is that very high number of anti-malware softwares do not recognize this as a threat (check out VirusTotal link in my post.)

And even this is a first submission recorded!

First Submission2020-06-05 12:40:37
Last Submission2020-06-05 12:40:37
Last Analysis2020-06-05 12:40:37
Earliest Contents Modification2020-06-04 14:10:34
Latest Contents Modification2020-06-04 14:10:34

Seeing some of them also add irrelevant links. I am afraid to open those links also. Don’t know what to do!!!

Link to comment
Share on other sites

That’s something new. Seems like a shortcut that opens PowerShell and runs a script, there are some nasty PowerShell scripts out there. As long as you don’t open anything, you should be fine.

BTW, could someone somehow send me a sample of the files? I’d like to see what exactly they do.

Sure thing. Send me a message I will provide you all information. I can help you investigate if you need help.

Link to comment
Share on other sites

Hello Fiverr community!

PLEASE READ CAREFULLY, MALWARE THREAT


Backstory

Just 5 minutes ago, I was waiting for some Buyer requests when this request came in my list

fiverr malware censored

After downloading the ZIP file, for prevention reasons, I didn’t extract it right away. ZIP was containing these files:

  • What needs doing.lnk
  • NDA.lnk

I extracted them into a secure sandbox and firstly tried to delete them. I was unable to. After that, I immediately scanned them with Bitdefender and this is what they are:

beware.


About the malware

What it does

These malware files are shortcuts that are acting like real executable files. This means that you won’t see that you ran it but it did run a script on a command prompt usually installing a ransomware/encrypter on your computer.

Read more about these malware

Details of research and related files

After researching these malware in VirusTotal, I found more information about it and files that you might stumble across on Fiverr again.

Click on this link to explore a graph with all relations of these files.


List of malicious files that you might see or have already seen:

“Freelancer.zip”

Link to detection

File hash*: c49e6926ca713a3874e02ded35b7a5c6becb6ae893026a11a670677aa457a69e

“readme.txt.Ink” (In Freelancer.zip)

Link to detection

File hash: a5c25ce54a8003f5917593f03a460ad9751e5485c249e51ba39aaace07eba87a

“xml.xml"

Link to detection

“nda.lnk" (Also known as “Bidding instructions.lnk”)

Link to detection

File hash: 36a0b667009bf16608e5122a4a3636e8bb729a7751641b8bc58b3e9eb6d24b47

“Fiverr.zip”

Link to detection

File hash: 66c6adf457a32e171404eb0400ce2229983a1572fbda4fe3c881cf43dbe97747

How to prevent from getting compromised

If you are a complete novice when it comes to cybersecurity, it might be best to just enable S mode in Windows 10 and do what I said about opening and scanning attachments in a VM. You can also set your firewall to block all incoming requests and only use a guest account on your device to improve security.

This would be your best option for these files. Many antiviruses (including scanners in browsers) can’t scan inside of a zip file.

In a real scenario, you would extract the zip file to see what’s inside and if you accidentally open one of those files, you might be compromised.

If something like virtual machines are too complicated for you, before extracting or executing an attachment, go to https://VirusTotal.com and scan the files. You can also copy an url of the attachment and put it in their search box. Website will scan your file/url with 50-60 antiviruses.

EDIT on 2020-06-19T22:00:00Z

@alikbaba2 Made a Thread: Virus appeared in one of buyer's request files

He downloaded another malware from buyer requests. He send me download link and this is the malware

It is in .zip file named “Attachments” - Virus total link

It contains “Extract.js” - Virus total link


Beware everybody.

This is file hash: 66c6adf457a32e171404eb0400ce2229983a1572fbda4fe3c881cf43dbe97747

I have just opened a support ticket. I will notify you all.

  • Like 1
Link to comment
Share on other sites

@cyaxrex, @marinapomorac, @wolfhowler, @humanissocial, @fibocci, @erik_keresztes

Sorry for pinging you all. I have an update. Will post here since I can’t edit my thread.

For now, no answer from Fiverr team. Will update you on that.

I have explored the graph from file detection on VirusTotal and this is real nasty. For anyone who would like to explore himself, here you go. It is 100% safe, no worries 😉 .

Seems like that Erik was right. It executes a script that later contacts with some nasty things. Here is an image of one part of it.

graph.PNG.c94e5fd1a50367a589a330e3b2e009eb.PNG
graph919×464 44.4 KB

I have also reported this to all major browsers and seems like that all in all, antivirus detection went from 20 to 30, which is good.

Take care!

Important update:

After searching more, I found more malicious sibling files. This seems to be another one from same guy/group.

“Freelancer.zip”
Link to detection
Hash: c49e6926ca713a3874e02ded35b7a5c6becb6ae893026a11a670677aa457a69e

“readme.txt.Ink” (In Freelancer.zip)
Link to detection
Hash: a5c25ce54a8003f5917593f03a460ad9751e5485c249e51ba39aaace07eba87a

“xml.xml”
Link to detection

A microsoft thread that explains what are these doing.

  • Like 6
Link to comment
Share on other sites

It’s very dangerous to make me aware of new malware. I usually download it to keep in a file ready to send my enemies.

Nice investigating, though.

The main thing to remember is that most viruses like this depend on social engineering to be effective. Possibly, Fiverr should take note of this and prevent people from uploading files when creating a buyer request.

  • Like 1
Link to comment
Share on other sites

It’s very dangerous to make me aware of new malware. I usually download it to keep in a file ready to send my enemies.

Nice investigating, though.

The main thing to remember is that most viruses like this depend on social engineering to be effective. Possibly, Fiverr should take note of this and prevent people from uploading files when creating a buyer request.

It’s getting even scarier. Check out my new edit.

It’s scary seeing where your IP/other data goes when you click on a file from a buyer…

woah..PNG.2348c99d89a26864f534fbec1c0533ba.PNG

  • Like 1
Link to comment
Share on other sites

It’s very dangerous to make me aware of new malware. I usually download it to keep in a file ready to send my enemies.

Nice investigating, though.

The main thing to remember is that most viruses like this depend on social engineering to be effective. Possibly, Fiverr should take note of this and prevent people from uploading files when creating a buyer request.

@cyaxrex I guess this needs to be away from our eyes since we usually have three kinds of people, who get the virus, who make the virus, and who are smart enough to make the virus but do not want to waste time on that.

The last two don’t need to be informed about viruses because of obvious reasons, but the first group is kinda lost and they need this.

Me personally I fall into group 3, and I think you too, so…

  • Like 1
Link to comment
Share on other sites

@cyaxrex I guess this needs to be away from our eyes since we usually have three kinds of people, who get the virus, who make the virus, and who are smart enough to make the virus but do not want to waste time on that.

The last two don’t need to be informed about viruses because of obvious reasons, but the first group is kinda lost and they need this.

Me personally I fall into group 3, and I think you too, so…

Yeah, sorry for pinging you again.

Link to comment
Share on other sites

It’s getting even scarier. Check out my new edit.

It’s scary seeing where your IP/other data goes when you click on a file from a buyer…

woah.

It’s scary seeing where your IP/other data goes when you click on a file from a buyer

That’s nothing. I keep tabs on my neighbors CCTV and know the adult entertainment preferences of most people in my street. If we lived next door, I’d know more about you than your mother.

The last two don’t need to be informed about viruses

Everyone needs to be informed about viruses and cybersecurity. Pretty much 99% of people are walking around naked online.

That said, possibly someone could write a guide to cybersecurity as a freelancer and pitch it to the Fiverr blog as a bit of a marketing tactic. :thinking:

  • Like 2
Link to comment
Share on other sites

It’s scary seeing where your IP/other data goes when you click on a file from a buyer

That’s nothing. I keep tabs on my neighbors CCTV and know the adult entertainment preferences of most people in my street. If we lived next door, I’d know more about you than your mother.

The last two don’t need to be informed about viruses

Everyone needs to be informed about viruses and cybersecurity. Pretty much 99% of people are walking around naked online.

That said, possibly someone could write a guide to cybersecurity as a freelancer and pitch it to the Fiverr blog as a bit of a marketing tactic. :thinking:

That’s nothing. I keep tabs on my neighbors CCTV and know the adult entertainment preferences of most people in my street. If we lived next door, I’d know more about you than your mother.

Yeah, I’ve been into cybersecurity quite a while and it’s scary what can you see/learn… on there.

  • Like 1
Link to comment
Share on other sites

It’s scary seeing where your IP/other data goes when you click on a file from a buyer

That’s nothing. I keep tabs on my neighbors CCTV and know the adult entertainment preferences of most people in my street. If we lived next door, I’d know more about you than your mother.

The last two don’t need to be informed about viruses

Everyone needs to be informed about viruses and cybersecurity. Pretty much 99% of people are walking around naked online.

That said, possibly someone could write a guide to cybersecurity as a freelancer and pitch it to the Fiverr blog as a bit of a marketing tactic. :thinking:

Pretty much 99% of people are walking around naked online.

Well, I know where I am 😃

  • Like 1
Link to comment
Share on other sites

I am very paranoid about that stuff. It doesn’t help that in graphics & design nearly every BR has attachments.
Had a buyer request pop up about an hour ago in photo editing category. The request itself looked legit, but there was a text document attached. In the document there was a shortened link with something along the lines of “I want something similar to this picture I found on the internet, check it out”.
Uhuh. Not suspicious at all.
I did not investigate the link, but I’m 99% sure that in best case scenario it’s just some spam, but could be much worse.

  • Like 2
Link to comment
Share on other sites

Please sign in to comment

You will be able to leave a comment after signing in



Sign In Now
 Share

×
×
  • Create New...