Fiverr Community Forum

Woah, woah, hold up! Beware of MALWARE in Buyer requests!

Hello Fiverr community!

PLEASE READ CAREFULLY, MALWARE THREAT


Backstory

Just 5 minutes ago, I was waiting for some Buyer requests when this request came in my list

fiverr malware censored

After downloading the ZIP file, for prevention reasons, I didn’t extract it right away. The ZIP contained these files:

  • What needs doing.lnk
  • NDA.lnk

I extracted them into a secure sandbox and firstly tried to delete them. I was unable to. After that, I immediately scanned them with Bitdefender and this is what they are:

beware.


About the malware

What it does

These malware files are shortcuts that act like real executable files. This means that you won’t see that you ran it, but it did run a script in a command prompt, usually installing a ransomware/encrypter on your computer.

Read more about these malware

Details of research and related files

After researching these malware in VirusTotal, I found more information about it and files that you might stumble across on Fiverr again.

Click on this link to explore a graph with all relations of these files.


List of malicious files that you might see or have already seen:

“Freelancer.zip”

Link to detection
File hash*: c49e6926ca713a3874e02ded35b7a5c6becb6ae893026a11a670677aa457a69e

“readme.txt.Ink” (In Freelancer.zip)

Link to detection
File hash: a5c25ce54a8003f5917593f03a460ad9751e5485c249e51ba39aaace07eba87a

“xml.xml”

Link to detection

“nda.lnk” (Also known as “Bidding instructions.lnk”)

Link to detection
File hash: 36a0b667009bf16608e5122a4a3636e8bb729a7751641b8bc58b3e9eb6d24b47

“Fiverr.zip”

Link to detection
File hash: 66c6adf457a32e171404eb0400ce2229983a1572fbda4fe3c881cf43dbe97747

How to prevent from getting compromised

This would be your best option for these files. Many antiviruses (including scanners in browsers) can’t scan inside of a zip file.

In a real scenario, you would extract the zip file to see what’s inside and if you accidentally open one of those files, you might be compromised.

If something like virtual machines is too complicated for you, before extracting or executing an attachment, go to https://VirusTotal.com and scan the files. You can also copy a URL of the attachment and put it in their search box. The website will scan your file/URL with 50-60 antiviruses.

EDIT on 2020-06-19T22:00:00Z

@alikbaba2 Made a Thread: Virus appeared in one of buyer's request files

He downloaded another malware from buyer requests. He sent me the download link and this is the malware

It is in .zip file named “Attachments” - Virus total link
It contains “Extract.js” - Virus total link


Beware everybody.

15 Likes
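The "look inside before you extract" advice from the post above, as an added example that is not part of the original thread: it reads only the ZIP's directory, flags shortcut and script entries such as the `.lnk` and `.js` files reported here, and returns the archive's SHA-256 for a VirusTotal search. The extension lists beyond `.lnk` and `.js`, the function names, and the sample archive with its `notes.txt.lnk` and `brief.pdf` entries are assumptions constructed for illustration.

```python
import hashlib
import io
import zipfile
from pathlib import PurePosixPath

# Extensions Windows runs or hands to a script host on double-click.
# .lnk and .js are the types reported in this thread; the rest are an
# assumed, non-exhaustive extension of the same idea.
RISKY = {".lnk", ".js", ".jse", ".vbs", ".wsf", ".hta", ".bat", ".cmd",
         ".ps1", ".scr", ".exe", ".com", ".pif"}
# Document-looking extensions used to disguise the real one ("x.txt.lnk").
DECOY = {".txt", ".pdf", ".doc", ".docx", ".xls", ".xlsx", ".jpg", ".png"}


def inspect_zip(data: bytes) -> dict:
    """Read the archive's directory only; nothing is extracted or run."""
    flagged = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            suffixes = [s.lower() for s in PurePosixPath(info.filename).suffixes]
            if not suffixes or suffixes[-1] not in RISKY:
                continue
            reason = "runs on double-click"
            if len(suffixes) > 1 and suffixes[-2] in DECOY:
                reason = "double extension hiding a " + suffixes[-1] + " file"
            flagged.append((info.filename, reason))
    # The hash identifies the archive for a lookup without uploading it.
    return {"sha256": hashlib.sha256(data).hexdigest(), "flagged": flagged}


def make_sample() -> bytes:
    """Constructed archive with harmless placeholder contents."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name in ("What needs doing.lnk", "NDA.lnk",
                     "notes.txt.lnk", "brief.pdf"):
            zf.writestr(name, b"constructed placeholder, not a real shortcut")
    return buf.getvalue()


if __name__ == "__main__":
    report = inspect_zip(make_sample())
    print("SHA-256:", report["sha256"])
    for name, reason in report["flagged"]:
        print("FLAGGED:", name, "-", reason)
```
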

It is not just him. From yesterday there were buyer requests for a logo, and the link in the description leads to a malware website. Guess it is that time of the month for them.

4 Likes

Yeah.

These ones are a problem, as somebody who is not experienced would have a hard time removing them, as they cannot be removed by a user (even if they’re an administrator of the computer). One huge problem is that a very high number of anti-malware programs do not recognize this as a threat (check out the VirusTotal link in my post).

And even this is a first submission recorded!

First Submission 2020-06-05 12:40:37
Last Submission 2020-06-05 12:40:37
Last Analysis 2020-06-05 12:40:37
Earliest Contents Modification 2020-06-04 14:10:34
Latest Contents Modification 2020-06-04 14:10:34

Yes, I have seen it. Using the internet is dangerous if you do not know what you are doing or you do not have an AV that knows how to stop you.

1 Like

Also, that buyer request had 2-3 custom offers meaning that somebody got baited…

Yet another reason to only go near buyer requests if your entire freelance career is on fire.

3 Likes

Or to avoid offers that contain .zip, .rar, .7zip… files that browsers cannot really check if they’re a threat, especially if they’re new!

That’s something new. Seems like a shortcut that opens PowerShell and runs a script, there are some nasty PowerShell scripts out there. As long as you don’t open anything, you should be fine.

BTW, could someone somehow send me a sample of the files? I’d like to see what exactly they do.

2 Likes

Yikes. Please report this to CS.

This is why I never open zip files and never open a file that isn’t for an existing order.

Seeing some of them also add irrelevant links. I am afraid to open those links also. Don’t know what to do!!!

Yep, viruses exist. But also, the sender may not be aware they are sending it. Often worms and Trojans will jump onto a .zip in the hope it will be sent to a new system without the person ever knowing they had it in the first place.

1 Like

Sure thing. Send me a message I will provide you all information. I can help you investigate if you need help.

I have just opened a support ticket. I will notify you all.

1 Like

Even while opening PDF files, you need to make sure Javascript is disabled. You never know when some nasty script could run in those.

2 Likes

Hi,
I am new to Fiverr. Thank you for updating.

2 Likes

Thanks! Let’s hope they do something. There will be a record here if they don’t.

1 Like

@cyaxrex, @marinapomorac, @wolfhowler, @humanissocial, @fibocci, @erik_keresztes

Sorry for pinging you all. I have an update. Will post here since I can’t edit my thread.

For now, no answer from Fiverr team. Will update you on that.

I have explored the graph from file detection on VirusTotal and this is real nasty. For anyone who would like to explore himself, here you go. It is 100% safe, no worries :wink: .

Seems like Erik was right. It executes a script that later contacts some nasty things. Here is an image of one part of it.

I have also reported this to all major browsers, and it seems that, all in all, antivirus detection went from 20 to 30, which is good.

Take care!

Important update:

After searching more, I found more malicious sibling files. This seems to be another one from same guy/group.

“Freelancer.zip”
Link to detection
Hash: c49e6926ca713a3874e02ded35b7a5c6becb6ae893026a11a670677aa457a69e

“readme.txt.Ink” (In Freelancer.zip)
Link to detection
Hash: a5c25ce54a8003f5917593f03a460ad9751e5485c249e51ba39aaace07eba87a

“xml.xml”
Link to detection

A Microsoft thread that explains what these are doing.

4 Likes

It’s very dangerous to make me aware of new malware. I usually download it to keep in a file ready to send my enemies.

Nice investigating, though.

The main thing to remember is that most viruses like this depend on social engineering to be effective. Possibly, Fiverr should take note of this and prevent people from uploading files when creating a buyer request.

1 Like

It’s getting even scarier. Check out my new edit.

It’s scary seeing where your IP/other data goes when you click on a file from a buyer…

woah.

1 Like

@cyaxrex I guess this needs to be away from our eyes since we usually have three kinds of people, who get the virus, who make the virus, and who are smart enough to make the virus but do not want to waste time on that.

The last two don’t need to be informed about viruses because of obvious reasons, but the first group is kinda lost and they need this.

Me personally I fall into group 3, and I think you too, so…

1 Like