Woah, woah, hold up! Beware of MALWARE in Buyer requests!

[vepthy]

Like having a Windows 10 VM for these (and anything else that involves sharing your data, even games) and Linux for everything else.

To be honest, that’s not really the right approach. If I wanted to be safe as someone who uses something like Photoshop for work and I only had 1 PC, I’d download files normally, but put them through a virus scanner in a VM, before (if they were safe) getting work done in my regular PC environment.

Using apps like Photoshop in a VM is tricky unless you have lots of spare CPU power and RAM you can devote to a VM.

You also need to differentiate between Internet privacy and security. Playing games in a VM probably won’t work to well and will not protect your privacy at all. However, it will increase your overall workstation security.

If you are a complete novice when it comes to cybersecurity, it might be best to just enable S mode in Windows 10 and do what I said about opening and scanning attachments in a VM. You can also set your firewall to block all incoming requests and only use a guest account on your device to improve security.

Those steps alone will prevent you from falling victim to the majority of virus and hacking attempts.

Hello Fiverr community!

PLEASE READ CAREFULLY, MALWARE THREAT

---

Backstory

Just 5 minutes ago, I was waiting for some Buyer requests when this request came in my list

After downloading the ZIP file, for prevention reasons, I didn’t extract it right away. ZIP was containing these files:

• What needs doing.lnk
• NDA.lnk

I extracted them into a secure sandbox and firstly tried to delete them. I was unable to. After that, I immediately scanned them with Bitdefender and this is what they are:

---

About the malware

What it does

These malware files are shortcuts that are acting like real executable files. This means that you won’t see that you ran it but it did run a script on a command prompt usually installing a ransomware/encrypter on your computer.

Read more about these malware

Details of research and related files

After researching these malware in VirusTotal, I found more information about it and files that you might stumble across on Fiverr again.

Click on this link to explore a graph with all relations of these files.

---

List of malicious files that you might see or have already seen:

“Freelancer.zip”

Link to detection

File hash*: c49e6926ca713a3874e02ded35b7a5c6becb6ae893026a11a670677aa457a69e

“readme.txt.Ink” (In Freelancer.zip)

Link to detection

File hash: a5c25ce54a8003f5917593f03a460ad9751e5485c249e51ba39aaace07eba87a

“xml.xml"

Link to detection

“nda.lnk" (Also known as “Bidding instructions.lnk”)

Link to detection

File hash: 36a0b667009bf16608e5122a4a3636e8bb729a7751641b8bc58b3e9eb6d24b47

“Fiverr.zip”

Link to detection

File hash: 66c6adf457a32e171404eb0400ce2229983a1572fbda4fe3c881cf43dbe97747

How to prevent from getting compromised

If you are a complete novice when it comes to cybersecurity, it might be best to just enable S mode in Windows 10 and do what I said about opening and scanning attachments in a VM. You can also set your firewall to block all incoming requests and only use a guest account on your device to improve security.

This would be your best option for these files. Many antiviruses (including scanners in browsers) can’t scan inside of a zip file.

In a real scenario, you would extract the zip file to see what’s inside and if you accidentally open one of those files, you might be compromised.

If something like virtual machines are too complicated for you, before extracting or executing an attachment, go to https://VirusTotal.com and scan the files. You can also copy an url of the attachment and put it in their search box. Website will scan your file/url with 50-60 antiviruses.

EDIT on 2020-06-19T22:00:00Z

@alikbaba2 Made a Thread: Virus appeared in one of buyer's request files

He downloaded another malware from buyer requests. He send me download link and this is the malware

It is in .zip file named “Attachments” - Virus total link

It contains “Extract.js” - Virus total link

---

Beware everybody.

[marinapomorac]

It is not just him. From yesterday they were buyer requests for logo and link in description leads to malware website. Guess it is that time of the month for them.

[vepthy]

It is not just him. From yesterday they were buyer requests for logo and link in description leads to malware website. Guess it is that time of the month for them.

Yeah.

These ones are problems as somebody that is not experienced would have hard time to remove them as they cannot be remover by a user (even if they’re administrator of the computer). One huge problem is that very high number of anti-malware softwares do not recognize this as a threat (check out VirusTotal link in my post.)

And even this is a first submission recorded!

First Submission	2020-06-05 12:40:37
Last Submission	2020-06-05 12:40:37
Last Analysis	2020-06-05 12:40:37
Earliest Contents Modification	2020-06-04 14:10:34
Latest Contents Modification	2020-06-04 14:10:34

[marinapomorac]

Yeah.

These ones are problems as somebody that is not experienced would have hard time to remove them as they cannot be remover by a user (even if they’re administrator of the computer). One huge problem is that very high number of anti-malware softwares do not recognize this as a threat (check out VirusTotal link in my post.)

And even this is a first submission recorded!

First Submission	2020-06-05 12:40:37
Last Submission	2020-06-05 12:40:37
Last Analysis	2020-06-05 12:40:37
Earliest Contents Modification	2020-06-04 14:10:34
Latest Contents Modification	2020-06-04 14:10:34

Yes, I have seen it. Using internet is dangerous if you do not know what you are doing or you do not have AV who knows how to stop you.

[vepthy]

Yes, I have seen it. Using internet is dangerous if you do not know what you are doing or you do not have AV who knows how to stop you.

Also, that buyer request had 2-3 custom offers meaning that somebody got baited…

[cyaxrex]

Yet another reason to only go near buyer requests if your entire freelance career is on fire.

[vepthy]

Yet another reason to only go near buyer requests if your entire freelance career is on fire.

Or to avoid offers that contain .zip, .rar, .7zip… files that browsers cannot really check if they’re a thread especially if they’re new!

[erik_keresztes]

That’s something new. Seems like a shortcut that opens PowerShell and runs a script, there are some nasty PowerShell scripts out there. As long as you don’t open anything, you should be fine.

BTW, could someone somehow send me a sample of the files? I’d like to see what exactly they do.

[humanissocial]

Yikes. Please report this to CS.

This is why I never open zip files and never open a file that isn’t for an existing order.

[anamikanim]

Yeah.

These ones are problems as somebody that is not experienced would have hard time to remove them as they cannot be remover by a user (even if they’re administrator of the computer). One huge problem is that very high number of anti-malware softwares do not recognize this as a threat (check out VirusTotal link in my post.)

And even this is a first submission recorded!

First Submission	2020-06-05 12:40:37
Last Submission	2020-06-05 12:40:37
Last Analysis	2020-06-05 12:40:37
Earliest Contents Modification	2020-06-04 14:10:34
Latest Contents Modification	2020-06-04 14:10:34

Seeing some of them also add irrelevant links. I am afraid to open those links also. Don’t know what to do!!!

[wolfhowler]

Yep, viruses exist. But also, the sender may not be aware they are sending it. Often worms and Trojans will jump onto a .zip in the hope it will be sent to a new system without the person ever knowing they had it in the first place.

[vepthy]

That’s something new. Seems like a shortcut that opens PowerShell and runs a script, there are some nasty PowerShell scripts out there. As long as you don’t open anything, you should be fine.

BTW, could someone somehow send me a sample of the files? I’d like to see what exactly they do.

Sure thing. Send me a message I will provide you all information. I can help you investigate if you need help.

[vepthy]

Hello Fiverr community!

PLEASE READ CAREFULLY, MALWARE THREAT

---

Backstory

Just 5 minutes ago, I was waiting for some Buyer requests when this request came in my list

After downloading the ZIP file, for prevention reasons, I didn’t extract it right away. ZIP was containing these files:

• What needs doing.lnk
• NDA.lnk

I extracted them into a secure sandbox and firstly tried to delete them. I was unable to. After that, I immediately scanned them with Bitdefender and this is what they are:

---

About the malware

What it does

These malware files are shortcuts that are acting like real executable files. This means that you won’t see that you ran it but it did run a script on a command prompt usually installing a ransomware/encrypter on your computer.

Read more about these malware

Details of research and related files

After researching these malware in VirusTotal, I found more information about it and files that you might stumble across on Fiverr again.

Click on this link to explore a graph with all relations of these files.

---

List of malicious files that you might see or have already seen:

“Freelancer.zip”

Link to detection

File hash*: c49e6926ca713a3874e02ded35b7a5c6becb6ae893026a11a670677aa457a69e

“readme.txt.Ink” (In Freelancer.zip)

Link to detection

File hash: a5c25ce54a8003f5917593f03a460ad9751e5485c249e51ba39aaace07eba87a

“xml.xml"

Link to detection

“nda.lnk" (Also known as “Bidding instructions.lnk”)

Link to detection

File hash: 36a0b667009bf16608e5122a4a3636e8bb729a7751641b8bc58b3e9eb6d24b47

“Fiverr.zip”

Link to detection

File hash: 66c6adf457a32e171404eb0400ce2229983a1572fbda4fe3c881cf43dbe97747

How to prevent from getting compromised

If you are a complete novice when it comes to cybersecurity, it might be best to just enable S mode in Windows 10 and do what I said about opening and scanning attachments in a VM. You can also set your firewall to block all incoming requests and only use a guest account on your device to improve security.

This would be your best option for these files. Many antiviruses (including scanners in browsers) can’t scan inside of a zip file.

In a real scenario, you would extract the zip file to see what’s inside and if you accidentally open one of those files, you might be compromised.

If something like virtual machines are too complicated for you, before extracting or executing an attachment, go to https://VirusTotal.com and scan the files. You can also copy an url of the attachment and put it in their search box. Website will scan your file/url with 50-60 antiviruses.

EDIT on 2020-06-19T22:00:00Z

@alikbaba2 Made a Thread: Virus appeared in one of buyer's request files

He downloaded another malware from buyer requests. He send me download link and this is the malware

It is in .zip file named “Attachments” - Virus total link

It contains “Extract.js” - Virus total link

---

Beware everybody.

This is file hash: 66c6adf457a32e171404eb0400ce2229983a1572fbda4fe3c881cf43dbe97747

I have just opened a support ticket. I will notify you all.

[Guest fibocci]

Even while opening PDF files, you need to make sure Javascript is disabled. You never know when some nasty script could run in those.

[e_hand]

hi,
I am new to fiverr .Thank you for updating .

[humanissocial]

This is file hash: 66c6adf457a32e171404eb0400ce2229983a1572fbda4fe3c881cf43dbe97747

I have just opened a support ticket. I will notify you all.

Thanks! Let’s hope they do something. There will be a record here if they don’t.

[vepthy]

@cyaxrex, @marinapomorac, @wolfhowler, @humanissocial, @fibocci, @erik_keresztes

Sorry for pinging you all. I have an update. Will post here since I can’t edit my thread.

For now, no answer from Fiverr team. Will update you on that.

I have explored the graph from file detection on VirusTotal and this is real nasty. For anyone who would like to explore himself, here you go. It is 100% safe, no worries 😉 .

Seems like that Erik was right. It executes a script that later contacts with some nasty things. Here is an image of one part of it.

graph919×464 44.4 KB

I have also reported this to all major browsers and seems like that all in all, antivirus detection went from 20 to 30, which is good.

Take care!

Important update:

After searching more, I found more malicious sibling files. This seems to be another one from same guy/group.

“Freelancer.zip”
Link to detection
Hash: c49e6926ca713a3874e02ded35b7a5c6becb6ae893026a11a670677aa457a69e

“readme.txt.Ink” (In Freelancer.zip)
Link to detection
Hash: a5c25ce54a8003f5917593f03a460ad9751e5485c249e51ba39aaace07eba87a

“xml.xml”
Link to detection

A microsoft thread that explains what are these doing.

[cyaxrex]

It’s very dangerous to make me aware of new malware. I usually download it to keep in a file ready to send my enemies.

Nice investigating, though.

The main thing to remember is that most viruses like this depend on social engineering to be effective. Possibly, Fiverr should take note of this and prevent people from uploading files when creating a buyer request.

[vepthy]

It’s very dangerous to make me aware of new malware. I usually download it to keep in a file ready to send my enemies.

Nice investigating, though.

The main thing to remember is that most viruses like this depend on social engineering to be effective. Possibly, Fiverr should take note of this and prevent people from uploading files when creating a buyer request.

It’s getting even scarier. Check out my new edit.

It’s scary seeing where your IP/other data goes when you click on a file from a buyer…

[marinapomorac]

It’s very dangerous to make me aware of new malware. I usually download it to keep in a file ready to send my enemies.

Nice investigating, though.

The main thing to remember is that most viruses like this depend on social engineering to be effective. Possibly, Fiverr should take note of this and prevent people from uploading files when creating a buyer request.

@cyaxrex I guess this needs to be away from our eyes since we usually have three kinds of people, who get the virus, who make the virus, and who are smart enough to make the virus but do not want to waste time on that.

The last two don’t need to be informed about viruses because of obvious reasons, but the first group is kinda lost and they need this.

Me personally I fall into group 3, and I think you too, so…

[vepthy]

@cyaxrex I guess this needs to be away from our eyes since we usually have three kinds of people, who get the virus, who make the virus, and who are smart enough to make the virus but do not want to waste time on that.

The last two don’t need to be informed about viruses because of obvious reasons, but the first group is kinda lost and they need this.

Me personally I fall into group 3, and I think you too, so…

Yeah, sorry for pinging you again.

[cyaxrex]

It’s getting even scarier. Check out my new edit.

It’s scary seeing where your IP/other data goes when you click on a file from a buyer…

It’s scary seeing where your IP/other data goes when you click on a file from a buyer

That’s nothing. I keep tabs on my neighbors CCTV and know the adult entertainment preferences of most people in my street. If we lived next door, I’d know more about you than your mother.

The last two don’t need to be informed about viruses

Everyone needs to be informed about viruses and cybersecurity. Pretty much 99% of people are walking around naked online.

That said, possibly someone could write a guide to cybersecurity as a freelancer and pitch it to the Fiverr blog as a bit of a marketing tactic. :thinking:

[vepthy]

It’s scary seeing where your IP/other data goes when you click on a file from a buyer

That’s nothing. I keep tabs on my neighbors CCTV and know the adult entertainment preferences of most people in my street. If we lived next door, I’d know more about you than your mother.

The last two don’t need to be informed about viruses

Everyone needs to be informed about viruses and cybersecurity. Pretty much 99% of people are walking around naked online.

That said, possibly someone could write a guide to cybersecurity as a freelancer and pitch it to the Fiverr blog as a bit of a marketing tactic. :thinking:

That’s nothing. I keep tabs on my neighbors CCTV and know the adult entertainment preferences of most people in my street. If we lived next door, I’d know more about you than your mother.

Yeah, I’ve been into cybersecurity quite a while and it’s scary what can you see/learn… on there.

[marinapomorac]

It’s scary seeing where your IP/other data goes when you click on a file from a buyer

That’s nothing. I keep tabs on my neighbors CCTV and know the adult entertainment preferences of most people in my street. If we lived next door, I’d know more about you than your mother.

The last two don’t need to be informed about viruses

Everyone needs to be informed about viruses and cybersecurity. Pretty much 99% of people are walking around naked online.

That said, possibly someone could write a guide to cybersecurity as a freelancer and pitch it to the Fiverr blog as a bit of a marketing tactic. :thinking:

Pretty much 99% of people are walking around naked online.

Well, I know where I am 😃

[alyonagrapie]

I am very paranoid about that stuff. It doesn’t help that in graphics & design nearly every BR has attachments.
Had a buyer request pop up about an hour ago in photo editing category. The request itself looked legit, but there was a text document attached. In the document there was a shortened link with something along the lines of “I want something similar to this picture I found on the internet, check it out”.
Uhuh. Not suspicious at all.
I did not investigate the link, but I’m 99% sure that in best case scenario it’s just some spam, but could be much worse.