Celebrity's "Final Words" Fake Video Leads to PUP

Celebrity’s “Final Words” Fake Video Leads to PUP

Exactly a week ago, Raphael Joseph De Mesa Eigenmann, a Filipino actor famously known as Mark Gil, died of cancer, and Facebook scammers have used a so-called video of his last words to perpetuate unwanted applications.

If you see the below post appear on your Facebook feed, whether it came from an acquaintance, a close friend, or a relative, we urge you to ignore it by not clicking the link and privately message your contact to run an antivirus scan on their machine.


Must Watch! What they did after will shock you!

Mark Gil Last Statement Before He Died – Revealed

Content Warning: This Video Footage Contains Scenes That Some Viewers May Find Disturbing

Here are some points to take note of: One, the headline and description of the supposed news clip resonates of click-baiting, a method used by several online businesses to encourage clicks from users that eventually lead to revenue. It’s widely used by popular sites today yet commonly frowned upon; however, it’s also one the bad guys aren’t shy about using.

Two, the URL purporting to be the source of the news is from a fake GMA Network website. The two combined makes an effective campaign against its intended target. At times like this, familiarity can be a friend.

Once users click the link in an attempt to view the fake video, they are taken to the website below:

A scandal

click to enlarge

From a “report” related to death to something suddenly about a sex video scandal, at this point, users may be confused if not more compelled to click the “Play” button. Doing so pops up a tiny box on the middle of the screen, encouraging users to “Share” the video.

Whether the user does this or not, they are then redirected to the site below where they can download VideoPerformerSetup.exe, which we have determined to be a potentially unwanted program (PUP). We have retrieved two samples of the said file and detect them both as PUP.Optional.InstallBrain.A.

The VideoPerformerSetup.exe download

click to enlarge

This isn’t the first time scammers have jumped into the bandwagon of a local hoopla involving TV personalities. Several years ago, malware proponents had used a live, swimsuit slip-up incident of Filipino-Australian actress Anne Curtis Smith to install fake AV onto systems of Internet users who’re too curious to resist watching the video related to it.

Dear Reader, please take care on what you click. More importantly, make sure that you know / bookmark official news site URLs and frequent them to make you more aware and able to pick out the fake from the real ones.

Below are hash values of the samples we’ve retrieved:

  • SHA256: 0af5a2666fb64b0e31e454e9d289126f45ce976bef6761a5dcc153daf869e648
  • SHA256: daf6b525ad349d4490377a512bd2426d69609b5378f857bf9f8bbbd5002347ff

Jovi Umawing


Jovi Umawing

Knows a bit about everything and a lot about several somethings. Writes about those somethings, usually in long-form.