Hackers are concentrating on different hackers with a pretend OnlyFans software that claims to assist steal accounts however as an alternative infects menace actors with the Lumma stealer information-stealing malware.
The operation, found by Veriti Analysis, constitutes a attribute instance of the blurred traces between being a predator or prey on this planet of cybercrime, the place ironic twists and backstabs are considerable.
“Checking” right into a Lumma an infection
OnlyFans is an especially well-liked subscription-based grownup content material platform the place creators can earn cash from customers (known as “fans”) who pay for entry to their content material.
Creators can share movies, photographs, messages, and stay streams with their subscribers, whereas subscribers pay a recurring price or one-time funds for unique content material.
Given its recognition, OnlyFans accounts usually grow to be targets of menace actors who try to hijack them to steal fan funds, extort the account proprietor to pay a ransom, or just leak non-public images.
Checker instruments are designed to assist validate massive units of stolen login credentials (usernames and passwords), checking if the login particulars match any OnlyFans accounts and whether or not they’re nonetheless legitimate.
With out these instruments, cybercriminals must manually check out hundreds of credential pairs, an impractical and tedious course of that may render the scheme nonviable.
Nonetheless, these instruments are generally created by different cybercriminals, inflicting hackers to belief that they’re protected to make use of, and in some instances, this backfires.
Veriti found a case of an OnlyFans checker promising to confirm credentials, examine account balances, confirm fee strategies, and decide creator privileges however as an alternative put in the Lumma information-stealing malware.
Supply: Veriti
The payload, named “brtjgjsefd.exe,” is fetched from a GitHub repository and loaded into the sufferer’s pc.
Lumma is an information-stealing malware-as-a-service (MaaS) that has been rented to cybercriminals since 2022 for $250-$1000/month and distributed by way of varied means, together with malvertising, YouTube feedback, torrents, and, extra not too long ago, GitHub feedback.
It’s a sophisticated data stealer with progressive evasion mechanisms and the power to restore expired Google session tokens. It’s largely identified for stealing two-factor authentication codes, cryptocurrency wallets, and passwords, cookies, and bank cards saved on a sufferer’s browser and file system.
Lumma additionally doubles as a loader itself, able to introducing further payloads onto the compromised system and executing PowerShell scripts.
A broader deception operation
Veriti discovered that when the Lumma Stealer payload is launched, it is going to hook up with a GitHub account below the identify “UserBesty,” which the cybercriminal behind this marketing campaign makes use of to host different malicious payloads.
Supply: Veriti
Particularly, the GitHub repository comprises executables that resemble checkers for Disney+ accounts, Instagram, and a supposed Mirai botnet builder:
- Disney+ account thieves are focused with “DisneyChecker.exe”
- Instagram hackers are lured by “InstaCheck.exe”
- Wannabe botnet creators are lured with “ccMirai.exe”
Digging deeper into the malware’s communications, Veriti’s researchers discovered a set of “.shop” domains that acted as command and management (C2) servers, sending instructions to Lumma and receiving the exfiltrated information.
This marketing campaign will not be the primary time menace actors have focused different cybercriminals in malicious assaults.
In March 2022, hackers focused hackers with clipboard stealers disguised as cracked RATs and malware-building instruments to steal cryptocurrency.
Later that 12 months, a malware developer backdoored their very own malware to steal credentials, cryptocurrency wallets, and VPN account information from different hackers.
