Hackers are targeting other hackers with a phony OnlyFans tool that declares to assist take accounts however rather contaminates hazard stars with the Lumma thief information-stealing malware.
The operation, found by Veriti Research, makes up a particular example of the blurred lines in between being a predator or victim worldwide of cybercrime, where paradoxical twists and backstabs are plentiful.
“Checking” into a Lumma infection
OnlyFans is an incredibly popular subscription-based adult material platform where developers can generate income from users (described as “fans”) who spend for access to their material.
Developers can share videos, images, messages, and live streams with their customers, while customers pay a repeating charge or one-time payments for unique material.
Offered its appeal, OnlyFans accounts typically end up being targets of hazard stars who try to pirate them to take fan payments, obtain the account owner to pay a ransom, or just leakage personal images.
Checker tools are developed to assist confirm big sets of taken login qualifications (usernames and passwords), inspecting if the login information match any OnlyFans accounts and whether they're still legitimate.
Without those tools, cybercriminals would need to by hand check out countless credential sets, a not practical and laborious procedure that would render the plan nonviable.
These tools are typically developed by other cybercriminals, triggering hackers to rely on that they are safe to utilize, and in some cases, this backfires.
Veriti found a case of an OnlyFans checker assuring to validate qualifications, examine account balances, confirm payment techniques, and figure out developer advantages however rather set up the Lumma information-stealing malware.
Risk star's checker advertisement on a hacker online forum
Source: Veriti
The payload, called “brtjgjsefd.exe,” is brought from a GitHub repository and packed into the victim's computer system.
Lumma is an information-stealing malware-as-a-service (MaaS) that has actually been leased to cybercriminals because 2022 for $250-$1000/month and dispersed through numerous ways, consisting of malvertising, YouTube remarks, gushes, and, more just recently, GitHub remarks.
It is an innovative info thief with ingenious evasion systems and the capability to bring back ended Google session tokens. It is primarily understood for taking two-factor authentication codes, cryptocurrency wallets, and passwords, cookies, and charge card kept on a victim's internet browser and file system.
Lumma likewise functions as a loader itself, efficient in presenting extra payloads onto the jeopardized system and carrying out PowerShell scripts.
A wider deceptiveness operation
Veriti discovered that when the Lumma Stealer payload is released, it will link to a GitHub account under the name “UserBesty,” which the cybercriminal behind this project utilizes to host other destructive payloads.
Destructive GitHub repository
Source: Veriti
Particularly, the GitHub repository includes executables that look like checkers for Disney+ accounts, Instagram, and an expected Mirai botnet contractor:
- Disney+ account burglars are targeted with “DisneyChecker.exe”
- Instagram hackers are enticed by “InstaCheck.exe”
- Wannabe botnet developers are enticed with “ccMirai.exe”
Digging much deeper into the malware's interactions,
