A fake OnlyFans “checker” tool, which claims to help with account theft, is being used by hackers to target other hackers. Instead of doing what it advertises, it infects the threat actors who run it with the Lumma information-stealing malware.
The operation was uncovered by Veriti Research and is a prime illustration of how hard it can be to tell predator from victim in the world of cybercrime, where backstabbing and ironic turns abound.
“Checking” into a Lumma infection
On the hugely successful adult content subscription site OnlyFans, creators can make money from consumers (called “fans”) who pay to access their work.
Subscribers pay a one-time or recurring subscription for access to unique content, and creators can share with them photographs, videos, messages, and live streams.
Because OnlyFans accounts are so popular, threat actors frequently target them in an effort to steal fan money, demand ransom payments from the account owner, or just release private images.
Large sets of stolen login credentials (username and password pairs) can be validated with a “checker” tool, which tests whether each pair still works and whether it matches an OnlyFans account.
Without such tools, cybercriminals would have to test thousands of credential pairs by hand, a laborious and practically impossible process that would make the scheme unworkable.
Because these tools are usually built by other cybercriminals, hackers come to assume they are safe to use, and that assumption can backfire.
Veriti found one such case: an OnlyFans checker that promised to verify credentials, check account balances, validate payment methods, and determine creator rights, but instead installed the Lumma information-stealing malware.
The payload, “brtjgjsefd.exe,” is retrieved from a GitHub repository and installed onto the victim’s PC. Lumma is an information-stealing malware-as-a-service (MaaS) that hackers have been renting since 2022 for $250–$1000 per month. It is delivered through a variety of channels, including malvertising, YouTube comments, torrents, and, more recently, GitHub comments.
This advanced data stealer uses creative evasion techniques and can restore expired Google session tokens. It is best known for harvesting credit card numbers, passwords, cryptocurrency wallets, and two-factor authentication codes saved in the victim’s browser and on the file system.
Lumma can also act as a loader, running PowerShell scripts and injecting additional payloads into the compromised machine.
A broader deception operation
Veriti discovered that the Lumma Stealer payload connects to a GitHub account with the username “UserBesty,” which the campaign’s operator uses to host other malicious payloads.
In particular, the executables in the GitHub repository pose as checkers for Instagram and Disney+ accounts and as a Mirai botnet builder:
- Disney+ account thieves are targeted with “DisneyChecker.exe”
- Instagram hackers are lured by “InstaCheck.exe”
- Wannabe botnet creators are lured with “ccMirai.exe”
After delving further into the malware’s communications, the researchers at Veriti discovered a collection of “.shop” domains that served as C2 (command and control) servers, giving Lumma instructions and accepting the data that had been stolen.
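For defenders, the indicators the article gives (the payload and lure filenames, the GitHub account hosting them, and the “.shop” C2 domains) are enough to build a simple hunting rule. The script below is an added example, not code from Veriti or from the article; it assumes a constructed key=value log format with process-creation, DNS and outbound-URL events, and the sample events, the host names and the repository name are constructed for illustration. It flags single indicators and then reports the hosts that show the full chain of a lure execution or download followed by a .shop DNS lookup.

```python
import re

# Indicators taken from the article: the Lumma payload name, the lure filenames
# hosted alongside it, the GitHub account used for hosting, and the C2 TLD.
LURE_FILENAMES = {"brtjgjsefd.exe", "disneychecker.exe", "instacheck.exe", "ccmirai.exe"}
HOSTING_ACCOUNT = "userbesty"
C2_TLD = ".shop"

# Constructed sample telemetry (not real logs). type=proc is a process start,
# type=dns a DNS query, type=http an outbound URL request.
SAMPLE_EVENTS = [
    "2024-09-05T10:01:12Z host=ws-17 type=proc image=C:\\Users\\a\\Downloads\\brtjgjsefd.exe parent=explorer.exe",
    "2024-09-05T10:01:14Z host=ws-17 type=dns query=example-c2.shop",
    "2024-09-05T10:00:58Z host=ws-17 type=http url=https://github.com/UserBesty/example-repo/raw/main/InstaCheck.exe",
    "2024-09-05T10:02:00Z host=ws-22 type=dns query=updates.example.com",
    "2024-09-05T10:02:30Z host=ws-22 type=proc image=C:\\Windows\\System32\\notepad.exe parent=explorer.exe",
    "2024-09-05T10:03:00Z host=ws-22 type=proc image=C:\\Temp\\ccmirai.exe parent=powershell.exe",
]

KV_RE = re.compile(r'(\w+)=(\S+)')


def parse_event(line):
    """Split one log line into a dict of key=value fields plus its timestamp."""
    fields = dict(KV_RE.findall(line))
    fields["ts"] = line.split(" ", 1)[0]
    return fields


def match_event(ev):
    """Return (indicator, detail) hits for one event; an empty list if clean."""
    hits = []
    kind = ev.get("type")
    if kind == "proc":
        # Compare only the basename so the download directory does not matter.
        name = ev.get("image", "").replace("\\", "/").rsplit("/", 1)[-1].lower()
        if name in LURE_FILENAMES:
            hits.append(("lure_filename", name))
    elif kind == "dns":
        query = ev.get("query", "").lower()
        if query.endswith(C2_TLD):
            hits.append(("c2_tld", query))
    elif kind == "http":
        url = ev.get("url", "").lower()
        if "github.com/" + HOSTING_ACCOUNT + "/" in url:
            hits.append(("hosting_account", url))
        fname = url.rsplit("/", 1)[-1]
        if fname in LURE_FILENAMES:
            hits.append(("lure_filename", fname))
    return hits


def hunt(lines):
    """Group indicator hits by host: {host: [(ts, indicator, detail), ...]}."""
    findings = {}
    for line in lines:
        ev = parse_event(line)
        for indicator, detail in match_event(ev):
            findings.setdefault(ev["host"], []).append((ev["ts"], indicator, detail))
    for host in findings:
        findings[host].sort()  # chronological order per host
    return findings


def hosts_with_chain(findings):
    """Hosts that both ran/fetched a lure file and resolved a .shop domain."""
    chained = []
    for host, hits in findings.items():
        kinds = {indicator for _, indicator, _ in hits}
        if "lure_filename" in kinds and "c2_tld" in kinds:
            chained.append(host)
    return sorted(chained)


if __name__ == "__main__":
    results = hunt(SAMPLE_EVENTS)
    for host, hits in sorted(results.items()):
        for ts, indicator, detail in hits:
            print(f"{host} {ts} {indicator}: {detail}")
    print("hosts with full chain:", hosts_with_chain(results))
```

The .shop TLD on its own is a weak indicator, since plenty of legitimate sites use it, which is why the script reports it as a single hit but only escalates a host when the lookup is paired with one of the lure filenames or the hosting account. In a real deployment the filename and account strings would be maintained as a threat-intelligence list rather than hard-coded.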
This is not the first campaign in which threat actors have targeted other hackers. In March 2022, hackers used clipboard stealers posing as hacked RATs and malware-building tools against other hackers in order to steal bitcoin.
Later that year, a malware creator used a backdoor in their own program to steal bitcoin wallets, VPN account details, and credentials from other hackers.