BIGFISH TECHNOLOGY LIMITED
06 September 2024

Hacker trap: Fake OnlyFans tool undermines crooks and obtains passwords

Hackers are targeting other hackers with a bogus OnlyFans program that purports to help steal accounts but instead infects threat actors with the Lumma information-stealing malware.

The operation, found by Veriti Research, is a prime example of the blurred lines between predator and prey in the realm of cybercrime, where ironic twists and backstabs are common.

 

"Checking" into a Lumma infection

OnlyFans is a prominent subscription-based adult entertainment platform that allows creators to make money from users (known as "fans") who pay for access to their content.

Creators can share films, photographs, messages, and live broadcasts with their members, who pay a monthly fee or a one-time payment for unique material.

Because of their popularity, OnlyFans accounts are frequently targeted by threat actors who seek to hijack them in order to steal fan donations, coerce the account owner into paying a ransom, or simply leak private images.

Checker tools are intended to help validate massive sets of stolen login credentials (usernames and passwords) by determining whether the login information matches any OnlyFans accounts and whether it is still valid.

Without those tools, fraudsters would have to manually test thousands of credential pairs, which would be unfeasible and time-consuming, rendering the technique ineffective.

However, because these tools are frequently written by other cybercriminals, hackers assume they are safe to use, and that trust can backfire.

Veriti uncovered an instance in which an OnlyFans checker claimed to verify credentials, account balances, payment methods, and creator privileges but instead installed the Lumma information-stealing malware.

The payload, named "brtjgjsefd.exe," is downloaded from a GitHub repository and executed on the victim's machine.

Lumma is an information-stealing malware-as-a-service (MaaS) that has been rented to cybercriminals since 2022 for $250-$1000 per month and disseminated through a variety of channels, including malvertising, YouTube comments, torrents, and, more recently, GitHub comments.

It is a sophisticated information stealer with novel evasion strategies and the capacity to recover expired Google session tokens. It is well known for obtaining two-factor authentication codes, cryptocurrency wallets, passwords, cookies, and credit card information from a victim's browser and file system.

Lumma also functions as a loader, able to inject additional payloads into the compromised system and run PowerShell scripts.

A larger deception effort

Veriti discovered that when the Lumma Stealer payload is deployed, it connects to a GitHub account called "UserBesty," which the cybercriminal behind this campaign uses to host further malicious payloads.

Specifically, the GitHub repository contains executables that resemble checkers for Disney+ accounts, Instagram, and an alleged Mirai botnet builder:

  • Disney+ account thieves are targeted with "DisneyChecker.exe".
  • Instagram hackers are attracted by "InstaCheck.exe".
  • Wannabe botnet builders are enticed with "ccMirai.exe".

 

Veriti's researchers discovered a network of ".shop" domains that served as command and control (C2) servers for the malware, giving commands to Lumma and receiving exfiltrated data.
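
The chain described above (an executable fetched from GitHub, executed, then contact with a ".shop" domain) can be hunted for in endpoint and DNS telemetry. The Python below is an added example, not code from Veriti or the original article: the event schema, the 10-minute window, the host names and the placeholder URLs and domains are constructed assumptions, and only the file names and the "UserBesty" account come from the text.

```python
from datetime import datetime, timedelta
from urllib.parse import urlsplit

# File names and account come from the article; schema and sample values are constructed.
LURES = {"brtjgjsefd.exe", "disneychecker.exe", "instacheck.exe", "ccmirai.exe"}
ACCOUNT = "userbesty"
GITHUB = {"github.com", "raw.githubusercontent.com", "objects.githubusercontent.com"}
WINDOW = timedelta(minutes=10)  # assumed correlation window

def correlate(events):
    """Alert on: .exe fetched from GitHub -> executed -> .shop lookup within WINDOW."""
    fetched, running, alerts = {}, {}, []
    for ev in sorted(events, key=lambda e: e["ts"]):
        host, ts = ev["host"], datetime.fromisoformat(ev["ts"])
        if ev["type"] == "download":
            url = urlsplit(ev["url"])
            name = url.path.rsplit("/", 1)[-1].lower()
            if url.hostname in GITHUB and name.endswith(".exe"):
                known = name in LURES or url.path.lower().startswith(f"/{ACCOUNT}/")
                fetched[host, name] = known  # True when it matches the article's names
        elif ev["type"] == "process":
            name = ev["image"].replace("\\", "/").rsplit("/", 1)[-1].lower()
            if (host, name) in fetched:
                running[host] = (ts, name, fetched[host, name])
        elif ev["type"] == "dns" and host in running:
            started, name, known = running[host]
            in_tld = ev["query"].lower().rstrip(".").endswith(".shop")
            if in_tld and ts - started <= WINDOW:
                alerts.append({"host": host, "file": name, "domain": ev["query"],
                               "severity": "high" if known else "medium"})
                del running[host]  # one alert per execution
    return alerts

def event(ts, host, kind, **fields):
    return {"ts": f"2024-09-05T{ts}", "host": host, "type": kind, **fields}

# Constructed telemetry: ws-01 follows the chain, ws-02 and ws-03 do not.
EVENTS = [
    event("10:00:00", "ws-01", "download",
          url="https://github.com/UserBesty/REPO-PLACEHOLDER/raw/main/brtjgjsefd.exe"),
    event("10:00:05", "ws-01", "process", image=r"C:\Users\a\Downloads\brtjgjsefd.exe"),
    event("10:00:20", "ws-01", "dns", query="constructed-placeholder.shop"),
    event("11:00:00", "ws-02", "download",
          url="https://github.com/ORG-PLACEHOLDER/tool/releases/download/v1/setup.exe"),
    event("11:00:30", "ws-02", "process", image=r"C:\Temp\setup.exe"),
    event("11:45:00", "ws-02", "dns", query="constructed-store.shop"),
    event("12:00:00", "ws-03", "dns", query="constructed-store.shop"),
]
if __name__ == "__main__":
    print(correlate(EVENTS))
```

A ".shop" lookup alone is not suspicious, which is why the rule only fires when it follows execution of a GitHub-fetched binary on the same host.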

This isn't the first time threat actors have targeted other hackers with malicious attacks.

In March 2022, hackers used clipboard stealers disguised as hacked RATs and malware-building tools to steal cryptocurrency.

Later that year, a malware developer backdoored their own code to steal credentials, bitcoin wallets, and VPN account information from other hackers.

 

Source: BleepingComputer