Fake OnlyFans account validator steals loot from account crackers

Veriti researchers warn of a malicious campaign targeting members of the cyber underground with a fake OnlyFans account checker: the tool claims to validate stolen OnlyFans credentials, but in fact infects the people operating it with Lumma Stealer.

Given OnlyFans' popularity and the nature of its content, its users are frequent targets of attacks aimed at account theft, typically followed by ransom demands or the leaking of private content.

The advertised tool is meant to process large sets of stolen credentials ("creds"), checking whether each pair is still valid and can be used to log in to the corresponding OnlyFans account.

Veriti found that one such OnlyFans checker, advertised as verifying login data, account balances, payment methods and creator status, instead delivered Lumma Stealer, which has been sold as malware-as-a-service (MaaS) since 2022 for $250-1,000 per month.

Lumma is a fairly advanced infostealer with novel evasion mechanisms and loader functionality that can drop additional payloads onto the compromised system and execute PowerShell scripts.

The payload, a file named brtjgjsefd.exe, is fetched from a GitHub repository and written to the victim's machine.

Once executed, Lumma Stealer connects to a GitHub account named UserBesty, which the attacker uses to host further malicious payloads.

Closer examination of the malware's network traffic revealed a set of .shop domains acting as C2 servers, issuing commands to Lumma and receiving the exfiltrated data.
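As an added illustration (not part of Veriti's report or of this post), the script below applies the indicators described above to proxy log lines: the payload file name brtjgjsefd.exe, the GitHub account UserBesty, and any contact with a .shop domain. The log format, the client addresses, the raw.githubusercontent.com path and the host example-c2.shop are all constructed for the demonstration; the real .shop C2 domains are not named on this page, so that rule matches only the TLD and is deliberately scored lower than the two exact indicators.

```python
import re
from dataclasses import dataclass
from urllib.parse import urlparse

# Indicators taken from the write-up above. The actual .shop C2 domains
# are not published here, so the TLD alone is used as a weak signal.
PAYLOAD_NAME = "brtjgjsefd.exe"
GITHUB_ACCOUNT = "UserBesty"
C2_TLD = ".shop"

# Assumed (constructed) proxy log format: "<timestamp> <client> <METHOD> <url>".
# Adapt this regex to the proxy or DNS log actually in use.
LOG_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<method>[A-Z]+)\s+(?P<url>\S+)")

# Constructed sample log; repository and C2 host names are placeholders.
SAMPLE_LOG = """\
2024-09-05T10:00:01Z 10.0.0.7 GET https://raw.githubusercontent.com/UserBesty/repo/main/brtjgjsefd.exe
2024-09-05T10:00:09Z 10.0.0.7 POST https://example-c2.shop/api
2024-09-05T10:00:12Z 10.0.0.7 GET https://github.com/UserBesty
2024-09-05T10:01:00Z 10.0.0.9 GET https://example.com/index.html
garbage line that does not parse
"""


@dataclass
class Alert:
    line_no: int
    client: str
    host: str
    reason: str
    severity: str


def parse_line(line):
    """Split one log line into its fields, or return None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def classify(method, url):
    """Return (reason, severity) when the request matches a known indicator, else None."""
    parsed = urlparse(url)
    host = (parsed.hostname or "").lower()
    segments = [s for s in parsed.path.split("/") if s]

    # Exact payload file name from the campaign: strongest indicator.
    if segments and segments[-1].lower() == PAYLOAD_NAME:
        return ("download of campaign payload " + PAYLOAD_NAME, "high")

    # GitHub account used to host additional payloads (github.com and the
    # raw content domain both expose the account as the first path segment).
    if host.endswith(("github.com", "githubusercontent.com")):
        if segments and segments[0] == GITHUB_ACCOUNT:
            return ("request to GitHub account " + GITHUB_ACCOUNT, "high")

    # .shop TLD used for C2: a POST (likely exfiltration) is more telling
    # than a plain GET, but neither is conclusive without the domain list.
    if host.endswith(C2_TLD):
        if method == "POST":
            return ("POST to .shop domain (possible C2 exfiltration)", "medium")
        return ("contact with .shop domain (possible C2 beacon)", "low")

    return None


def scan(log_text):
    """Run the indicator checks over every parsable line and collect alerts."""
    alerts = []
    for line_no, line in enumerate(log_text.splitlines(), start=1):
        fields = parse_line(line)
        if fields is None:
            continue
        hit = classify(fields["method"], fields["url"])
        if hit is None:
            continue
        reason, severity = hit
        host = urlparse(fields["url"]).hostname or ""
        alerts.append(Alert(line_no, fields["client"], host, reason, severity))
    return alerts


def clients_with_high_alerts(alerts):
    """Clients that should be isolated first: any host with a 'high' hit."""
    return sorted({a.client for a in alerts if a.severity == "high"})


if __name__ == "__main__":
    for a in scan(SAMPLE_LOG):
        print(f"line {a.line_no}: {a.client} -> {a.host}: {a.reason} [{a.severity}]")
    print("isolate first:", clients_with_high_alerts(scan(SAMPLE_LOG)))
```

The file-name check runs before the GitHub check so that a download of the payload from the attacker's repository is reported as the payload download rather than as a generic account hit; the .shop rule is kept separate and low-weight so it can be tightened to an exact domain list once those indicators are known.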

Tools built by cybercriminals for the underground are usually trusted by their intended audience, but as this case shows, that trust is sometimes turned against them.