In a surprising twist of digital irony, researchers have uncovered a sophisticated operation that preys on aspiring OnlyFans hackers as its victims, demonstrating a ruthless cybercrime ecosystem that sometimes cannibalizes itself.
The hacking tool was distributed as an OnlyFans ‘checker’ tool; checker tools offer the ability to test the validity of stolen credentials en masse. This tool, however, was laced with the Lummac Stealer malware.
OnlyFans Checker and Lummac Stealer
The OnlyFans checker tool claims to give cybercriminals the capability to validate stolen username/password combinations, check account balances, verify whether accounts have payment methods attached, and determine whether accounts have creator privileges. However, as the investigation by Veriti’s research team reveals, such tools sometimes function as Trojan horses aimed at the very cybercriminals who download and try to use them.
The researchers note that Lummac Stealer, also known as LummaC2 Stealer, is not run-of-the-mill malware. It first emerged in August 2022, was developed by the threat actor ‘Shamel’/‘Lumma,’ and is offered to the wider cybercriminal audience under a Malware-as-a-Service (MaaS) model.
The technical sophistication of the malware’s operation, its choice of targets, and its advanced loader capabilities make it an advanced threat capable of adapting and evolving its tactics over the course of a campaign.
The researchers further noted that the threat actor ‘Bilalkhanicom’ has launched parallel campaigns targeting cybercriminals who aim to crack Disney+ accounts, Instagram hackers, and even botnet wranglers. The executables distributed in these campaigns aim to flip the script on unsuspecting criminals.
Upon execution, the hidden malware connects to a GitHub account with the username ‘UserBesty,’ which had been created only days earlier. The GitHub account was observed serving as a repository for various additional malicious payloads.
One of these payloads, ‘brtjgjsefd.exe,’ is designed to embed itself deeply within the target’s system environment and to create exclusions in security detection tools, making it even harder to detect and neutralize.
Geopolitical Enigma
In a final twist, the researchers discovered multiple potential geopolitical links hidden deep within the malware’s architecture, with its folder names indicating East Asian, African, Celtic, and Indigenous Latin American roots:
- ‘Hiyang’ and ‘Reyung’ suggest East Asian connections
- ‘Zuka’ suggests African influences
- ‘Lir’ suggests Celtic mythology
- ‘Popisaya’ suggests Indigenous Latin American roots
The researchers were also able to trace the malware’s operational communications to several newly registered .shop domains, each with a high detection rate. Domains such as caffegclasiqwp(.)shop and ponintnykqwm(.)shop served as reliable command-and-control (C2) servers orchestrating the malware’s activities.
The researchers describe this campaign as an act of ingenious cyber-deception that demonstrates that everyone, even cybercriminals, needs to maintain active cybersecurity measures.