| OnlyFun | |
| --- | --- |
| Type of Malware | Dropper |
| Date of Initial Activity | 2024 |
| Motivation | Data Theft |
| Attack Vectors | Phishing |
| Type of Information Stolen | Login Credentials |
| Targeted Systems | Windows |
Overview
In the ever-evolving world of cybercrime, the lines between predator and prey are often blurred. A recent investigation by Veriti Research sheds light on a chilling twist in the hacker ecosystem, where a campaign targeting OnlyFans users has turned the tables, exposing how cybercriminals can unknowingly fall victim to their own malicious tools. The campaign, cleverly named OnlyFun, has ensnared a number of would-be hackers, who were tricked into infecting themselves with malware while attempting to exploit stolen OnlyFans credentials.
The scheme, which began on a popular hacking forum, saw a user named “Bilalkhanicom” offering a seemingly innocuous tool designed to “check” the validity of stolen OnlyFans accounts. In the eyes of many cybercriminals, this tool was a golden opportunity to make a quick profit by verifying the worth of hacked accounts. However, unbeknownst to these hackers, the tool was actually a sophisticated delivery mechanism for malware, which ultimately infected both innocent users and aspiring cybercriminals.
Targets
Individuals
How they operate
The OnlyFun malware campaign, which has ensnared unsuspecting victims and cybercriminals alike, hinges on a sophisticated piece of malware known as Lummac Stealer. Initially presented as a tool for verifying the validity of stolen OnlyFans accounts, the malware cleverly camouflages its true intent, offering an easy entry point for cybercriminals looking to exploit compromised credentials. However, once activated, Lummac Stealer reveals its true nature: an insidious and highly capable threat that operates on multiple levels, collecting sensitive data and propagating itself to unsuspecting users.
Lummac Stealer, first seen in August 2022, is an advanced form of malware that employs an efficient and hard-to-detect coding framework. Written in the C programming language, the malware is designed to be both lightweight and stealthy, making it a formidable adversary for cybersecurity professionals. Unlike many simpler strains of malware, Lummac operates with a high degree of technical sophistication, incorporating various methods to evade detection and ensure the successful exfiltration of stolen data. Its ability to target sensitive information across multiple systems, including cryptocurrency wallets and two-factor authentication (2FA) extensions, sets it apart as a significant threat in the cybercrime ecosystem.
Once the malware is executed, it connects to a Command and Control (C2) server disguised with the user agent “TeslaBrowser/5.5,” ensuring that the communication between the infected machine and the attacker’s server goes unnoticed. Lummac Stealer is capable of exfiltrating a wide array of information, ranging from login credentials and financial data to sensitive system configurations. Additionally, it is equipped with advanced loader capabilities, allowing it to deploy additional malicious payloads, including executable files (EXE), dynamic-link libraries (DLL), and PowerShell scripts. This versatility ensures that Lummac Stealer can evolve in response to cybersecurity measures, adapting its methods to continue its exploitation of vulnerable systems.
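The fixed “TeslaBrowser/5.5” user agent is a usable detection handle for defenders: a web proxy or egress log can be swept for it. The following is an added example, not code from Veriti Research or from the malware; the log format, the function names and the IP addresses are constructed for illustration.

```python
import re
from dataclasses import dataclass, field
from urllib.parse import urlsplit

# User-agent string the report attributes to Lummac Stealer's C2 traffic.
LUMMAC_USER_AGENT = "TeslaBrowser/5.5"

# Constructed sample proxy log (assumed format, not real traffic):
# <timestamp> <src_ip> <method> <url> <status> "<user-agent>"
SAMPLE_LOG = """\
2024-09-05T10:14:02Z 10.0.4.21 POST http://198.51.100.7/api 200 "TeslaBrowser/5.5"
2024-09-05T10:14:05Z 10.0.4.21 POST http://198.51.100.7/api 200 "TeslaBrowser/5.5"
2024-09-05T10:14:09Z 10.0.4.33 GET https://example.com/ 200 "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"
this line is malformed and must be skipped by the parser
2024-09-05T10:15:41Z 10.0.4.21 GET https://example.com/ 200 "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"
2024-09-05T10:16:00Z 10.0.4.40 POST http://203.0.113.9/c2 200 "teslabrowser/5.5"
"""

LOG_RE = re.compile(
    r'^(?P<ts>\S+) (?P<src>\S+) (?P<method>\S+) (?P<url>\S+) (?P<status>\d{3}) "(?P<ua>[^"]*)"$'
)


@dataclass
class Hit:
    """Aggregated evidence for one internal source address."""
    src: str
    count: int = 0
    first_seen: str = ""
    last_seen: str = ""
    destinations: set = field(default_factory=set)


def parse_line(line):
    """Return the fields of one log line as a dict, or None if it does not match the format."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def find_lummac_c2(log_text):
    """Return {src_ip: Hit} for every source whose requests carried the Lummac user agent."""
    hits = {}
    for line in log_text.splitlines():
        rec = parse_line(line)
        # Case-insensitive exact match on the whole UA string, so a generic "Tesla" substring is not enough.
        if rec is None or rec["ua"].strip().casefold() != LUMMAC_USER_AGENT.casefold():
            continue
        hit = hits.setdefault(rec["src"], Hit(src=rec["src"], first_seen=rec["ts"]))
        hit.count += 1
        hit.last_seen = rec["ts"]
        hit.destinations.add(urlsplit(rec["url"]).hostname)
    return hits
```

Each Hit gives the triage team the count, time window and distinct C2 hosts per source address, which is what an analyst needs to scope the infected machines and block the destinations.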
One of the most concerning aspects of Lummac Stealer’s operation is its ability to embed itself deeply within a victim’s system. It does so by exploiting various vulnerabilities and creating exclusions that make it difficult to detect and remove. Once embedded, it can function undisturbed for extended periods, allowing cybercriminals to siphon off valuable data over time. The malware also utilizes sophisticated techniques to avoid detection by traditional security software, further enhancing its stealth. This combination of technical sophistication and operational versatility makes Lummac Stealer a formidable weapon in the arsenal of cybercriminals, while also highlighting the dangers inherent in using seemingly innocuous tools in the cybercrime world.