Cybersecurity researchers at Veriti Research have uncovered a campaign in which hackers become victims of their own tactics: a fake OnlyFans account hacking tool that infects the criminals who run it with the Lumma infostealer. The case highlights a risk built into the cybercriminal ecosystem, where tooling is bought and downloaded from people who have every incentive to backdoor it.
The Lure of OnlyFans and the Rise of Account Checker Tools
OnlyFans, a popular content subscription service, has become a prime target for cybercriminals seeking to take over user accounts. Attackers aim to steal subscriber payments, blackmail account owners, or leak private content. To do this at scale they rely on account checker tools: programs that replay stolen username and password pairs against the service in bulk (credential stuffing) and report which ones still work, often along with account balance and stored payment details.
These tools are central to the business, since manually testing thousands of credential pairs would be impractical. They are also written and sold by other criminals, and the trust placed in them is exactly what this campaign abused.
The Trojan Horse: A Malicious OnlyFans Account Checker
Veriti Research identified a fraudulent OnlyFans account checker tool that claimed to verify credentials, account balances, and payment methods. In reality, this tool was a vector for deploying the Lumma malware onto the systems of unsuspecting cybercriminals.
Understanding Lumma: A Sophisticated Threat
Lumma is a Malware-as-a-Service (MaaS) infostealer that has been active since 2022. Sold in tiers priced between $250 and $1,000 per month, it advertises evasion features and claims to be able to restore expired Google session cookies so that stolen sessions stay usable. Its capabilities include:
- Stealing two-factor authentication codes
- Extracting cryptocurrency wallet data
- Harvesting passwords, cookies, and banking information from browsers and file systems
- Acting as a loader for additional malicious payloads
- Executing PowerShell scripts
The Infection Chain: From GitHub to Victim Systems
In this particular case, the Lumma payload (brtjgjsefd.exe) was downloaded from a GitHub repository and executed on the victim's machine. Once running, the malware reached out to a GitHub account named UserBesty, whose repositories hosted additional malicious files.
Researchers found executables in that account's repositories that mimicked account checkers for other popular platforms such as Disney+ and Instagram, as well as a Mirai botnet builder. The same operator was therefore baiting several different criminal audiences with the same trick, not just OnlyFans credential checkers.
Command and Control Infrastructure
Further investigation revealed a cluster of .shop domains serving as command and control (C2) servers for the Lumma sample. Infected systems beaconed to these servers, received commands, and exfiltrated stolen data to them. The TLD by itself is far too broad to block outright, which is why it is most useful as one signal correlated with host-level evidence such as a freshly downloaded executable initiating the connection.
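The infection chain above has two observable stages: an executable fetched from GitHub and run from a user-writable directory, then, minutes later, outbound traffic from that same executable to a .shop domain. The following is an added example, not code from Veriti's report or from Lumma's operators, showing how a detection engineer might correlate those two stages over endpoint telemetry. The key=value log format, the host names, the example-org GitHub URL, the example-c2.shop and other destination domains, and the timestamps are all constructed for the example; only the payload file name brtjgjsefd.exe comes from the article.

```python
"""
Correlate two weak signals from the Lumma chain into one alert:
  A) an executable downloaded from GitHub to a user-writable path, and
  B) that same executable opening a connection to a .shop domain
     within WINDOW of the download.
Either signal alone is noisy (developers fetch tools from GitHub, .shop
hosts real storefronts); both together on one host merit triage.
"""
import re
from datetime import datetime, timedelta
from urllib.parse import urlparse

GITHUB_HOSTS = {"github.com", "raw.githubusercontent.com",
                "objects.githubusercontent.com"}
SUSPECT_TLDS = {"shop"}          # from the article's C2 observation
WINDOW = timedelta(minutes=15)   # assumption: tune to your environment

# Constructed sample telemetry (not a real EDR export). Backslashes are
# doubled only because this is a Python string literal.
SAMPLE_LOG = """\
2024-09-05T10:01:12Z host=WS-07 type=download url=https://github.com/example-org/checker/releases/download/v1/brtjgjsefd.exe path=C:\\Users\\op\\Downloads\\brtjgjsefd.exe
2024-09-05T10:01:40Z host=WS-07 type=netconn image=C:\\Users\\op\\Downloads\\brtjgjsefd.exe dest=api.github.com
2024-09-05T10:02:05Z host=WS-07 type=netconn image=C:\\Users\\op\\Downloads\\brtjgjsefd.exe dest=example-c2.shop
2024-09-05T10:03:00Z host=WS-07 type=netconn image=C:\\Mozilla\\firefox.exe dest=legit-store.shop
2024-09-05T11:30:00Z host=WS-12 type=download url=https://github.com/example-org/tool/releases/download/v2/tool.exe path=C:\\Users\\dev\\Downloads\\tool.exe
2024-09-05T13:00:00Z host=WS-12 type=netconn image=C:\\Users\\dev\\Downloads\\tool.exe dest=late.shop
"""

FIELD = re.compile(r"(\w+)=(\S+)")


def parse_line(line):
    """Parse 'TIMESTAMP key=value key=value ...' into a dict."""
    ts_str, rest = line.split(" ", 1)
    ev = dict(FIELD.findall(rest))
    ev["ts"] = datetime.strptime(ts_str, "%Y-%m-%dT%H:%M:%SZ")
    return ev


def parse_log(text):
    return [parse_line(l) for l in text.splitlines() if l.strip()]


def is_github_url(url):
    return urlparse(url).hostname in GITHUB_HOSTS


def tld(domain):
    return domain.rstrip(".").rsplit(".", 1)[-1].lower()


def correlate(events):
    """Return (host, image, dest) for every .shop connection made by an
    executable that the same host fetched from GitHub within WINDOW."""
    events = sorted(events, key=lambda e: e["ts"])
    fetched = {}   # (host, lowercased path) -> download time
    alerts = []
    for e in events:
        if e["type"] == "download" and is_github_url(e["url"]):
            fetched[(e["host"], e["path"].lower())] = e["ts"]
        elif e["type"] == "netconn" and tld(e["dest"]) in SUSPECT_TLDS:
            t0 = fetched.get((e["host"], e["image"].lower()))
            if t0 is not None and e["ts"] - t0 <= WINDOW:
                alerts.append((e["host"], e["image"], e["dest"]))
    return alerts


if __name__ == "__main__":
    for host, image, dest in correlate(parse_log(SAMPLE_LOG)):
        print(f"ALERT {host}: {image} -> {dest}")
```

On the sample data only WS-07's brtjgjsefd.exe fires: the Firefox connection to a .shop storefront has no matching GitHub download, and WS-12's tool.exe reaches its .shop destination 90 minutes after download, outside the window. In production the download stage would come from browser or proxy logs and the connection stage from EDR or DNS telemetry keyed on the initiating process; the correlation logic stays the same.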
A Recurring Theme in the Criminal Underworld
This incident is not isolated. Similar cases of “hacker-on-hacker” attacks have been documented previously. In 2022, malware disguised as cracked Remote Access Trojans (RATs) and malware development tools circulated on hacking forums. Another notable example involved the creator of Prynt Stealer malware, who implemented a backdoor to siphon stolen data from the malware’s operators.
These events underscore a critical lesson in cybersecurity: trust is a scarce commodity in the digital underground. Even seasoned cybercriminals can fall victim to their peers’ deceptions, demonstrating the inherent risks of engaging in illicit online activities. For legitimate users and organizations, this serves as a stark reminder of the importance of robust cybersecurity practices and the dangers of using unauthorized tools or accessing dubious online resources.