In a twist of digital irony, the cyber underworld is facing an unexpected reckoning. Veriti’s cyber research team has uncovered a sophisticated operation that’s turning aspiring OnlyFans hackers into victims, demonstrating that in the ruthless domain of cybercrime, today’s predator can swiftly become tomorrow’s prey.
On a notorious hacking forum, a user named Bilalkhanicom dangled a tantalizing offer: a tool to “check” OnlyFans accounts. For those with nefarious intentions, it seemed too good to be true. Spoiler alert: it was.
What these aspiring cyber-criminals didn’t realize was that they were walking into a trap. The supposed OnlyFans hacking tool was, in fact, a delivery system for a sophisticated malware known as Lummac stealer – happy to infect both innocent users and would-be hackers alike.
The Bait: Demystifying the “Checker” Phenomenon
First, let’s decode the term “checker” in the context of OnlyFans and similar platforms. In the murky waters of cybercrime, a “checker” is a tool designed to verify the validity of stolen credentials en masse. For OnlyFans, these tools allegedly allow criminals to:
- Validate stolen username/password combinations
- Check account balances
- Verify if accounts have payment methods attached
- Determine if accounts have creator privileges
These “checkers” are the digital lockpicks of the modern age, promising easy access to a treasure trove of sensitive information and potential financial gain. However, as our investigation reveals, sometimes these tools are trojan horses, designed to ensnare the very criminals seeking to use them.
The Hook: Lummac Stealer Unleashed
What these cyber-vultures thought was their golden ticket turned out to be a sophisticated delivery mechanism for Lummac stealer, a particularly insidious strain of malware. Let’s dive deep into the anatomy of this digital parasite:
Lummac Stealer: A Closer Look
Lummac Stealer, also known as LummaC2 Stealer, is not your run-of-the-mill malware. Here’s what makes it a nightmare for cybersecurity professionals:
- Origin and Development: Emerging in August 2022, Lummac is the brainchild of a threat actor known as “Shamel” or “Lumma”. It’s distributed through a Malware-as-a-Service (MaaS) model, making it accessible to a wide range of bad actors.
- Technical Sophistication: Written in C language, Lummac represents a high level of coding proficiency, making it both efficient and hard to detect.
- Primary Targets:
- Cryptocurrency wallets
- Two-factor authentication (2FA) browser extensions
- Sensitive information across the victim’s machine
- Exfiltration Method: Stolen data is sent to a Command and Control (C2) server via HTTP POST requests, cleverly disguised using the user agent “TeslaBrowser/5.5”.
- Advanced Loader Capabilities: Lummac features a non-resident loader, capable of delivering additional malicious payloads in various formats:
- Executable files (EXE)
- Dynamic-link libraries (DLL)
- PowerShell scripts
This versatility allows Lummac to adapt and evolve its attack strategy on the fly, making it a formidable threat.
Lummac Stealer, once activated, initiates a connection to a GitHub account recently opened under the name “UserBesty.” The repository is a treasure trove of malicious files, including one named brtjgjsefd.exe, uploaded on August 27, 2024. This file, like many others in the repository, is designed to embed itself deep within the victim’s system, creating exclusions and making it difficult to detect and remove.
The Brutal Irony: A Hacker Ecosystem Cannibalizing Itself
Our research indicates that Bilalkhanicom is not limiting its malicious efforts to OnlyFans. He has launched parallel campaigns, targeting those interested in cracking:
- Disney+ account thieves are baited with “DisneyChecker.exe”
- Instagram hackers are lured by “InstaCheck.exe”
- Aspiring botnet wranglers are teased with “ccMirai.exe”
Each executable is a digital landmine, waiting to flip the script on unsuspecting criminals.
The Technical Rabbit Hole: A Malware Masterclass
Once executed, the malware establishes a connection to a GitHub account named UserBesty—created mere days ago.
This account serves as a repository for various malicious payloads, including the ominously named “brtjgjsefd.exe“.
This file, like many others in the repository, is designed to embed itself deep within the victim’s system, creating exclusions and making it difficult to detect and remove.
The Geopolitical Enigma – a Web of Malicious Domains
In a twist that adds layers of intrigue to an already complex narrative, our researchers uncovered a potential geopolitical link hidden in the malware’s architecture. The folder names used in the malware’s file structure paint a picture of global influences:
- “Hiyang” and “Reyung” whisper of East Asian connections
- “Zuka” echoes African influences
- “Lir” invokes Celtic mythology
- “Popisaya” hints at Indigenous Latin American roots
Our investigation didn’t stop there. We traced the malware’s communication back to a series of recently created .shop domains, all with high detection rates. These domains, such as caffegclasiqwp/.shop and ponintnykqwm/.shop, serve as command-and-control (C2) servers, orchestrating the malware’s activities across infected machines.
The malicious files that had been found are related to other samples from the same malware with the latest IoCs based on the below list:
| Domain | Detections | Created | Registration |
| caffegclasiqwp/.shop | 20/ 94 | 2024-08-23 | – |
| condedqpwqm/.shop | 18/ 94 | 2024-08-23 | – |
| evoliutwoqm/.shop | 16/ 94 | 2024-08-23 | – |
| locatedblsoqp/.shop | 18/ 94 | 2024-08-23 | – |
| millyscroqwp/.shop | 20/ 94 | 2024-08-23 | – |
| ponintnykqwm/.shop | 10/ 94 | 2024-08-26 | – |
| stagedchheiqwo/.shop | 18/ 94 | 2024-08-23 | – |
| stamppreewntnq/.shop | 18/ 94 | 2024-08-23 | – |
| steamcommunity/.com | 0/ 94 | 2006-05-28 | Network Solutions, LLC |
| traineiwnqo/.shop | 20/ 94 | 2024-08-23 | – |
MITRE ATTACK
| Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Collection | Command and Control | Impact |
| Command and Scripting Interpreter | Scheduled Task/Job | Process Injection | Hide Artifacts | Input Capture | Application Window Discovery | Input Capture | Application Layer Protocol | Data Destruction |
| Native API | Scheduled Task/Job | Impair Defenses | Steal Web Session Cookie | File and Directory Discovery | Encrypted Channel | |||
| Scheduled Task/Job | Indirect Command Execution | Process Discovery | Non-Application Layer Protocol | |||||
| Shared Modules | Masquerading | Query Registry | ||||||
| Obfuscated Files or Information | Remote System Discovery | |||||||
| Process Injection | System Information Discovery | |||||||
| Virtualization/Sandbox Evasion | Virtualization/Sandbox Evasion |
The Takeaway: A New Era of Cyber-Deception
As we peel back the layers of this cyber-onion, one thing becomes clear: the lines between predator and prey in the digital realm are blurrier than ever. This case study in cyber-deception doesn’t just showcase the ingenuity of criminals; it highlights the critical need for proactive cybersecurity measures for everyone – yes, even the bad guys.
In this high-stakes digital chess game, it seems the ultimate winner is the one who can think several moves ahead. And for now, that title might just belong to the mysterious mind behind the OnlyFans ‘checker’ scam. Stay safe out there, folks. In the wild west of the internet, not everything – or everyone – is as it seems.
