
Hackers Found Offering a "Free OnlyFans Viewer" App: Do Not Install It

Horny folks, don't be fooled. Hackers have been found giving away a supposedly free OnlyFans viewing app. Install it and you are immediately infected with the CRPx0 malware.

According to a report on the website Security Week, a distribution campaign for a cryptocurrency-stealing malware called CRPx0 has been detected. Besides stealing crypto coins, it can also exfiltrate data and then deploy ransomware on the victim's machine. The malware runs on both Windows and macOS, and a team from Aryaka Threat Research Labs found that a Linux version is under development, since the malware is sold through its own website. There it is offered for US$500 (about 16,227.25 baht), and the site boasts 38 victims so far: the stolen data of 23 victims has been published, while 15 others avoided publication because they paid the ransom. The total volume of stolen data that has been or is being released is stated as 10,839 TB.

The research team explained that the hackers behind this campaign lure victims through social engineering: they promise free accounts for the popular adult-content platform OnlyFans, targeting people who want to view the platform without paying (the source does not say whether the lure is sent by email or hosted on fake websites, but suspects the latter). The lure leads to a file named OnlyfansAccounts.zip that claims to contain OnlyFans accounts giving access to paid content.

When the archive is extracted, it contains a Windows shortcut file (.lnk) named Onlyfans Accounts.lnk. If the victim opens it, they are shown a decoy text file, Account.txt, headed "50 working Onlyfans accounts" and listing supposed usernames and passwords for compromised accounts. In the background, the shortcut downloads and installs the malware. Once installed, the malware contacts its command-and-control (C2) server, collects information about the system environment, and establishes persistence on the machine. It can also check for new versions of itself and update automatically.

The malware's operation is divided into three parts:

Cryptocurrency theft: the malware watches the clipboard and replaces any cryptocurrency wallet address it finds with the hacker's own address, so that the victim unknowingly transfers funds to the wrong destination.
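Clipboard address swapping of this kind leaves a very recognisable trace: a wallet address is copied, and a fraction of a second later the clipboard holds a different address of the same format, set by a process other than the one the user copied from. The following is an added example (not code from the report or from the malware) of detection logic run over a clipboard-history log. The event records, the process names and the two-second window are constructed assumptions for the demo; on a real Windows host the owner field would come from GetClipboardOwner and the history from a clipboard-monitoring agent.

```python
import re
from dataclasses import dataclass

# Address formats checked here (assumption: the report does not say which coins
# CRPx0 swaps, so BTC and ETH are used as the two most common examples).
ADDRESS_PATTERNS = {
    "btc": re.compile(r"^(?:bc1[02-9ac-hj-np-z]{11,71}|[13][a-km-zA-HJ-NP-Z1-9]{25,34})$"),
    "eth": re.compile(r"^0x[0-9a-fA-F]{40}$"),
}


def address_type(text: str):
    """Return 'btc', 'eth' or None depending on whether text looks like a wallet address."""
    for name, pattern in ADDRESS_PATTERNS.items():
        if pattern.match(text.strip()):
            return name
    return None


@dataclass
class ClipEvent:
    ts: float      # seconds since some epoch, from the clipboard monitor
    owner: str     # process that set the clipboard (hypothetical field)
    content: str


def detect_swaps(events, max_gap: float = 2.0):
    """Flag clipboard writes that replace one wallet address with another of the
    same type within max_gap seconds, coming from a different process than the
    original copy. Returns a list of (original, replacement, owner) tuples."""
    alerts = []
    prev = None
    for ev in events:
        kind = address_type(ev.content)
        if prev is not None and kind is not None and address_type(prev.content) == kind:
            same_text = prev.content.strip() == ev.content.strip()
            quick = ev.ts - prev.ts <= max_gap
            if not same_text and quick and ev.owner != prev.owner:
                alerts.append((prev.content.strip(), ev.content.strip(), ev.owner))
        prev = ev
    return alerts


# Constructed clipboard history for the demo; the addresses are well-known
# example addresses, the process names and timings are invented.
SAMPLE_EVENTS = [
    ClipEvent(100.0, "chrome.exe", "hello"),
    ClipEvent(105.0, "chrome.exe", "bc1qar0srrr7xfkvy5l643lydnw9re59gtzzwf5mdq"),
    ClipEvent(105.3, "svchost.exe", "bc1qw508d6qejxtdg4y5r3zarvary0c5xw7kv8f3t4"),  # swapped 0.3s later
    ClipEvent(130.0, "chrome.exe", "0xd8dA6BF26964aF9D7eEd9e03E53415D37aA96045"),
    ClipEvent(140.0, "chrome.exe", "0x742d35Cc6634C0532925a3b844Bc454e4438f44e"),  # user copied another address
]

if __name__ == "__main__":
    for original, replacement, owner in detect_swaps(SAMPLE_EVENTS):
        print(f"clipboard hijack suspected: {owner} replaced {original} with {replacement}")
```

The ETH pair at the end is deliberately not flagged: it was set by the same process ten seconds apart, which is what a user copying two different addresses looks like. Tune `max_gap` downward if the monitor delivers precise timestamps; a clipboard hijacker polling the clipboard typically rewrites it within well under a second.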

Data exfiltration: the C2 server specifies which file types to steal. These cover documents, media files, software source code, and design and engineering files, which the malware then smuggles off the machine to the C2 server.

Ransomware: once the data has been stolen, the C2 server sends an encryption command that makes the malware download a payload called crypter.py and run it on the machine. The ransomware then generates a unique key and uses the Fernet scheme (AES-CBC with an HMAC tag) to encrypt the victim's files, marking them with the "crpx0" extension, while skipping system folders so that the operating system keeps running. Finally it drops a ransom note in three languages (English, Russian and Chinese) directing the victim to contact the hackers by email, qTox or Telegram to pay the ransom.
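Because crypter.py uses Fernet, every encrypted file has a fixed container layout that can be parsed without the key: base64url of a version byte 0x80, a 64-bit big-endian timestamp, a 16-byte IV, the AES-CBC ciphertext and a 32-byte HMAC-SHA256 tag. That timestamp is set when each file is encrypted, so it gives an incident responder a per-file encryption timeline for free. The following is an added example for triaging a hit host, written here and not taken from the report or the malware; it assumes the ransomware appends ".crpx0" to file names, and the sample files are constructed with the real Fernet framing but placeholder ciphertext, since triage never needs to decrypt.

```python
import base64
import binascii
import hashlib
import hmac
import struct
from datetime import datetime, timezone

FERNET_VERSION = 0x80
MIN_TOKEN_RAW = 1 + 8 + 16 + 16 + 32   # version, timestamp, IV, one AES block, HMAC
RANSOM_EXT = ".crpx0"                   # assumption: appended to the original name


def parse_fernet_token(blob: bytes):
    """Split a Fernet token into its fields without knowing the key.
    Returns None when the blob does not have the Fernet shape."""
    try:
        raw = base64.urlsafe_b64decode(blob)
    except (ValueError, binascii.Error):
        return None
    if len(raw) < MIN_TOKEN_RAW or raw[0] != FERNET_VERSION:
        return None
    ciphertext = raw[25:-32]
    if len(ciphertext) % 16:            # CBC output is always whole AES blocks
        return None
    return {
        "timestamp": struct.unpack(">Q", raw[1:9])[0],
        "iv": raw[9:25],
        "ciphertext": ciphertext,
        "mac": raw[-32:],
        "signed": raw[:-32],            # the bytes the HMAC covers
    }


def mac_matches(parsed, fernet_key_b64: bytes) -> bool:
    """Test a candidate 32-byte (base64url) Fernet key against a parsed token.
    Fernet signs with the first 16 key bytes; a match confirms a key recovered
    from the crypter script or process memory belongs to this victim."""
    key = base64.urlsafe_b64decode(fernet_key_b64)
    tag = hmac.new(key[:16], parsed["signed"], hashlib.sha256).digest()
    return hmac.compare_digest(tag, parsed["mac"])


def triage(files: dict):
    """files maps path -> content. Returns (path, verdict, encrypted_at_utc) rows."""
    rows = []
    for path, data in sorted(files.items()):
        parsed = parse_fernet_token(data) if path.endswith(RANSOM_EXT) else None
        if parsed:
            when = datetime.fromtimestamp(parsed["timestamp"], tz=timezone.utc).isoformat()
            rows.append((path, "fernet-encrypted", when))
        elif path.endswith(RANSOM_EXT):
            rows.append((path, "renamed-but-not-fernet", None))
        else:
            rows.append((path, "untouched", None))
    return rows


def make_demo_token(key_b64: bytes, ts: int, blocks: int = 2) -> bytes:
    """Constructed for this demo only: correct Fernet framing and a valid HMAC,
    but the ciphertext is filler, so nothing here encrypts real data."""
    body = bytes([FERNET_VERSION]) + struct.pack(">Q", ts) + bytes(range(16)) + b"\x42" * (16 * blocks)
    key = base64.urlsafe_b64decode(key_b64)
    return base64.urlsafe_b64encode(body + hmac.new(key[:16], body, hashlib.sha256).digest())


DEMO_KEY = base64.urlsafe_b64encode(bytes(range(32)))   # constructed key
WRONG_KEY = base64.urlsafe_b64encode(bytes(32))          # a key that should not verify

# Constructed file set: two encrypted documents, one file that was only renamed,
# and a system file the ransomware skips.
DEMO_FILES = {
    "C:/Users/victim/Documents/thesis.docx.crpx0": make_demo_token(DEMO_KEY, 1700000000),
    "C:/Users/victim/Pictures/holiday.jpg.crpx0": make_demo_token(DEMO_KEY, 1700000042, blocks=5),
    "C:/Users/victim/Desktop/notes.txt.crpx0": b"not really encrypted, just renamed",
    "C:/Windows/System32/kernel32.dll": b"MZ\x90\x00 placeholder bytes",
}

if __name__ == "__main__":
    for path, verdict, when in triage(DEMO_FILES):
        print(f"{verdict:24} {when or '-':26} {path}")
```

Sorting the "fernet-encrypted" rows by their timestamp reconstructs the order in which crypter.py walked the file system, which helps bound when the C2 issued the encryption command and therefore when exfiltration must have finished. The timestamps come from the attacker's process, so they are only as trustworthy as the host clock at the time.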

