Security researchers have discovered a novel distribution mechanism for popular infostealer malware: a “checker” tool used by hackers to validate stolen credentials.
The checker software in question was being peddled by a user named “Bilalkhanicom” operating on a popular hacking forum, according to Veriti. However, their target for once was not innocent internet users, but other cybercriminals, the firm noted in a blog post.
Lumma Stealer Delivery
The checker tool promoted by Bilalkhanicom promised to allow fellow cybercriminals to validate OnlyFans logins, check account balances, verify if accounts have payment methods attached and determine if accounts have creator privileges, according to Veriti.
“These ‘checkers’ are the digital lockpicks of the modern age, promising easy access to a treasure trove of sensitive information and potential financial gain. However, as our investigation reveals, sometimes these tools are Trojan horses, designed to ensnare the very criminals seeking to use them,” Veriti explained.
“What these cyber-vultures thought was their golden ticket turned out to be a sophisticated delivery mechanism for Lumma Stealer, a particularly insidious strain of malware.”
Read more on infostealers: LummaC2 Infostealer Resurfaces With Obfuscated PowerShell Tactics
Lumma Stealer is a hard-to-detect infostealer programmed to target cryptocurrency wallets, two-factor authentication browser extensions and other sensitive information on a victim’s machine/device.
Veriti explained that, once activated, this particular sample initiates a connection to a GitHub account recently opened under the name “UserBesty.” The repository features a trove of malicious files, including one named “brtjgjsefd.exe,” uploaded on August 27, which “is designed to embed itself deep within the victim’s system, creating exclusions and making it difficult to detect and remove.”
Veriti claimed the same malicious actor has launched similar campaigns aimed at hackers interested in targeting Disney+ (DisneyChecker.exe) and Instagram accounts (InstaCheck.exe), as well as botnet wranglers (ccMirai.exe).
“In this high-stakes digital chess game, it seems the ultimate winner is the one who can think several moves ahead,” Veriti concluded. “And for now, that title might just belong to the mysterious mind behind the OnlyFans ‘checker’ scam. Stay safe out there, folks. In the wild west of the internet, not everything – or everyone – is as it seems.”
Image credit: Mehaniq / Shutterstock.com