
"The initial social engineering lure is the offer of a free OnlyFans account. Users interested in free access to OnlyFans might actively search for available options, and stumble across the threat actors' OnlyfansAccounts.zip. By looking for unauthorized free access to paid-for content, these users have already demonstrated a willingness to be risk takers open to less than legitimate activity. They would be more willing to download the zip, and to accept that acquiring a free account might require some non-standard activity. That's a good start for any attacker."
"The malicious zip contains a shortcut file (Onlyfans Accounts.lnk) which would appear to be a legitimate next step in pursuing a non-legitimate purpose. There is no apparent reason for the risk taker not to proceed. The lnk provides a file that appears to contain the promised account credentials. It is titled Accounts.txt, has the headline '50 working Onlyfans account' and lists what appears to be credentials - but in the background, it begins to install the malware."
"The attackers maintain control from their C2 while the malware collects environment data and establishes persistence. The malware even calls home periodically to see if there is a newer version of itself, and updates itself as necessary. There are three primary effects of the CRPx0 campaign: cryptocurrency theft, data exfiltration, and delivery of ransomware."
"The crypto theft is achieved by continuously monitoring the system clipboard. If the victim copies a wallet address (while sending or receivi"
CRPx0 is a stealthy, persistent malware campaign targeting macOS and Windows, with Linux capabilities under development. The lure offers a free OnlyFans account, leading users to download an OnlyfansAccounts.zip file. The archive contains a shortcut file that appears to provide promised account credentials in an Accounts.txt file titled “50 working Onlyfans account,” but the shortcut triggers malware installation in the background. The malware collects environment data, establishes persistence, and periodically contacts command-and-control infrastructure to check for newer versions and update itself. The campaign produces cryptocurrency theft by monitoring the clipboard for wallet addresses, followed by large-scale data exfiltration and ransomware delivery.
Read at SecurityWeek