A sophisticated piece of malware, known as “Steal-it”, is targeting specific victims in Australia using explicit images of models from the OnlyFans platform as bait, according to recent reports from Zscaler.
The cyber attack is believed to be the work of the APT28 group, also known as FANCY BEAR, according to the study. This group gained notoriety for its interference in the 2016 American elections.
The “Steal-it” malware, examined by Zscaler, consists of multiple variations with different tools and objectives.
In the initial phase of the malicious operation using Onlyfans-Primann, victims download a ZIP archive named “Best_tits.zip”. This archive contains a malicious shortcut labeled “Onlyfans.com-1.lnk”.
Upon execution, the malicious LNK file opens the Microsoft Edge browser with a specific Base64-encoded argument. This argument contains a single-line JavaScript code that redirects victims to the attackers’ website, which also contains malicious code.
To conceal the harmful redirection, the attackers also open the legitimate website in another tab and pause the script for 9 seconds.
After this brief pause, the hidden JavaScript code on the background page performs several checks and carries out malicious actions. If the victim’s operating system is Windows and they are located in Australia, the code initiates the download of another malicious shortcut named “M8.LNK”. This shortcut is immediately launched and placed in the Windows Startup folder to ensure persistence.
The newly created shortcut collects system information about the victim’s computer and sends it to the attackers using the legitimate tool Mockbin, while simultaneously erasing traces of its activity from the target system.
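One detection angle for the first stage described above is a browser being launched with a Base64-encoded argument that decodes to JavaScript. The following is an added example written for this article, not code from Zscaler or from the malware: it scans constructed process-creation events (the field names `parent`, `image` and `cmdline` are assumptions), decodes any Base64-looking token in an msedge.exe command line, and flags decoded text that contains JavaScript navigation markers.

```python
import base64
import binascii
import re

# Constructed sample events (not real telemetry). The first is a normal Edge
# launch; the second mirrors the chain above, where a shortcut starts Edge with
# a Base64-encoded argument that carries a one-line JavaScript redirect.
SAMPLE_EVENTS = [
    {"parent": "explorer.exe", "image": "msedge.exe",
     "cmdline": "msedge.exe --profile-directory=Default https://onlyfans.com"},
    {"parent": "explorer.exe", "image": "msedge.exe",
     "cmdline": "msedge.exe "
                + base64.b64encode(b"window.location='https://example.invalid/'").decode()},
]

# Tokens of the Base64 alphabet long enough to be worth decoding.
B64_TOKEN = re.compile(r"[A-Za-z0-9+/]{16,}={0,2}")
# Substrings that indicate decoded text is JavaScript performing navigation or execution.
JS_MARKERS = ("location", "window.open", "document.write", "eval(", "setTimeout")


def decoded_js_from_cmdline(cmdline):
    """Return decoded JavaScript found in a Base64 token of the command line, else None."""
    for token in B64_TOKEN.findall(cmdline):
        try:
            decoded = base64.b64decode(token, validate=True).decode("utf-8")
        except (binascii.Error, UnicodeDecodeError):
            # Not valid Base64, or not text: a URL path or random word, not a payload.
            continue
        if any(marker in decoded for marker in JS_MARKERS):
            return decoded
    return None


def flag_events(events):
    """Return the Edge launches whose arguments decode to JavaScript, with the decoded text."""
    hits = []
    for event in events:
        if event["image"].lower() != "msedge.exe":
            continue
        script = decoded_js_from_cmdline(event["cmdline"])
        if script is not None:
            hits.append({"cmdline": event["cmdline"], "decoded": script})
    return hits


if __name__ == "__main__":
    for hit in flag_events(SAMPLE_EVENTS):
        print("suspicious Edge launch:", hit["cmdline"])
        print("  decodes to:", hit["decoded"])
```

The same check can be run over real Sysmon or EDR process-creation events once the field names are mapped to the source's schema.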
A chain of infection
Using explicit content as a lure in malicious campaigns is a manipulative and deceitful tactic. While it’s natural to be curious, it’s important to be cautious and not fall for such tricks.
Cybercriminals often exploit our vulnerabilities, but we must not follow their lead. Stay vigilant and consider the consequences before opening suspicious files. Ultimately, our online safety depends on ourselves.