OnlyFans – a tempting target for eager users and cybercriminals alike.
CRPx0 is a sophisticated, hard-to-detect, and long-running malware operation. It currently targets macOS and Windows systems, with signs that Linux support is in development. The campaign begins with cryptocurrency theft, followed by large-scale data theft and ransomware deployment.
Aryaka Threat Research Labs has published a detailed analysis (PDF) of the campaign.
The initial trick is a social engineering lure offering a free OnlyFans account. Users searching for free access to OnlyFans might come across the threat actors’ OnlyfansAccounts.zip file. By seeking unauthorized free access to paid content, these users have already shown a willingness to take risks and engage in questionable activities. They are more likely to download the zip file and accept that obtaining a free account might involve unusual steps. This mindset makes them ideal targets for attackers.
The malicious zip contains a shortcut file (Onlyfans Accounts.lnk) that appears to be a logical next step for someone pursuing unauthorized access. There’s no obvious reason for the risk-taker to hesitate.
Opening the .lnk file shows the victim what appears to be the promised credentials: a decoy text file named Accounts.txt, headed “50 working Onlyfans account” and listing what look like login details. In the background, the same shortcut silently installs the malware. Once installed, the malware gathers system information, establishes persistence, and takes its orders from the attackers’ command-and-control (C2) server. It also checks in periodically to see whether a newer version is available and updates itself automatically.
The CRPx0 campaign has three main effects: cryptocurrency theft, data exfiltration, and ransomware deployment.
The crypto theft works by continuously monitoring the system clipboard. When the victim copies a cryptocurrency wallet address (while sending or receiving funds), the malware recognizes the address format and replaces the clipboard contents with an address controlled by the attackers. The swap works in both directions: if the victim copies a payee’s address to paste into their wallet software, the payment goes to the criminals; if the victim copies their own address to share with someone who owes them money, that person unknowingly pays the attackers instead.
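The following Python sketch is an added illustration of the clipper behaviour described above and of the check a defender can make against it; it is not code from the Aryaka report or from the CRPx0 malware. The address patterns are format checks only (no checksum validation), the attacker wallets and the clipboard events are constructed for the example, and the function names are this example’s own.

```python
import re
from typing import Optional

# Address families a clipper typically matches on. Format-only checks,
# no checksum validation; constructed for this example.
ADDRESS_PATTERNS = {
    "btc_legacy": re.compile(r"^[13][1-9A-HJ-NP-Za-km-z]{25,34}$"),   # base58, P2PKH/P2SH
    "btc_bech32": re.compile(r"^bc1[02-9ac-hj-np-z]{25,59}$"),         # bech32, P2WPKH/P2WSH
    "eth":        re.compile(r"^0x[0-9a-fA-F]{40}$"),                   # 20-byte hex account
}

# Constructed addresses for the demonstration (not real wallets).
USER_BTC = "1BvBMSEYstWetqTFn5Au4m4GFg7xJaNVN2"
USER_ETH = "0x" + "ab" * 20
ATTACKER_WALLETS = {
    "btc_legacy": "1AttackerContro11edAddrQQQQQQQQQ",
    "eth": "0x" + "cd" * 20,
}


def wallet_address_type(text: str) -> Optional[str]:
    """Return the address family `text` looks like, or None if it is ordinary text."""
    candidate = text.strip()
    for name, pattern in ADDRESS_PATTERNS.items():
        if pattern.match(candidate):
            return name
    return None


def clipper_replace(clipboard_text: str, attacker_wallets=ATTACKER_WALLETS) -> str:
    """What a clipper does on every clipboard change: if the text is a wallet
    address and the attacker has a wallet of the same family, swap it in.
    Anything else is passed through untouched so the victim notices nothing."""
    family = wallet_address_type(clipboard_text)
    if family in attacker_wallets:
        return attacker_wallets[family]
    return clipboard_text


def detect_clipper_swap(copied: str, pasted: str) -> bool:
    """Defender-side check: True when what the user copied and what arrives on
    paste are both wallet addresses of the same family but differ. That is the
    signature of an address substituted between copy and paste."""
    src = wallet_address_type(copied)
    dst = wallet_address_type(pasted)
    return src is not None and src == dst and copied.strip() != pasted.strip()


def audit_clipboard_events(events):
    """Run the swap check over (copied, observed_on_paste) pairs and return the
    indices of the events that look like a clipper at work."""
    return [i for i, (copied, pasted) in enumerate(events) if detect_clipper_swap(copied, pasted)]


if __name__ == "__main__":
    # Simulated clipboard history on an infected host: the paste side is what
    # the clipper put on the clipboard after each copy. Constructed sample data.
    events = [
        ("meeting at 10", clipper_replace("meeting at 10")),
        (USER_BTC, clipper_replace(USER_BTC)),
        (USER_ETH, clipper_replace(USER_ETH)),
    ]
    for i in audit_clipboard_events(events):
        print(f"event {i}: copied {events[i][0]} but paste yields {events[i][1]}")
```

The practical defence is the same comparison done by a human: after pasting an address into a wallet, compare it character by character with the source before confirming the transaction, because the clipper only substitutes text that already looks like an address and leaves everything else alone.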
The second phase involves data exfiltration – the first step in a double extortion scheme. The attackers select which data to steal via their command-and-control server. This typically includes user files that will later be encrypted, such as documents, media, images, emails, developer and code files, and engineering and design files.
After stealing the data, the attackers proceed to the encryption phase. “When the malware receives the ‘encryption’ command,” the analysis explains, “it downloads the crypter.py payload from a remote server and saves it locally. Once the file is successfully written, it is executed using the system’s Python interpreter.”
A unique encryption key is generated using Fernet (the symmetric recipe from Python’s cryptography library, which combines AES-128-CBC with an HMAC-SHA256 authentication tag) and sent to the command-and-control server, so the key needed for decryption never remains on the victim’s machine. The targeted files are read, encrypted, and saved with the “.crpx0” extension. Certain system and critical directories are excluded so that the machine keeps running and the victim can read the ransom demand. The desktop wallpaper is replaced with the attackers’ “gotcha” image, and ransom notes are dropped in English, Russian, and Chinese. Victims are instructed to contact the attackers through multiple channels (including email, qTox, and Telegram).
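One thing a responder can still recover from an encrypted host is a timeline: every Fernet token starts with a version byte (0x80) and a big-endian 64-bit timestamp, followed by a 16-byte IV, AES-CBC ciphertext in 16-byte blocks and a 32-byte HMAC, and none of that requires the key. The script below is an added example, not code from the Aryaka report or from the malware: it walks a directory tree, picks out files carrying the “.crpx0” extension, checks that each has the shape of a Fernet token and extracts the encryption timestamp. The sample tree it builds (including a system directory left untouched, as the report says happens) and the synthetic tokens in it are constructed for the demonstration; the synthetic tokens have the right layout but no valid HMAC, since only the structure is being parsed.

```python
import base64
import binascii
import struct
import tempfile
from datetime import datetime, timezone
from pathlib import Path
from typing import List, Optional, Tuple

RANSOM_EXT = ".crpx0"          # extension reported for CRPx0 encrypted files
FERNET_VERSION = 0x80          # first byte of every Fernet token
# Token layout: version(1) | timestamp(8, big-endian) | IV(16) | ciphertext(n*16, n >= 1) | HMAC-SHA256(32)
MIN_TOKEN_LEN = 1 + 8 + 16 + 16 + 32


def parse_fernet_token(data: bytes) -> Optional[Tuple[datetime, int]]:
    """Return (encryption time in UTC, ciphertext length) if `data` has the
    structure of a Fernet token, else None. The key is not needed for this."""
    try:
        raw = base64.urlsafe_b64decode(data.strip())
    except (binascii.Error, ValueError):
        return None
    if len(raw) < MIN_TOKEN_LEN or raw[0] != FERNET_VERSION:
        return None
    ciphertext_len = len(raw) - 1 - 8 - 16 - 32
    if ciphertext_len % 16 != 0:             # CBC output is always whole blocks
        return None
    (ts,) = struct.unpack(">Q", raw[1:9])
    return datetime.fromtimestamp(ts, tz=timezone.utc), ciphertext_len


def triage_directory(root) -> List[dict]:
    """Find every *.crpx0 file under `root` and record whether it parses as a
    Fernet token and when it was encrypted. Sorted by path for stable output."""
    findings = []
    for path in sorted(Path(root).rglob("*" + RANSOM_EXT)):
        parsed = parse_fernet_token(path.read_bytes())
        findings.append({
            "path": str(path.relative_to(root)),
            "is_fernet": parsed is not None,
            "timestamp": parsed[0] if parsed else None,
            "ciphertext_bytes": parsed[1] if parsed else None,
        })
    return findings


def make_synthetic_token(ts: int, blocks: int = 2) -> bytes:
    """Structurally valid Fernet token for testing the parser only: fixed IV,
    filler ciphertext and a bogus HMAC. Constructed, not a real encryption."""
    raw = (bytes([FERNET_VERSION]) + struct.pack(">Q", ts)
           + b"\x00" * 16 + b"\x11" * (16 * blocks) + b"\x22" * 32)
    return base64.urlsafe_b64encode(raw)


def build_sample_tree(root) -> None:
    """Constructed post-infection layout: user files encrypted, a system
    directory skipped by the ransomware and left in plaintext."""
    root = Path(root)
    (root / "Documents").mkdir(parents=True)
    (root / "Pictures").mkdir(parents=True)
    (root / "Windows" / "System32").mkdir(parents=True)
    (root / "Documents" / "report.docx.crpx0").write_bytes(make_synthetic_token(1_700_000_000, blocks=2))
    (root / "Pictures" / "photo.jpg.crpx0").write_bytes(make_synthetic_token(1_700_000_060, blocks=5))
    (root / "Windows" / "System32" / "kernel32.dll").write_bytes(b"MZ\x90\x00 untouched")


def run_demo() -> List[dict]:
    """Build the sample tree in a temporary directory and triage it."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        return triage_directory(tmp)


if __name__ == "__main__":
    for f in run_demo():
        print(f"{f['path']}: fernet={f['is_fernet']} encrypted_at={f['timestamp']} "
              f"ciphertext={f['ciphertext_bytes']} bytes")
```

The timestamps give the order and speed of encryption across the tree, which helps bound when the “encryption” command was received from the C2 server; the ciphertext length (padded to 16-byte blocks) shows the original file size to within a block. Recovering the plaintext itself is not possible this way, because the Fernet key was generated on the host and shipped to the attackers.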
The campaign operates its own leak site. At the time of writing, it claims 38 victims have been compromised, with 23 data leaks published. It also claims to have stolen a massive 10,839 terabytes of data. The remaining 15 victims have either paid the ransom, or the payment deadline has not yet passed.
Where stolen data is available, it is offered for a one-time fee of $500 in cryptocurrency. This provides “Lifetime access to all current and future leaks” with “No monthly recurring charges.”
“This attack is a highly organized, multi-platform threat targeting Windows and macOS, with potential Linux support,” Aryaka summarizes. “Its capabilities include cryptocurrency theft, wallet seed phrase harvesting, deploying additional malicious payloads, and full-scale ransomware encryption. The operation is modular and adaptable, allowing attackers to escalate from opportunistic theft to large-scale data exfiltration and double extortion.”
There is no specific targeting in this campaign: it can hit anyone searching for a free OnlyFans account, which may explain why the ransom notes come in English, Russian, and Chinese. Initial infections are more likely to land on personal devices than on corporate ones, since most employees know that their company’s security team can easily monitor what they do on a work device while in the office.
Aryaka’s report includes a list of indicators of compromise (IoCs) and a mapping to the MITRE ATT&CK framework.