Users of creator-oriented online platforms such as DeviantArt and Pixiv in Japan are receiving fake job offer messages that claim to come from the Cyberpunk Ape Executives NFT project. The goal is to infect artists' devices with information stealers.

Fake job offers

According to Malwarebytes, attackers are luring artists with offers of up to $350 per day to work on further expansion of the project and design new sets of characters.
  • The message sent to targeted users contains a link that leads to a MEGA download page hosting a password-protected RAR archive (4.1MB) named Cyberpunk Ape Exemples (pass 111)[.]rar.
  • The archive purports to contain samples of Cyberpunk Ape Executives' artwork, supposedly to show artists the style they should follow; the samples lend false authenticity to the job offer.
  • The archive includes several actual GIFs of Cyberpunk Ape Executives NFTs. It also contains one executable file designed to look like another GIF image so that it blends in with the rest of the collection.

The hidden threat

The executable file is a malware installer that pretends to be one of several GIF images sent as samples.
  • When executed, it infects the device with an information-stealing trojan EnigmaProtector, and, based on VirusTotal detections, there is a good chance of the file bypassing AV detection.
  • The attackers try to obtain the account credentials of users with a high number of followers. Moreover, many creators claim that bot accounts send messages in Japanese every few minutes.
  • The infostealer steals information saved on web browsers, such as account passwords, and cryptocurrency wallets. Further, stealing victims' wallets allows the attackers to steal any NFTs and cryptocurrency stored within them.

Staying safe

Users should stay alert whenever they receive lucrative job offers promising large salaries. They should contact the project or company to confirm the email, and review its Twitter account or other online presence. Further, always scan a downloaded file with a reliable anti-malware solution before executing it.
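A check that can be run on an extracted sample folder before opening anything, to spot an executable hiding among GIFs as described above. This is an added example, not code from the article or from Malwarebytes. The article does not say how the file was disguised, so the checks for a mismatched extension and a double extension are assumptions, and the file names and byte stubs are constructed.

```python
import os

# Leading bytes ("magic") of the two formats involved in this lure.
GIF_MAGIC = (b"GIF87a", b"GIF89a")
PE_MAGIC = b"MZ"  # Windows PE executables start with the DOS "MZ" header
IMAGE_EXTS = {".gif", ".png", ".jpg", ".jpeg", ".webp"}
EXEC_EXTS = {".exe", ".scr", ".com", ".pif"}


def classify(name, head):
    """Return a list of findings for one file, given its name and first bytes."""
    stem, ext = os.path.splitext(name.lower())
    inner_ext = os.path.splitext(stem.rstrip())[1]  # tolerate space padding
    is_pe = head.startswith(PE_MAGIC)
    findings = []
    if is_pe and ext in IMAGE_EXTS:
        findings.append("PE header behind an image extension")
    if ext in EXEC_EXTS and inner_ext in IMAGE_EXTS:
        findings.append("double extension: image name, executable type")
    if (is_pe or ext in EXEC_EXTS) and not findings:
        findings.append("executable among artwork samples")
    if ext == ".gif" and not is_pe and not head.startswith(GIF_MAGIC):
        findings.append("gif extension without GIF header")
    return findings


def scan_folder(folder):
    """Read only the first bytes of each extracted file; nothing is executed."""
    report = {}
    for root, _dirs, files in os.walk(folder):
        for fname in files:
            with open(os.path.join(root, fname), "rb") as fh:
                head = fh.read(6)
            findings = classify(fname, head)
            if findings:
                report[fname] = findings
    return report


# Constructed sample: hypothetical names with harmless header stubs.
SAMPLES = {
    "ape_01.gif": b"GIF89a\x01\x00",
    "ape_02.gif.exe": b"MZ\x90\x00",
    "ape_03.gif": b"MZ\x90\x00",
    "ape_04.exe": b"MZ\x90\x00",
}

if __name__ == "__main__":
    for name, head in SAMPLES.items():
        print(name, "->", classify(name, head) or "ok")
```

A clean result only means the names and headers are consistent; the anti-malware scan recommended above still applies.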

Cyware Publisher