The wacky world of ape jpegs is at the heart of yet another increasingly bizarre internet scam, which involves malware, stolen accounts, a faint possibility of phishing, and zips full of ape pictures.
Lots of people with art profiles on social media in Japan and elsewhere have reported messages from people claiming to be from the “Cyberpunk Ape Executives”. These messages promoted some sort of upcoming project related to both cyberpunk and apes.
Users on several sites including DeviantArt and Pixiv were sent identical missives from a variety of accounts:
> Not just on Pixiv, these same NFT scammers (Cyberpunk Ape Executives) were bothering me (and assumedly other artists) on DeviantART yesterday too, despite me writing that I’m anti-NFT on my profile page. <https://t.co/RLCV40tx2j> pic.twitter.com/G0E9izR0TO
>
> – Katy133 (@JKaty133) May 2, 2022
The messages received by these artists read as follows:
> Hi! We appreciate your artwork! Cyberpunk Ape Executives is inviting 2D-artists (online / freelance) to collaborate in creating NFT project. As a 2D-artist you will create amazing and adorable NFT characters. Your characters will become an important part of our NFT universe! Our expectations from the candidate: 1) Experience as a 2D-artist 2) Experience and examples of creating characters 3) Photoshop skills
>
> Main tasks: 1) Creating characters in our NFT style 2) Interaction with Art Team Lead on task setting, feedback. For further communication check out the examples of our NFT works: [url removed] and send a reply (CV + examples of your works) for this position. Approximate payment per day = $200-$350. We make payments to Paypal, BTC, ETH, LTC.
Anyone clicking the link was directed to a MEGA download page. The .rar file to download weighs in at 4.1MB, and comes with the password "111" supplied. Artists expecting to find ape jpegs are in for a horrible surprise, not least because it does in fact contain several ape jpegs. It also contains something else pretending to be an ape jpeg. Observe:
Can you spot the ape doing his own thing? Note that without "view file extensions" enabled, you wouldn't notice the odd one out. Cyberpunk Ape Executive #19 is up to no good, with the gif.exe extension. Disguising executables as image files is an ancient technique, but it seems profitable in ape jpeg land. Artists opening up the file would infect their system with a form of infostealer which Malwarebytes detects as Spyware.PasswordStealer.EnigmaProtector.
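The double-extension disguise described above can be checked for mechanically before anything in the archive is opened. The following is an added example, not code from the original post or from Malwarebytes; it also goes one step further and flags image-named files whose content starts with an executable header. The extension lists and every file name other than #19's are assumptions constructed for illustration.

```python
import os

# Extensions Windows runs on double-click (a common subset, not exhaustive; assumption).
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd"}
# Extensions a recipient would expect in an archive of artwork samples (assumption).
DECOY_EXTS = {".jpg", ".jpeg", ".png", ".gif", ".bmp", ".psd", ".pdf"}


def classify(name, head=b""):
    """Return the reasons a file from an extracted archive looks disguised.

    name: file name as stored in the archive.
    head: first bytes of the file, if available (b"" skips the content check).
    """
    reasons = []
    # Windows ignores trailing spaces and dots in names, so strip them first.
    stem, ext = os.path.splitext(name.rstrip(" ."))
    inner_ext = os.path.splitext(stem.rstrip(" ."))[1]
    ext, inner_ext = ext.lower(), inner_ext.lower()
    if ext in EXECUTABLE_EXTS and inner_ext in DECOY_EXTS:
        # With file extensions hidden, only the stem ("... #19.gif") is displayed.
        reasons.append(f"double extension {inner_ext}{ext}")
    if ext in DECOY_EXTS and head[:2] == b"MZ":
        # "MZ" opens every DOS/PE executable; none of the decoy formats starts with it.
        reasons.append(f"{ext} name but PE (MZ) header")
    return reasons


def scan(entries):
    """Map each suspicious name to its reasons; clean files are omitted."""
    return {n: r for n, h in entries if (r := classify(n, h))}


# Constructed listing: only the #19 name and its gif.exe extension come from the article.
SAMPLE = [
    ("Cyberpunk Ape Executive #17.jpg", b"\xff\xd8\xff\xe0"),
    ("Cyberpunk Ape Executive #18.jpg", b"\xff\xd8\xff\xe0"),
    ("Cyberpunk Ape Executive #19.gif.exe", b"MZ\x90\x00"),
    ("Cyberpunk Ape Executive #20.png", b"MZ\x90\x00"),  # renamed binary, single extension
]

if __name__ == "__main__":
    for name, reasons in scan(SAMPLE).items():
        print(f"{name}: {'; '.join(reasons)}")
```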
Many people are pointing out that their accounts started spamming the same bogus promotional messages seen up above. Here's one example found on ArtStation from last week:
> Turns out my ArtStation account was hacked and they send out a bunch of messages to artists to recruit them for an NFT project, if you get messaged for a Cyberpunk Ape Executives crypto project, it’s a scam probably #nft #crypto #NFTCommunity pic.twitter.com/LlOPQfZN9s
>
> – Deazee (@deazeeworks) April 26, 2022
There is clearly some form of account compromise taking place; however, at the time of writing it's difficult to 100% pin this on the infection file. Those who've suffered an account breach typically don't confirm one way or the other whether the infection or phishing of some kind is responsible (warning: very angry and swear-filled artist Tweets ahoy).
What we've observed is that the executable connects to a server, sending some basic system information like Operating System and various system parameters. There's no direct evidence of password theft (yet), though it could be waiting for direct orders or certain conditions to swipe data.
It's possible there's a phishing aspect to this independent of the infostealer. Perhaps there's a second set of messages aimed at tricking people into visiting fake logins, though we stress there is currently no evidence of this. The executable seems the most likely candidate. Either way, our tips are as follows:
Possibly the most amazing thing here is that the Cyberpunk Ape Executives actually do appear to exist. Here's the genuine Ape Executives themselves, warning artists about the fakers:
> There’s currently a scam going around with people pretending to work with us. This is not real. Don’t respond. Don’t click the link. Report the people who are doing this on the platform they contact you on. #ApeExecutives pic.twitter.com/A60J3Tt1ks
>
> – CYBERPUNK APE EXECUTIVES (PHASE ONE SOLD OUT) (@ApeExecutives) April 26, 2022
Accept no ape imitations.
We'll continue to observe this one and add to the post should any fresh information come to light. For now, keep a close eye on messages sent your way. There's nothing better for an artist than the possibility of a well-paying commission. Unfortunately, all you'll be paying with here is system data, and quite possibly your logins too.
The post Fake Cyberpunk Ape Executives target artists with malware-laden job offer appeared first on Malwarebytes Labs.