Fake Cyberpunk Ape Executives target artists with malware-laden job offer

Fake Cyberpunk Ape Executives target artists with malware-laden job offer

The wacky world of ape jpegs are at the heart of yet another increasingly bizarre internet scam, which contains malware, stolen accounts, a faint possibility of phishing, and zips full of ape pictures.

The Ape Executives have a job offer you can, and must, refuse

Lots of people with art profiles on social media in Japan and elsewhere have reported messages from people claiming to be from the “Cyberpunk Ape Executives”. These messages promoted some sort of upcoming project related to both cyberpunk and apes.

Users on several sites including DeviantArt and Pixiv were sent identical missives from a variety of accounts:

Not just on Pixiv, these same NFT scammers (Cyberpunk Ape Executives) were bothering me (and assumedly other artists) on DeviantART yesterday too, despite me writing that I'm anti-NFT on my profile page. https://t.co/RLCV40tx2j pic.twitter.com/G0E9izR0TO

— Katy133 (@JKaty133) May 2, 2022

“We appreciate your artwork…”

The messages received by these artists reads as follows:

Hi! We appreciate your artwork! Cyberpunk Ape Executives is inviting 2D-artists (online / freelance) to collaborate in creating NFT project. As a 2D-artist you will create amazing and adorable NFT characters. Your characters will become an important part of our NFT universe! Our expectations from the candidate: 1) Experience as a 2D-artist 2) Experience and examples of creating characters 3) Photoshop skills

Main tasks: 1) Creating characters in our NFT style 2) Interaction with Art Team Lead on task setting, feedback. For further communication check out the examples of our NFT works: [url removed] and send a reply (CV + examples of your works) for this position. Approximate payment per day = $200-$350. We make payments to Paypal, BTC, ETH, LTC.

Anyone clicking the link was directed to a MEGA download page. The .rar file to download weighs in at 4.1MB, and comes with the password “111” supplied. Artists expecting to find ape jpegs are in for a horrible surprise, not least because it does in fact contain several ape jpegs. It also contains something else pretending to be an ape jpeg. Observe:

Can you spot the ape doing his own thing? Note that without “view file extensions” enabled, you wouldn’t notice the odd one out. Cyberpunk Ape Executive #19 is up to no good, with the gif.exe extension. Disguising executables as image files is an ancient technique, but it seems profitable in ape jpeg land. Artists opening up the file would infect their system with a form of infostealer which Malwarebytes detects as Spyware.PasswordStealer.EnigmaProtector.

Message spam galore

Many people are pointing out that their accounts started spamming the same bogus promotional messages seen up above. Here’s one example found on ArtStation from last week:

Turns out my ArtStation account was hacked and they send out a bunk of messages to artists to recruit them for an NFT project, if you get messaged for a Cyberpunk Ape Executives crypto project, it's a scam probably #nft #crypto #NFTCommunity pic.twitter.com/LlOPQfZN9s

— Deazee (@deazeeworks) April 26, 2022

There is clearly some form of account compromise taking place, however at time of writing it’s difficult to 100% pin this on the infection file. Those who’ve suffered an account breach typically don’t confirm one way or the other if the infection or phishing of some kind is responsible (warning: very angry and swear filled artist Tweets ahoy).

What we’ve observed that it connects to a server, sending some basic system information like Operating System and various system parameters. There’s no direct evidence of password theft (yet), though it could be waiting for direct orders or certain conditions to swipe data.

Keeping your accounts safe

It’s possible there’s a phishing aspect to this independent of the infostealer. Perhaps there’s a second set of messages aimed at tricking people into visiting fake logins, though we stress there is currently no evidence of this. The executable seems the most likely candidate. Either way, our tips are as follows:

1. Do not download the .rar containing the apes. If you have, do not open up the .gif.exe file. Proceed to running security scans at this point, and ensure whatever you have on board is quarantined and stripped out from your system.
2. If there are messages from so-called Cyberpunk Ape Executives bouncing around somewhere sending you login links, don’t enter the credentials they happen to be asking for. Done this already? Log in and change your password. If they’ve already changed your login, contact support as soon as possible. Again: we don’t know if a phish campaign is operating in tandem with the infection file campaign, and we’d suggest you’re most likely to fall foul of login compromise via the system infection.

All my apes giving security advice

Possibly the most amazing thing here is that the Cyberpunk Ape Executives actually do appear to exist. Here’s the genuine Ape Executives themselves, warning artists about the fakers:

There's currently a scam going around with people pretending to work with us. This is not real. Don't respond. Don't click the link. Report the people who are doing this on the platform they contact you on. #ApeExecutives pic.twitter.com/A60J3Tt1ks

— CYBERPUNK APE EXECUTIVES (PHASE ONE SOLD OUT) (@ApeExecutives) April 26, 2022

Accept no ape imitations.

We’ll continue to observe this one and add to the post should any fresh information come to light. For now, keep a close eye on messages sent your way. There’s nothing better for an artist than receiving the possibility of a well paying commission. Unfortunately, all you’ll be paying with here is system data, and quite possibly your logins too.

The post Fake Cyberpunk Ape Executives target artists with malware-laden job offer appeared first on Malwarebytes Labs.