{"id":18935,"date":"2022-05-04T05:10:06","date_gmt":"2022-05-04T13:10:06","guid":{"rendered":"http:\/\/www.palada.net\/index.php\/2022\/05\/04\/news-12668\/"},"modified":"2022-05-04T05:10:06","modified_gmt":"2022-05-04T13:10:06","slug":"news-12668","status":"publish","type":"post","link":"http:\/\/www.palada.net\/index.php\/2022\/05\/04\/news-12668\/","title":{"rendered":"Fake Cyberpunk Ape Executives target artists with malware-laden job offer"},"content":{"rendered":"<p><strong>Credit to Author: Christopher Boyd| Date: Wed, 04 May 2022 12:37:05 +0000<\/strong><\/p>\n<p>The wacky world of ape jpegs is at the heart of yet another increasingly bizarre internet scam, which contains malware, stolen accounts, a faint possibility of phishing, and zips full of ape pictures. <\/p>\n<h2>The Ape Executives have a job offer you can, and must, refuse<\/h2>\n<p>Lots of people with art profiles on social media in <a href=\"https:\/\/twitter.com\/gaminuwu\/status\/1521344994744815616\" target=\"_blank\" rel=\"noreferrer noopener nofollow\">Japan<\/a> and elsewhere have reported messages from people claiming to be from the \u201cCyberpunk Ape Executives\u201d. 
These messages promoted some sort of upcoming project related to both cyberpunk and apes.<\/p>\n<p>Users on several sites including DeviantArt and Pixiv were sent identical missives from a variety of accounts:<\/p>\n<figure class=\"wp-block-embed is-type-rich is-provider-twitter wp-block-embed-twitter\">\n<div class=\"wp-block-embed__wrapper\">\n<blockquote class=\"twitter-tweet\" data-width=\"550\" data-dnt=\"true\">\n<p lang=\"en\" dir=\"ltr\">Not just on Pixiv, these same NFT scammers (Cyberpunk Ape Executives) were bothering me (and assumedly other artists) on DeviantART yesterday too, despite me writing that I&#39;m anti-NFT on my profile page.<img decoding=\"async\" src=\"https:\/\/s.w.org\/images\/core\/emoji\/13.1.0\/72x72\/1f644.png\" alt=\"\ud83d\ude44\" class=\"wp-smiley\" style=\"height: 1em; max-height: 1em;\" \/> <a href=\"https:\/\/t.co\/RLCV40tx2j\">https:\/\/t.co\/RLCV40tx2j<\/a> <a href=\"https:\/\/t.co\/G0E9izR0TO\">pic.twitter.com\/G0E9izR0TO<\/a><\/p>\n<p>&mdash; Katy133 (@JKaty133) <a href=\"https:\/\/twitter.com\/JKaty133\/status\/1521190543585386499?ref_src=twsrc%5Etfw\">May 2, 2022<\/a><\/p><\/blockquote>\n<p><script async src=\"https:\/\/platform.twitter.com\/widgets.js\" charset=\"utf-8\"><\/script> <\/div>\n<\/figure>\n<h2>&#8220;We appreciate your artwork&#8230;&#8221;<\/h2>\n<p>The messages received by these artists read as follows:<\/p>\n<blockquote class=\"wp-block-quote\">\n<p><em>Hi! We appreciate your artwork! Cyberpunk Ape Executives is inviting 2D-artists (online \/ freelance) to collaborate in creating NFT project. As a 2D-artist you will create amazing and adorable NFT characters. Your characters will become an important part of our NFT universe! Our expectations from the candidate: 1) Experience as a 2D-artist 2) Experience and examples of creating characters 3) Photoshop skills<\/em><\/p>\n<p><em>Main tasks: 1) Creating characters in our NFT style 2) Interaction with Art Team Lead on task setting, feedback. 
For further communication check out the examples of our NFT works: [url removed] and send a reply (CV + examples of your works) for this position. Approximate payment per day = $200-$350. We make payments to Paypal, BTC, ETH, LTC.<\/em><\/p>\n<\/blockquote>\n<p>Anyone clicking the link was directed to a MEGA download page. The .rar file to download weighs in at 4.1MB, and comes with the password &#8220;111&#8221; supplied. Artists expecting to find ape jpegs are in for a horrible surprise, not least because it does in fact contain several ape jpegs. It also contains something <em>else<\/em> pretending to be an ape jpeg. Observe:<\/p>\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" data-attachment-id=\"56274\" data-permalink=\"https:\/\/blog.malwarebytes.com\/scams\/2022\/05\/fake-cyberpunk-ape-executives-target-artists-with-malware-laden-job-offer\/attachment\/cyberpunk-ape-executive-files\/\" data-orig-file=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2022\/05\/cyberpunk-ape-executive-files.png\" data-orig-size=\"656,312\" data-comments-opened=\"0\" data-image-meta=\"{&quot;aperture&quot;:&quot;0&quot;,&quot;credit&quot;:&quot;&quot;,&quot;camera&quot;:&quot;&quot;,&quot;caption&quot;:&quot;&quot;,&quot;created_timestamp&quot;:&quot;0&quot;,&quot;copyright&quot;:&quot;&quot;,&quot;focal_length&quot;:&quot;0&quot;,&quot;iso&quot;:&quot;0&quot;,&quot;shutter_speed&quot;:&quot;0&quot;,&quot;title&quot;:&quot;&quot;,&quot;orientation&quot;:&quot;0&quot;}\" data-image-title=\"cyberpunk-ape-executive-files\" data-image-description=\"\" data-image-caption=\"\" data-medium-file=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2022\/05\/cyberpunk-ape-executive-files-300x143.png\" data-large-file=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2022\/05\/cyberpunk-ape-executive-files-600x285.png\" width=\"600\" height=\"285\" 
src=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2022\/05\/cyberpunk-ape-executive-files-600x285.png\" alt=\"\" class=\"wp-image-56274\" srcset=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2022\/05\/cyberpunk-ape-executive-files-600x285.png 600w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2022\/05\/cyberpunk-ape-executive-files-300x143.png 300w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2022\/05\/cyberpunk-ape-executive-files.png 656w\" sizes=\"auto, (max-width: 600px) 100vw, 600px\" \/><\/figure>\n<\/div>\n<p>Can you spot the ape doing his own thing? Note that without &#8220;view file extensions&#8221; enabled, you wouldn&#8217;t notice the odd one out.  Cyberpunk Ape Executive #19 is up to no good, with the gif.exe extension. Disguising executables as image files is an ancient technique, but it seems profitable in ape jpeg land. Artists opening up the file would infect their system with a form of <a href=\"https:\/\/blog.malwarebytes.com\/detections\/spyware-passwordstealer\/\">infostealer<\/a> which Malwarebytes detects as Spyware.PasswordStealer.EnigmaProtector.<\/p>\n<h2>Message spam galore<\/h2>\n<p>Many people are pointing out that their accounts started spamming the same bogus promotional messages seen up above. 
Here&#8217;s one example found on ArtStation from last week:<\/p>\n<figure class=\"wp-block-embed is-type-rich is-provider-twitter wp-block-embed-twitter\">\n<div class=\"wp-block-embed__wrapper\">\n<blockquote class=\"twitter-tweet\" data-width=\"550\" data-dnt=\"true\">\n<p lang=\"en\" dir=\"ltr\">Turns out my ArtStation account was hacked and they send out a bunk of messages to artists to recruit them for an NFT project, if you get messaged for a Cyberpunk Ape Executives crypto project, it&#39;s a scam probably <a href=\"https:\/\/twitter.com\/hashtag\/nft?src=hash&amp;ref_src=twsrc%5Etfw\">#nft<\/a> <a href=\"https:\/\/twitter.com\/hashtag\/crypto?src=hash&amp;ref_src=twsrc%5Etfw\">#crypto<\/a> <a href=\"https:\/\/twitter.com\/hashtag\/NFTCommunity?src=hash&amp;ref_src=twsrc%5Etfw\">#NFTCommunity<\/a> <a href=\"https:\/\/t.co\/LlOPQfZN9s\">pic.twitter.com\/LlOPQfZN9s<\/a><\/p>\n<p>&mdash; Deazee (@deazeeworks) <a href=\"https:\/\/twitter.com\/deazeeworks\/status\/1518915423844159489?ref_src=twsrc%5Etfw\">April 26, 2022<\/a><\/p><\/blockquote>\n<p><script async src=\"https:\/\/platform.twitter.com\/widgets.js\" charset=\"utf-8\"><\/script> <\/div>\n<\/figure>\n<p>There is clearly some form of account compromise taking place; however, at the time of writing it&#8217;s difficult to 100% pin this on the infection file. Those who&#8217;ve suffered an account breach typically don&#8217;t confirm one way or the other if the infection or phishing of some kind is responsible (warning: very angry and <a href=\"https:\/\/twitter.com\/Dust_Muppet\/status\/1520522665131450371\" target=\"_blank\" rel=\"noreferrer noopener nofollow\">swear filled artist Tweets ahoy<\/a>).<\/p>\n<p>What we&#8217;ve observed is that it connects to a server, sending some basic system information like Operating System and various system parameters. 
There&#8217;s no direct evidence of password theft (yet), though it could be waiting for direct orders or certain conditions to swipe data.<\/p>\n<h2>Keeping your accounts safe<\/h2>\n<p>It&#8217;s possible there&#8217;s a phishing aspect to this independent of the infostealer. Perhaps there&#8217;s a second set of messages aimed at tricking people into visiting fake logins, though we stress there is currently no evidence of this. The executable seems the most likely candidate. Either way, our tips are as follows:<\/p>\n<ol>\n<li>Do not download the .rar containing the apes. If you have, do not open up the .gif.exe file. Proceed to running security scans at this point, and ensure whatever you have on board is quarantined and stripped out from your system.<\/li>\n<li>If there <em>are<\/em> messages from so-called Cyberpunk Ape Executives bouncing around somewhere sending you login links, don&#8217;t enter the credentials they happen to be asking for. Done this already? Log in and change your password. If they&#8217;ve already changed your login, contact support as soon as possible. Again: we don&#8217;t know if a phish campaign is operating in tandem with the infection file campaign, and we&#8217;d suggest you&#8217;re most likely to fall foul of login compromise via the system infection.<\/li>\n<\/ol>\n<h2>All my apes giving security advice<\/h2>\n<p>Possibly the most amazing thing here is that the Cyberpunk Ape Executives actually do appear to exist. Here&#8217;s the <em>genuine<\/em> Ape Executives themselves, warning artists about the fakers:<\/p>\n<figure class=\"wp-block-embed is-type-rich is-provider-twitter wp-block-embed-twitter\">\n<div class=\"wp-block-embed__wrapper\">\n<blockquote class=\"twitter-tweet\" data-width=\"550\" data-dnt=\"true\">\n<p lang=\"en\" dir=\"ltr\">There&#39;s currently a scam going around with people pretending to work with us. This is not real. Don&#39;t respond. Don&#39;t click the link. 
Report the people who are doing this on the platform they contact you on. <a href=\"https:\/\/twitter.com\/hashtag\/ApeExecutives?src=hash&amp;ref_src=twsrc%5Etfw\">#ApeExecutives<\/a> <a href=\"https:\/\/t.co\/A60J3Tt1ks\">pic.twitter.com\/A60J3Tt1ks<\/a><\/p>\n<p>&mdash; CYBERPUNK APE EXECUTIVES (PHASE ONE SOLD OUT) (@ApeExecutives) <a href=\"https:\/\/twitter.com\/ApeExecutives\/status\/1518995496051740672?ref_src=twsrc%5Etfw\">April 26, 2022<\/a><\/p><\/blockquote>\n<p><script async src=\"https:\/\/platform.twitter.com\/widgets.js\" charset=\"utf-8\"><\/script> <\/div>\n<\/figure>\n<p>Accept no ape imitations.<\/p>\n<p>We&#8217;ll continue to observe this one and add to the post should any fresh information come to light. For now, keep a close eye on messages sent your way. There&#8217;s nothing better for an artist than receiving the possibility of a well paying commission. Unfortunately, all you&#8217;ll be paying with here is system data, and quite possibly your logins too.<\/p>\n<p>The post <a rel=\"nofollow\" href=\"https:\/\/blog.malwarebytes.com\/scams\/2022\/05\/fake-cyberpunk-ape-executives-target-artists-with-malware-laden-job-offer\/\">Fake Cyberpunk Ape Executives target artists with malware-laden job offer<\/a> appeared first on <a rel=\"nofollow\" href=\"https:\/\/blog.malwarebytes.com\">Malwarebytes Labs<\/a>.<\/p>\n<p><a href=\"https:\/\/blog.malwarebytes.com\/scams\/2022\/05\/fake-cyberpunk-ape-executives-target-artists-with-malware-laden-job-offer\/\" target=\"bwo\" >https:\/\/blog.malwarebytes.com\/feed\/<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p><strong>Credit to Author: Christopher Boyd| Date: Wed, 04 May 2022 12:37:05 +0000<\/strong><\/p>\n<p>We look at a scam targeting artists around the world with a bogus, malware-laden offer from fake Cyberpunk Ape Executives.<\/p>\n<p>The post <a rel=\"nofollow\" 
href=\"https:\/\/blog.malwarebytes.com\/scams\/2022\/05\/fake-cyberpunk-ape-executives-target-artists-with-malware-laden-job-offer\/\">Fake Cyberpunk Ape Executives target artists with malware-laden job offer<\/a> appeared first on <a rel=\"nofollow\" href=\"https:\/\/blog.malwarebytes.com\">Malwarebytes Labs<\/a>.<\/p>\n","protected":false},"author":4,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"colormag_page_container_layout":"default_layout","colormag_page_sidebar_layout":"default_layout","footnotes":""},"categories":[10488,10378],"tags":[16349,25963,24754,25964,25965,25966,14490,8141,24758,25967,3985,10574],"class_list":["post-18935","post","type-post","status-publish","format-standard","hentry","category-malwarebytes","category-security","tag-account","tag-all-my-apes-gone","tag-ape","tag-artstation","tag-cyberpunk-ape-executives","tag-deviantart","tag-jpeg","tag-monkey","tag-nft","tag-pixiv","tag-scam","tag-scams"],"_links":{"self":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/18935","targetHints":{"allow":["GET"]}}],"collection":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/users\/4"}],"replies":[{"embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/comments?post=18935"}],"version-history":[{"count":0,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/18935\/revisions"}],"wp:attachment":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/media?parent=18935"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/categories?post=18935"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/tags?post=189
35"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}