Hackers use fake OnlyFans content to spread infostealers

June 21, 2023
Hackers Fake Content OnlyFans Infostealers Social Engineering Malware Trojan Credential Stealer

Threat actors are using fake OnlyFans photos and content as a lure to deploy DcRAT, a remote access trojan that, according to the reports, lets them harvest data and credentials from the compromised device or use it as a foothold for further attacks.

The campaign has reportedly been running since January, distributing ZIP archives that contain a VBScript loader. The victim runs the script manually, believing it will unlock a premium OnlyFans collection.

[Image: The fake OnlyFans content could spread via multiple sources.]

Researchers said they had not identified the initial delivery vector for the fake OnlyFans content. Plausible sources include underground forums, malvertising campaigns, instant messages, and black-hat SEO sites that push the lure to the top of search results.

The VBScript loader is a minimally modified, disguised version of a script used in a 2021 cybercriminal operation. It first queries the operating system architecture through WMI and, where needed, spawns a 32-bit process in which the subsequent steps run. It then installs itself on the host, extracts an embedded DLL, and registers that DLL with regsvr32[.]exe.

The registered DLL acts as a bridge that lets the script call functions from the Windows API and other DLLs directly, giving a VBScript the memory-manipulation primitives it would otherwise lack.

Finally, the 'BinaryData' payload is loaded into memory and injected into the 'RegAsm.exe' process, a legitimate .NET Framework utility that antivirus products are less likely to block. The injected payload is DcRAT, a modified version of the open-source AsyncRAT published on GitHub. Researchers stated that DcRAT's authors abandoned the project after repeated reports of its abuse surfaced online.
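The loader chain above (script host, optional 32-bit re-spawn, regsvr32 registering a dropped DLL, then RegAsm.exe launched as an injection host) leaves a recognisable footprint in process-creation telemetry. The hunt below is an added example, not code from the article or from the researchers it cites. It assumes Sysmon-style process-creation records already parsed into Python objects (image path, parent image path, command line); the sample events are constructed for illustration, and the three rules are heuristics that will need tuning against your own baseline.

```python
"""Hunt for the VBScript loader -> regsvr32 -> RegAsm.exe chain in process telemetry.

Added example (not from the original article). Event fields mirror Sysmon
Event ID 1 (Image, ParentImage, CommandLine); the sample events are constructed.
"""
import re
from dataclasses import dataclass

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
WINDOWS_DIR = "c:\\windows\\"
SYSWOW64 = "c:\\windows\\syswow64\\"


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    image: str          # full path of the new process
    parent_image: str   # full path of the parent process
    command_line: str


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def tokens(command_line: str) -> list:
    """Split a Windows command line into arguments, honouring double quotes."""
    return [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', command_line)]


def script_host_32bit_respawn(ev: ProcEvent) -> bool:
    # A 64-bit script host relaunching a SysWOW64 copy of itself. Assumption:
    # the "32-bit process" the loader spawns is a script host; if it is some
    # other binary, widen the image check accordingly.
    return (basename(ev.image) in SCRIPT_HOSTS
            and ev.image.lower().startswith(SYSWOW64)
            and basename(ev.parent_image) in SCRIPT_HOSTS
            and not ev.parent_image.lower().startswith(SYSWOW64))


def regsvr32_user_dll_from_script_host(ev: ProcEvent) -> bool:
    # regsvr32 launched by wscript/cscript to register a DLL that lives outside
    # C:\Windows (the dropped helper DLL described in the article).
    if basename(ev.image) != "regsvr32.exe" or basename(ev.parent_image) not in SCRIPT_HOSTS:
        return False
    dlls = [t for t in tokens(ev.command_line)[1:] if t.lower().endswith(".dll")]
    return any(not d.lower().startswith(WINDOWS_DIR) for d in dlls)


def regasm_no_assembly_from_script_host(ev: ProcEvent) -> bool:
    # RegAsm.exe needs an assembly path to do real work. A bare launch from a
    # script host is the shape an injection target takes.
    if basename(ev.image) != "regasm.exe" or basename(ev.parent_image) not in SCRIPT_HOSTS:
        return False
    args = tokens(ev.command_line)[1:]
    return not any(a.lower().endswith((".dll", ".exe")) for a in args)


RULES = [script_host_32bit_respawn,
         regsvr32_user_dll_from_script_host,
         regasm_no_assembly_from_script_host]


def hunt(events) -> list:
    """Return (pid, rule name) for every event that trips a rule."""
    return [(ev.pid, rule.__name__) for ev in events for rule in RULES if rule(ev)]


# Constructed sample telemetry: one malicious chain plus two benign look-alikes.
SAMPLE_EVENTS = [
    ProcEvent(100, r"C:\Windows\System32\wscript.exe", r"C:\Windows\explorer.exe",
              r'wscript.exe "C:\Users\alice\Downloads\Premium_Collection\view.vbs"'),
    ProcEvent(101, r"C:\Windows\SysWOW64\wscript.exe", r"C:\Windows\System32\wscript.exe",
              r'"C:\Windows\SysWOW64\wscript.exe" "C:\Users\alice\Downloads\Premium_Collection\view.vbs"'),
    ProcEvent(102, r"C:\Windows\SysWOW64\regsvr32.exe", r"C:\Windows\SysWOW64\wscript.exe",
              r'regsvr32.exe /s "C:\Users\alice\AppData\Roaming\helper.dll"'),
    ProcEvent(103, r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe",
              r"C:\Windows\SysWOW64\wscript.exe",
              r'"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"'),
    # benign: an installer registering a system DLL
    ProcEvent(200, r"C:\Windows\System32\regsvr32.exe", r"C:\Windows\System32\msiexec.exe",
              r'regsvr32.exe /s "C:\Windows\System32\vbscript.dll"'),
    # benign: a developer tool registering an assembly
    ProcEvent(201, r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe",
              r"C:\Program Files\Microsoft Visual Studio\devenv.exe",
              r'RegAsm.exe "C:\proj\bin\MyLib.dll" /codebase'),
]

if __name__ == "__main__":
    for pid, rule in hunt(SAMPLE_EVENTS):
        print(f"pid {pid}: {rule}")
```

Run against the constructed events, only the three processes in the malicious chain (pids 101, 102, 103) are reported; the installer and the developer tool are not, because the rules key on the script-host parent rather than on regsvr32 or RegAsm alone. In production, feed the same functions from your SIEM's process-creation events and add the parent's own parent (the ZIP extraction or browser download) as further context.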

One such incident, a couple of years ago, involved a politically motivated threat group that deployed the RAT alongside several other malware strains on compromised systems. What makes DcRAT dangerous, experts explained, is its breadth: keylogging, file manipulation, remote control, and webcam monitoring, plus theft of browser credentials and cookies and of Discord tokens.

Lastly, DcRAT ships a ransomware plugin that encrypts all non-system files and appends the [.]DcRAT extension to them.

Users should avoid downloading executables or archives from untrusted sources, particularly when the offer looks too good to be true; a "premium collection" that arrives as a ZIP containing a .vbs file is a script, not media. Defenders can look for script hosts (wscript.exe or cscript.exe) spawning regsvr32.exe or RegAsm.exe, the behaviour this chain leaves in process telemetry.
