Hackers use fake OnlyFans pics to drop info-stealing malware


A malware campaign is using fake OnlyFans content and adult lures to install a remote access trojan known as ‘DcRAT,’ allowing threat actors to steal data and credentials or deploy ransomware on the infected device.

OnlyFans is a content subscription service where paid subscribers can access private photos, videos, and posts from adult models, celebrities, and social media personalities.

It is a widely used site and a highly recognizable name, so it can act as a magnet for people looking to access paid content for free.

This is not the first time threat actors have taken advantage of OnlyFans to achieve their malicious goals, as in January 2023, attackers abused an open redirect on a UK state site to direct visitors to fake OnlyFans sites.

The new campaign discovered by eSentire has been underway since January 2023, spreading ZIP files that contain a VBScript loader the victim is tricked into executing manually, thinking they’re about to access premium OnlyFans collections.

The infection chain is unknown, but it might be malicious forum posts, instant messages, malvertising, or even Black SEO sites that rank high in specific search terms. A sample shared by Eclypsium pretends to be nude photos of former adult film actress Mia Khalifa.

The VBScript loader is a minimally modified and obfuscated version of a script observed in a 2021 campaign discovered by Splunk, which was a slightly modified Windows printing script.

Obfuscated shellcode
Obfuscated shellcode (eSentire)

When launched, it checks the OS architecture using WMI and spawns a 32-bit process as required for the following steps, extracts an embedded DLL file (“dynwrapx.dll”), and registers the DLL with the Regsvr32.exe command.

This gives the malware access to DynamicWrapperX, a tool that enables calling functions from the Windows API or other DLL files.

Ultimately, the payload, named ‘BinaryData,’ is loaded into memory and injected into the ‘RegAsm.exe’ process, a legitimate part of the .NET Framework less likely to be flagged by AV tools.

Injecting the payload into a legitimate process
Injecting the payload into a legitimate process (eSentire)

The injected payload is DcRAT, a modified version of AsyncRAT that is freely available on GitHub and which its author abandoned after several abuse cases surfaced online.

One of these cases comes from October 2021, when a politically-themed threat actor dropped it onto compromised systems along with several other malware families.

DcRAT performs keylogging, webcam monitoring, file manipulation, and remote access, and it can also steal credentials and cookies from web browsers or snatch Discord tokens.

Additionally, DcRAT features a ransomware plugin that targets all non-system files and appends the “.DcRat” filename extension onto encrypted files.

It is important to exercise caution when downloading archives or executables from dubious sources, especially those offering free access to premium/paid content.



Source link