OnlyFans images used to spread malware

A new malware campaign has emerged that takes advantage of the popularity of OnlyFans, a subscription content platform known for adult content. Criminals distribute fake content on the platform, making users think they can access it for free. In fact, it serves to distribute a remote access trojan (RAT) called “DcRAT”, software that allows unauthorized access to infected devices and can steal sensitive data and credentials or distribute ransomware.

The scenario is perhaps the most classic of all: the victim is lured with the promise of getting something for free that they would otherwise pay for, and then the attack hits. It is a situation that has been repeated almost since the Internet has existed. Nevertheless, it continues to work, which may seem surprising, but it is not, considering that there are deceptions that have been working for thousands of years.

Thus, OnlyFans is just the latest interpretation of an already known scenario: we should have already learned that if something is free, we should not trust it, but perhaps we are simply programmed to fall into certain traps.

A recent campaign discovered by eSentire has been active since January 2023. It involves the distribution of ZIP files containing a VBScript loader. Victims are tricked into manually running the loader, believing they are accessing OnlyFans premium collections.

The exact infection vector is currently unknown. It could be forum posts, instant messages, malvertising (malicious ads), or even black hat SEO sites that rank high for certain search terms. An example shared by Eclypsium is a nude photo of former adult film actress Mia Khalifa.

Once launched, the loader checks the architecture of the operating system and, if necessary, launches a 32-bit process. It then extracts an embedded DLL named “dynwrapx.dll” and registers it using Regsvr32.exe. This allows the malware to use DynamicWrapperX, a tool that makes it easy to call functions from Windows APIs or other DLL files.

The payload, called “BinaryData”, is then loaded into memory and injected into the legitimate “RegAsm.exe” process, which is part of the .NET Framework. This method reduces the likelihood of detection by antivirus software.
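The execution chain described above can be turned into simple process-creation detections. The following is an added example, not code from eSentire or from the original article: the event field names, the sample events (constructed, not from a real incident), and the assumption that RegAsm.exe shows up as a child of the script host are all illustrative.

```python
import ntpath

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}

# Constructed process-creation events (field names and paths are assumptions).
SAMPLE_EVENTS = [
    {"image": r"C:\Windows\System32\wscript.exe", "parent": r"C:\Windows\explorer.exe",
     "cmdline": r'wscript.exe "C:\Users\u\Downloads\pack\photos.vbs"'},
    {"image": r"C:\Windows\SysWOW64\wscript.exe", "parent": r"C:\Windows\System32\wscript.exe",
     "cmdline": r'wscript.exe "C:\Users\u\Downloads\pack\photos.vbs"'},
    {"image": r"C:\Windows\SysWOW64\regsvr32.exe", "parent": r"C:\Windows\SysWOW64\wscript.exe",
     "cmdline": r'regsvr32.exe /s "C:\Users\u\AppData\Local\Temp\dynwrapx.dll"'},
    {"image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe",
     "parent": r"C:\Windows\SysWOW64\wscript.exe", "cmdline": "RegAsm.exe"},
    {"image": r"C:\Windows\System32\regsvr32.exe", "parent": r"C:\Windows\System32\msiexec.exe",
     "cmdline": r'regsvr32.exe /s "C:\Program Files\App\plugin.dll"'},
]

def _name(path):
    """Lower-cased file name of a Windows path, regardless of host OS."""
    return ntpath.basename(path).lower()

def detect(event):
    """Return the names of the rules that a single event matches."""
    image, parent = _name(event["image"]), _name(event["parent"])
    cmdline = event["cmdline"].lower()
    hits = []
    # Script host relaunching itself as a 32-bit process.
    if (image in SCRIPT_HOSTS and parent in SCRIPT_HOSTS
            and "\\syswow64\\" in event["image"].lower()):
        hits.append("script_host_32bit_relaunch")
    # Registration of the DynamicWrapperX DLL through Regsvr32.exe.
    if image == "regsvr32.exe" and "dynwrapx.dll" in cmdline:
        hits.append("dynwrapx_registration")
    # RegAsm.exe started by a script host instead of a build or install tool.
    if image == "regasm.exe" and parent in SCRIPT_HOSTS:
        hits.append("regasm_from_script_host")
    return hits

def scan(events):
    """Return (event index, rule name) pairs for every match."""
    return [(i, rule) for i, e in enumerate(events) for rule in detect(e)]

if __name__ == "__main__":
    for index, rule in scan(SAMPLE_EVENTS):
        print(index, rule, SAMPLE_EVENTS[index]["cmdline"])
```

Matching on the file name alone is easy to evade by renaming the DLL, so the RegAsm.exe parent check is the more durable of the three rules.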

The payload is DcRAT, a modified version of the AsyncRAT trojan, old software still available on GitHub. DcRAT has several malicious features, including keylogging, webcam monitoring, file manipulation, and remote access. It can also steal credentials and cookies from web browsers, as well as Discord tokens.

In addition, DcRAT includes a ransomware plugin, which targets non-system files and encrypts them, adding the “.DcRat” extension to the encrypted files.

To avoid problems, discretion is always our best weapon. We need to be more aware and more attentive; perhaps we could even introduce these topics in schools. And it certainly does not hurt to install a good antivirus on your computer.
Cover image: Alanpulson
