A malicious campaign uses counterfeit OnlyFans material and adult enticements to install a remote access trojan called ‘DcRAT,’ allowing hackers to steal data and login information or deploy ransomware on the infected device.
Source: Twitter
Do you know OnlyFans?
OnlyFans is a subscription-based content service where users pay to access private photos, videos, and posts from adult models, celebrities, and famous social media personalities.
Due to its widespread usage and recognizable name, it has become an attractive target for individuals seeking to access paid content without paying.
Previous analysis
This is not the first time cybercriminals have exploited OnlyFans to achieve their malicious objectives. In January 2023, attackers took advantage of an open redirect on a UK government website to redirect visitors to fake OnlyFans sites.
Fake link used to redirect visitors
The recently discovered campaign, identified by eSentire, has been active since January 2023. It spreads ZIP files containing a VBScript loader, which victims are deceived into manually executing, thinking they will gain access to exclusive OnlyFans collections.
Source: Morphisec
Methods used to attack
The exact form of infection is unknown, but it could involve
- malicious forum posts,
- instant messages,
- malvertising, or even Black SEO sites that rank high in specific search terms.
- A sample attributed to an adult film star is also shared as a lure.
The VBScript loader is a slightly modified and obfuscated version of a script observed in a 2021 campaign discovered by Splunk. It was originally a Windows printing script that has been adapted for this purpose.
Source: Splunk
- When executed, the script checks the operating system architecture using WMI and spawns a 32-bit process if necessary. It then extracts a hidden DLL file (“dynwrapx.dll”) and registers the DLL using the Regsvr32.exe command.
- This grants the malware access to DynamicWrapperX, which allows it to call functions from the Windows API or other DLL files.
- Eventually, the payload, named ‘BinaryData,’ is loaded into memory and injected into the ‘RegAsm.exe’ process, a legitimate component of the .NET Framework and less likely to trigger antivirus tools.
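Detection logic for the chain in the steps above, as an added example that is not from the page or from eSentire: it scans constructed Sysmon-style process-creation events for regsvr32.exe registering dynwrapx.dll and for RegAsm.exe being started by a script host or without an assembly argument. The event field names and sample paths are assumptions.

```python
"""Flag the VBScript -> regsvr32 (dynwrapx.dll) -> RegAsm.exe chain in process telemetry."""
from typing import Dict, List, Tuple

# Constructed Sysmon-style process-creation events; field names and paths are
# assumptions for this example, not telemetry from the campaign.
SAMPLE_EVENTS: List[Dict] = [
    {"pid": 4100, "image": r"C:\Windows\SysWOW64\wscript.exe",
     "parent": r"C:\Windows\explorer.exe",
     "cmd": r'wscript.exe "C:\Users\u\Downloads\collection\preview.vbs"'},
    {"pid": 4120, "image": r"C:\Windows\SysWOW64\regsvr32.exe",
     "parent": r"C:\Windows\SysWOW64\wscript.exe",
     "cmd": r'regsvr32.exe /s "C:\Users\u\AppData\Local\Temp\dynwrapx.dll"'},
    {"pid": 4130, "image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe",
     "parent": r"C:\Windows\SysWOW64\wscript.exe",
     "cmd": r"RegAsm.exe"},
    # Benign: an installer registering its own .NET assembly with RegAsm.
    {"pid": 5000, "image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe",
     "parent": r"C:\Program Files\Vendor\setup.exe",
     "cmd": r'RegAsm.exe /codebase "C:\Program Files\Vendor\Lib.dll"'},
]

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def names_an_assembly(cmd: str) -> bool:
    """True if the command line carries an assembly argument, as a normal RegAsm call does."""
    return any(tok.strip('"').lower().endswith((".dll", ".exe"))
               for tok in cmd.split()[1:])


def detect_dcrat_loader(events: List[Dict]) -> List[Tuple[int, str]]:
    """Return (pid, reason) pairs for events matching the loader chain."""
    findings: List[Tuple[int, str]] = []
    for ev in events:
        img, parent, cmd = basename(ev["image"]), basename(ev["parent"]), str(ev["cmd"])
        if img == "regsvr32.exe" and "dynwrapx.dll" in cmd.lower():
            findings.append((ev["pid"], "regsvr32 registering DynamicWrapperX (dynwrapx.dll)"))
        elif img == "regsvr32.exe" and parent in SCRIPT_HOSTS:
            findings.append((ev["pid"], "regsvr32 launched by a script host"))
        # RegAsm normally receives an assembly path; a bare RegAsm.exe spawned by
        # a script host is the injection target described in the chain above.
        if img == "regasm.exe" and (parent in SCRIPT_HOSTS or not names_an_assembly(cmd)):
            findings.append((ev["pid"], "RegAsm.exe started by a script host or without an assembly"))
    return findings
```

Run `detect_dcrat_loader(SAMPLE_EVENTS)` to see the two suspicious events flagged while the installer's legitimate RegAsm call is left alone.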
“The injected payload is DcRAT, a modified version of AsyncRAT. The original version of AsyncRAT was freely available on GitHub but was abandoned by its creator due to multiple instances of misuse,” says eSentire.
What is DcRAT capable of doing?
- DcRAT is capable of keylogging, monitoring webcams, manipulating files, and establishing remote access. It can also steal login credentials and cookies from web browsers and Discord tokens.
- DcRAT incorporates a ransomware plugin that targets all non-system files, encrypting them and appending the “.DcRat” extension to the encrypted files.
What’s in hand
Learning about malware, trojans, and viruses is a reminder every time that you must never ignore your digital security. Using anti-virus software, refraining from clicking suspicious links, and not sharing your personal information are some preventive measures you should always employ. Keep safety your priority!