Fake OnlyFans content is luring users into installing malware
A dangerous RAT could infect victims and cause all sorts of problems
Adult-oriented subscription service OnlyFans has been hit with a new malware campaign that sees fake content being used to infect users' devices with a Remote Access Trojan (RAT).
Security firm eSentire discovered the operation, which has been ongoing since the start of this year. ZIP files are distributed that contain a VBScript loader that users unwittingly activate when they think they are getting access to premium OnlyFans content.
It is not known exactly what the initial attack vector is that lures victims, but there are suggestions that it could be forum posts, instant messages, malvertising links or Black SEO sites that rank near the top of search results for certain terms.
DcRAT
The OnlyFans brand has been used before by threat actors, including in January 2023, where hackers abused an open redirect link on an official UK government website to direct users to a fake version of the site.
In this new campaign, the payload has been dubbed DcRAT, which is a modified version of the freely available AsyncRAT on GitHub, although the author has since abandoned after it was being abused.
When the VBScript loader is activated, it extracts and registers 'dynwrapx.dll', which grants access to the DynamicWrapperX, which in turn enables calling functions from the Windows API and other DLLs.
Something called 'BinaryData' is then loaded into 'RegAsm.exe', a legitimate process part of the .NET Framework, meaning it is less likely to be flagged by antivirus software. This is what delivers the DcRAT.
Are you a pro? Subscribe to our newsletter
Sign up to the TechRadar Pro newsletter to get all the top news, opinion, features and guidance your business needs to succeed!
DcRAT can then perform various malicious actions, including keylogging, monitoring webcams, manipulating files, stealing credentials and browser cookies, and remotely accessing your device.
It also contains a ransomware plugin that affects all non-system files and encrypts them with the .DcRAT file extension, making them inaccessible to the user without the decryption key, which the threat actors will hold you to ransom for.
- Get yourself the best firewall to protect against threats
Lewis Maddison is a Reviews Writer for TechRadar. He previously worked as a Staff Writer for our business section, TechRadar Pro, where he had experience with productivity-enhancing hardware, ranging from keyboards to standing desks.
His area of expertise lies in computer peripherals and audio hardware, including speakers and headphones, having spent over a decade exploring the murky depths of audio production and PC building. He also revels in picking up on the finest details and niggles that ultimately make a big difference to the user experience.
Chip firm founded by ex-Intel president plans massive 256-core CPU to surf AI inference wave and give Nvidia B100 a run for its money — Ampere Computing AmpereOne-3 likely to support PCIe 6.0 and DDR5 tech
Millions of devices still connect to this dangerous malware, despite the creators ditching it years ago