
Caught with their pants down: RATs disguised as free OnlyFans content

Hackers are exploiting the appeal of OnlyFans, using promises of “free” content to lure users into installing a remote access Trojan (RAT).

user icon Daniel Croft
Tue, 20 Jun 2023

OnlyFans, which is a paid service that allows subscribers access to private sexual content from adult creators, as well as exclusive photos and videos from celebrities and online personalities, is widely used, making the promise of free content an attractive prospect for many.

Those who fall for the malware campaign’s trap will find themselves installing a RAT called DcRAT (not to be confused with Dark Crystal RAT), which is a modified version of the AsyncRAT.

The malware is capable of keylogging, engaging remote desktop control, webcam access, file manipulation and monitoring devices through a secure encrypted connection.


The malware campaign was discovered by cyber security organisation eSentire, which has pointed out that the nature of the hack is rather unsophisticated, requiring manual execution and relying on tempting naming conventions.

“In observed instances, victims were lured into downloading Zip files containing a VBScript loader which is executed manually,” said eSentire.

“File naming conventions suggest the victims were lured using explicit photos or OnlyFans content for various adult film actresses.”

The report said it is currently unknown how the Zip files were delivered to victims, but noted that activity had been detected as early as January 2023 and as recently as 4 June 2023. It is plausible that the attackers posted the content to targeted forums or messaged potential victims directly.

eSentire outlines the steps the VBScript loader takes to inject the malware into a victim’s system:

  1. “The payload, dynwrapx.dll, and shellcode are embedded within the file and are hex encoded, reversed, and padded with junk characters. The strings are reversed, and the extra characters replaced during runtime.
  2. “Checks the OS (operating systems) architecture using WMI (Windows Management Instrumentation) and spawns a new 32-bit process if necessary.
  3. “Extracts the embedded dynwrapx.dll file, decodes it and registers it using Regsvr32 to gain access to DynamicWrapperX object.
  4. “Uses the object to load CallWindowProcW from user32.dll and VirtualAlloc from kernel32.dll.
  5. “Loads the payload (BinaryData) into memory then calls CallWindowProcW to execute the shellcode, ultimately injecting the payload into \Microsoft.NET\Framework\v4.0.30319\RegAsm.exe.”
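The chain above leaves a recognisable trail in process-creation telemetry. As an added example (not part of the article or of eSentire’s report), the following Python triage function flags Sysmon-style events that match the observable steps: a 64-bit script host respawning itself as 32-bit, a script host invoking regsvr32 on dynwrapx.dll, and RegAsm.exe appearing as a child of a script host. The event field names, the sample events and the assumption that RegAsm.exe is spawned by the script host are mine.

```python
"""Triage rules for the DcRAT VBScript loader chain (constructed example, not eSentire's code)."""
from pathlib import PureWindowsPath

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}


def _basename(path):
    """Lower-cased file name of a Windows path."""
    return PureWindowsPath(path).name.lower()


def match_rules(ev):
    """Return the names of loader-chain rules a process-creation event matches."""
    parent, image = _basename(ev["parent_image"]), _basename(ev["image"])
    cmd = ev["command_line"].lower()
    hits = []
    # Step 2: script host spawning a 32-bit copy of itself from SysWOW64
    if parent in SCRIPT_HOSTS and image in SCRIPT_HOSTS and "\\syswow64\\" in ev["image"].lower():
        hits.append("script_host_wow64_respawn")
    # Step 3: script host registering a COM DLL; dynwrapx.dll is the DynamicWrapperX tell
    if parent in SCRIPT_HOSTS and image == "regsvr32.exe":
        hits.append("script_host_regsvr32")
    if image == "regsvr32.exe" and "dynwrapx.dll" in cmd:
        hits.append("regsvr32_dynwrapx")
    # Step 5 (assumed parentage): RegAsm.exe started by a script host is the injection target
    if parent in SCRIPT_HOSTS and image == "regasm.exe":
        hits.append("script_host_regasm")
    return hits


def triage(events):
    """Map event id -> matched rules, keeping only events that matched at least one rule."""
    findings = {}
    for ev in events:
        hits = match_rules(ev)
        if hits:
            findings[ev["id"]] = hits
    return findings


# Constructed sample events (ids 1-3 mimic the chain; 4-5 are benign controls)
SAMPLE_EVENTS = [
    {"id": 1, "parent_image": r"C:\Windows\System32\wscript.exe", "image": r"C:\Windows\SysWOW64\wscript.exe",
     "command_line": r'wscript.exe "C:\Users\alice\Downloads\photos.vbs"'},
    {"id": 2, "parent_image": r"C:\Windows\SysWOW64\wscript.exe", "image": r"C:\Windows\SysWOW64\regsvr32.exe",
     "command_line": r'regsvr32 /s "C:\Users\alice\AppData\Local\Temp\dynwrapx.dll"'},
    {"id": 3, "parent_image": r"C:\Windows\SysWOW64\wscript.exe",
     "image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe", "command_line": "RegAsm.exe"},
    {"id": 4, "parent_image": r"C:\Windows\explorer.exe", "image": r"C:\Windows\System32\notepad.exe",
     "command_line": "notepad.exe"},
    {"id": 5, "parent_image": r"C:\Windows\System32\msiexec.exe", "image": r"C:\Windows\System32\regsvr32.exe",
     "command_line": r'regsvr32 /s "C:\Program Files\Vendor\vendor.dll"'},
]
```

Each rule alone (a script host calling regsvr32, for instance) may fire on legitimate administration; correlating two or more hits from the same parent process within a short window is what makes the alert worth a look.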

Threat actors have used OnlyFans as a lure before: hackers previously abused an open redirect on the United Kingdom’s Department for Environment, Food and Rural Affairs website to send traffic to fake adult OnlyFans dating websites.

Daniel Croft

Born in the heart of Western Sydney, Daniel Croft is a passionate journalist with an understanding for and experience writing in the technology space. Having studied at Macquarie University, he joined Momentum Media in 2022, writing across a number of publications including Australian Aviation, Cyber Security Connect and Defence Connect. Outside of writing, Daniel has a keen interest in music, and spends his time playing in bands around Sydney.
