Warning! Fake OnlyFans images are used to spread a real infostealer


Nathan Le Gohlisse

Hardware Specialist

June 20, 2023 at 3:20 p.m.


© Diego Thomazini / Shutterstock.com

A malware campaign exploits the interest generated by OnlyFans to install a Trojan horse on users' devices, one that allows personal data to be harvested, or worse.

Make OnlyFans users believe that they will gain free access to a batch of explicit, normally paid content after opening a compressed folder on their device: in short, that is the trick used by the attackers to actually install a Trojan horse on the smartphones, tablets or PCs of the people they fool. Dubbed "DcRAT", this malware then gives the attackers remote access, with the aim of stealing credentials and personal data, or even deploying ransomware on the infected device.

A method as old as time…

As Bleeping Computer points out, this malware campaign was first discovered by eSentire researchers and appears to have been running since January 2023. The modus operandi is simple: share ZIP files containing a VBScript program (a Windows printing script modified for malicious purposes). Victims believe they are downloading and then opening a folder containing premium collections of OnlyFans content. In reality, manually opening this file triggers the installation of the DcRAT malware mentioned above, and the device is infected.

eSentire explains that, at this stage, the initial infection vector is still unknown. The most likely scenario, however, is that users come across this ZIP file after keyword searches on certain specialized forums, or simply receive it via instant messaging.

An example shared by Eclypsium is also quite telling: the malicious ZIP file is titled "IMG_Mia_Khalifa_Nuds_Phtos.zip". Fooled users download and then open this file thinking they are accessing explicit photos of a former porn actress, when it actually contains everything needed to compromise their device for quite some time.

© Shutterstock

What happens once the malware is installed?

In detail, once the VBScript is executed, it "verifies the OS architecture using WMI, then launches a 32-bit process as required for the next steps. It then extracts an embedded DLL file ("dynwrapx.dll") and registers the DLL using the Regsvr32.exe command", Bleeping Computer explains.

The malware thus gains access to DynamicWrapperX, a tool that makes it possible to call functions of the Windows API or of other DLL files. "Finally, the payload, named "BinaryData", is loaded into memory and injected into the "RegAsm.exe" process, a legitimate part of the .NET framework less likely to be spotted by AV tools", the article continues.
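The delivery chain described in the two paragraphs above (a VBScript opened from an extracted ZIP, regsvr32.exe registering a DLL dropped in a user-writable folder, then RegAsm.exe started by the script host) leaves a recognisable trail in process-creation telemetry. The following Python script is an added example, not code from the article, from eSentire or from Bleeping Computer: it applies three detection rules to a handful of constructed Sysmon-style process-creation events. The file paths, user name, process IDs and the `preview.vbs` file name are assumptions made for the sample data; only `dynwrapx.dll`, `regsvr32.exe`, `RegAsm.exe` and the script-host behaviour come from the article.

```python
"""Detection heuristics for the DcRAT delivery chain described in the article.

The events below are constructed for this example (Sysmon Event ID 1 reduced to
the fields the rules need); the rules are illustrative and are not the
detection content of eSentire or Bleeping Computer.
"""
import re
from dataclasses import dataclass


@dataclass
class ProcEvent:
    pid: int
    parent_image: str  # full path of the parent process
    image: str         # full path of the created process
    cmdline: str       # command line of the created process


SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}

# Directories a user can write to, where an extracted ZIP or a dropped DLL would sit
USER_WRITABLE = re.compile(
    r"\\(users\\[^\\]+\\(downloads|appdata\\local\\temp)|windows\\temp)\\", re.I
)


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def rule_script_host_vbs_from_user_dir(ev: ProcEvent) -> bool:
    # A script host running a .vbs out of Downloads/Temp: typical of a file
    # double-clicked straight out of an extracted archive.
    return (basename(ev.image) in SCRIPT_HOSTS
            and ".vbs" in ev.cmdline.lower()
            and bool(USER_WRITABLE.search(ev.cmdline)))


def rule_regsvr32_user_dll_from_script_host(ev: ProcEvent) -> bool:
    # regsvr32 registering a DLL from a user-writable path, spawned by a script host
    # (the article's dynwrapx.dll registration step).
    return (basename(ev.image) == "regsvr32.exe"
            and basename(ev.parent_image) in SCRIPT_HOSTS
            and bool(USER_WRITABLE.search(ev.cmdline)))


def rule_regasm_spawned_by_script_host(ev: ProcEvent) -> bool:
    # RegAsm.exe is a legitimate .NET tool, but a script host as its parent is
    # anomalous and matches the injection target named in the article.
    return (basename(ev.image) == "regasm.exe"
            and basename(ev.parent_image) in SCRIPT_HOSTS)


RULES = [
    ("script_host_vbs_from_user_dir", rule_script_host_vbs_from_user_dir),
    ("regsvr32_user_dll_from_script_host", rule_regsvr32_user_dll_from_script_host),
    ("regasm_spawned_by_script_host", rule_regasm_spawned_by_script_host),
]


def evaluate(events):
    """Return (pid, rule_name) for every event that triggers a rule."""
    hits = []
    for ev in events:
        for name, rule in RULES:
            if rule(ev):
                hits.append((ev.pid, name))
    return hits


def chain_detected(hits) -> bool:
    """True when every stage of the chain fired, i.e. all three rules matched."""
    return {name for _, name in hits} == {name for name, _ in RULES}


# Constructed sample telemetry: three malicious-looking events followed by two benign ones.
SAMPLE_EVENTS = [
    ProcEvent(4100, r"C:\Windows\explorer.exe", r"C:\Windows\System32\wscript.exe",
              r'"C:\Windows\System32\wscript.exe" "C:\Users\alice\Downloads\extracted\preview.vbs"'),
    ProcEvent(4120, r"C:\Windows\System32\wscript.exe", r"C:\Windows\System32\regsvr32.exe",
              r"regsvr32.exe /s C:\Users\alice\AppData\Local\Temp\dynwrapx.dll"),
    ProcEvent(4130, r"C:\Windows\System32\wscript.exe",
              r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe", "RegAsm.exe"),
    # Benign: an installer registering a DLL that lives in System32
    ProcEvent(5000, r"C:\Windows\System32\msiexec.exe", r"C:\Windows\System32\regsvr32.exe",
              r"regsvr32.exe /s C:\Windows\System32\example.dll"),
    # Benign: a domain logon script served from a network share
    ProcEvent(5010, r"C:\Windows\System32\userinit.exe", r"C:\Windows\System32\wscript.exe",
              r'"wscript.exe" \\corp.example\netlogon\logon.vbs'),
]


if __name__ == "__main__":
    for pid, name in evaluate(SAMPLE_EVENTS):
        print(f"pid {pid}: {name}")
    print("full chain detected:", chain_detected(evaluate(SAMPLE_EVENTS)))
```

The three rules are deliberately narrow: a script host alone, or regsvr32 alone, is common on a workstation, so it is the combination (script from a user directory, DLL registered from a user directory by that script host, RegAsm.exe with a script-host parent) that is worth alerting on. In a SIEM the same logic would be a correlation over parent/child process events rather than a flat list.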

Once in place, DcRAT lets the attackers remotely log keystrokes, monitor the webcam and manipulate certain files. It can also steal credentials, read browser cookies or grab Discord tokens, among other things.

Source: Bleeping Computer
