
OnlyFans Pics Used to Spread Malware



Jul 13, 2023

OnlyFans is a well-known subscription-based platform on which adult performers, celebrities, and influencers sell access to private photos, videos, and posts.

Because of that popularity, the platform attracts people looking for illicit, free access to content that is meant to be paid for, and attackers know it.

Threat actors abusing the OnlyFans brand is nothing new. In January 2023, attackers exploited an open redirect flaw on a UK government website to send users to fake OnlyFans sites.

According to a recent eSentire report, the current campaign has been active since January 2023. It distributes ZIP archives that promise access to premium OnlyFans collections and instead trick victims into manually running a VBScript loader.

The exact infection vector is still unknown; likely candidates include malicious forum posts, instant messages, malvertising, and black-hat SEO sites that rank highly for relevant search terms. One sample documented by eSentire poses as explicit photos of former adult film actress Mia Khalifa.

VBScript Loader and DcRAT: Malicious Techniques and Capabilities

The VBScript loader is a lightly modified and obfuscated version of a script seen in a 2021 campaign analysed by Splunk; that script was itself a Windows printing script with only minor changes.

The loader first determines the operating system architecture, then drops an embedded DLL named "dynwrapx.dll" and registers it with the Regsvr32.exe command.

That DLL is DynamicWrapperX, a component that lets scripts call Windows API functions or functions exported by other DLLs; once it is registered, the malware can use it.

Finally, the payload, stored as 'BinaryData', is loaded into memory and injected into a legitimate 'RegAsm.exe' process, a .NET Framework component that antivirus software is less likely to flag.
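The steps above (drop and register dynwrapx.dll, then inject into RegAsm.exe), together with the ZIP-delivered VBScript from the campaign description, leave a process-creation trail a defender can hunt for. The following is an added example written for this page, not code from eSentire or the article: it runs three rules and a parent/child correlation over constructed Sysmon-style events. The PIDs, user name, file names and paths are assumptions, not indicators from the campaign.

```python
"""Hunt for the loader chain described above over constructed process-creation
events. Added example for this page; not code from eSentire or the article."""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    """Minimal process-creation record (the Sysmon Event ID 1 fields we need)."""
    pid: int
    ppid: int
    image: str
    cmdline: str

    @property
    def name(self) -> str:
        return self.image.rsplit("\\", 1)[-1].lower()


# Constructed sample telemetry. PIDs, user name and paths are assumptions, not
# indicators from the real campaign. The Temp1_<archive>.zip path is where
# Windows Explorer extracts a file that is opened directly from inside a ZIP.
SAMPLE_EVENTS = [
    ProcEvent(1000, 800, r"C:\Windows\explorer.exe", "explorer.exe"),
    ProcEvent(1100, 1000, r"C:\Windows\System32\wscript.exe",
              r'wscript.exe "C:\Users\u\AppData\Local\Temp\Temp1_OnlyFans.zip\OnlyFans.vbs"'),
    ProcEvent(1200, 1100, r"C:\Windows\System32\regsvr32.exe",
              r'regsvr32.exe /s "C:\Users\u\AppData\Roaming\dynwrapx.dll"'),
    ProcEvent(1300, 1100, r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe",
              "RegAsm.exe"),
    # Benign controls: a system script, a vendor installer, a real assembly registration.
    ProcEvent(2000, 1000, r"C:\Windows\System32\wscript.exe",
              r'wscript.exe "C:\Windows\System32\SyncAppvPublishingServer.vbs"'),
    ProcEvent(2100, 2050, r"C:\Windows\System32\regsvr32.exe",
              r'regsvr32.exe /s "C:\Program Files\Vendor\vendor.dll"'),
    ProcEvent(2200, 2050, r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe",
              r'RegAsm.exe "C:\Program Files\Vendor\Lib.dll" /codebase'),
]

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
# Directories a standard user can write to; a DLL registered from here is suspect.
USER_WRITABLE = re.compile(r"\\(?:AppData|Temp|Downloads|ProgramData|Public)\\", re.I)
ARCHIVE_TEMP = re.compile(r"\\Temp\d*_[^\\]+\.zip\\", re.I)


def args_of(cmdline: str) -> str:
    """Return the command line without its program token (quoted or not)."""
    s = cmdline.strip()
    if s.startswith('"'):
        end = s.find('"', 1)
        return s[end + 1:].strip() if end != -1 else ""
    parts = s.split(None, 1)
    return parts[1] if len(parts) > 1 else ""


def hunt(events):
    """Return (pid, rule) findings; one event may trip several rules."""
    by_pid = {e.pid: e for e in events}
    findings = []
    for e in events:
        parent = by_pid.get(e.ppid)
        parent_name = parent.name if parent else ""
        args = args_of(e.cmdline)

        # Rule 1: a script host running a .vbs opened straight out of a ZIP, or
        # from another user-writable directory, as the lure archive does.
        if e.name in SCRIPT_HOSTS and re.search(r"\.vbs\b", args, re.I):
            if ARCHIVE_TEMP.search(args) or USER_WRITABLE.search(args):
                findings.append((e.pid, "script_host_vbs_from_user_dir"))

        # Rule 2: regsvr32 registering a DLL from a user-writable path (the dropped
        # dynwrapx.dll); a script-host parent or that exact name adds weight.
        if e.name == "regsvr32.exe":
            if USER_WRITABLE.search(args):
                findings.append((e.pid, "regsvr32_user_writable_dll"))
            if parent_name in SCRIPT_HOSTS:
                findings.append((e.pid, "regsvr32_spawned_by_script_host"))
            if "dynwrapx.dll" in args.lower():
                findings.append((e.pid, "regsvr32_dynwrapx"))

        # Rule 3: RegAsm.exe is the injection target. Legitimate use passes an
        # assembly path; a bare launch or a script-host parent is suspect.
        if e.name == "regasm.exe":
            has_assembly = re.search(r"\.(?:dll|exe)\b", args, re.I) is not None
            if not has_assembly or parent_name in SCRIPT_HOSTS:
                findings.append((e.pid, "regasm_no_assembly_or_script_parent"))
    return findings


def suspicious_pids(events):
    return sorted({pid for pid, _ in hunt(events)})


def loader_chains(events):
    """PIDs of script hosts that parent both a regsvr32 and a RegAsm process:
    the whole chain from the article, correlated instead of judged per event."""
    children = {}
    for e in events:
        children.setdefault(e.ppid, set()).add(e.name)
    by_pid = {e.pid: e for e in events}
    return sorted(pid for pid, kids in children.items()
                  if pid in by_pid and by_pid[pid].name in SCRIPT_HOSTS
                  and {"regsvr32.exe", "regasm.exe"} <= kids)


if __name__ == "__main__":
    for pid, rule in hunt(SAMPLE_EVENTS):
        print(pid, rule)
    print("chains:", loader_chains(SAMPLE_EVENTS))
```

Both regsvr32.exe and RegAsm.exe are legitimate signed Windows binaries, so single rule hits are leads rather than verdicts; the correlation in loader_chains (one script host parenting both) is the stronger signal. Against real telemetry, map Image, CommandLine, ProcessId and ParentProcessId from Sysmon Event ID 1 into ProcEvent.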

The injected payload is DcRAT, a modified version of the popular AsyncRAT, whose original developer abandoned the project after online reports of its misuse.

DcRAT's capabilities include keylogging, webcam monitoring, file manipulation, and remote access. It can also steal login credentials, browser cookies, and Discord tokens.

A bundled ransomware plugin can additionally encrypt non-system files, appending the ".DcRat" extension to the encrypted files.

Be careful when downloading files or executables from untrusted websites, especially those that promise unauthorized access to premium or paid content.