Hackers Drop Info-Stealing Malware Using Fake OnlyFans Pics

By Zane Kennedy, Former Cybersecurity Researcher. Published on 21st June 2023.

Hackers have launched a malware campaign targeting the popular adult content subscription service OnlyFans, using fake OnlyFans content and adult lures to steal data and deploy ransomware on infected devices.

The malware campaign was discovered by eSentire, which stated in its findings that “In May 2023, we identified DcRAT, a clone of AsyncRAT, at a consumer services customer. DcRAT is a remote access tool with info-stealing and ransomware capabilities. The malware is actively distributed using explicit lures for OnlyFans pages and other adult content.”

Since January 2023, hackers have been distributing ZIP files containing a VBScript loader, cleverly disguised as premium OnlyFans collections. Enticed by the promise of accessing exclusive content for free, victims manually execute the loader, installing the DcRAT malware onto their systems.

OnlyFans, renowned for its private adult content offered by models, celebrities, and influencers, has attracted a massive user base seeking exclusive pics. This widespread popularity has made it a prime target for individuals wanting to access such content without paying, who ultimately fall victim to hackers' nefarious activities.

The precise method of infection remains unclear. Malicious forum posts, instant messages, malvertising, or even search engine optimization techniques employed by fraudulent websites could be responsible for delivering the infected ZIP files. One sample shared by Eclypsium was disguised as explicit photos of former adult film actress Mia Khalifa.

The VBScript loader is a modified and obfuscated version of a script observed in a previous campaign discovered by Splunk in 2021, and it evades detection. Once launched, it checks the device's operating system architecture using Windows Management Instrumentation (WMI) and spawns a 32-bit process if necessary. Through a series of steps, the DcRAT payload is then injected into the legitimate "RegAsm.exe" process, bypassing traditional antivirus tools.
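For defenders, the loader behaviour described above can be hunted in process-creation telemetry. The following is an added example, not code from eSentire or from the original article; the event fields, sample events and rule names are constructed, and it assumes (the article does not say) that the 32-bit process is a re-launched script host and that RegAsm.exe starts beneath it.

```python
import ntpath
import shlex

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
REGASM = r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

# Constructed process-creation events (shaped like Sysmon Event ID 1), not real telemetry.
EVENTS = [
    {"pid": 100, "ppid": 1, "image": r"C:\Windows\explorer.exe", "cmd": "explorer.exe"},
    {"pid": 200, "ppid": 100, "image": r"C:\Windows\System32\wscript.exe",
     "cmd": r'wscript.exe "C:\Users\u\Downloads\pics\loader.vbs"'},
    {"pid": 300, "ppid": 200, "image": r"C:\Windows\SysWOW64\wscript.exe",
     "cmd": r'wscript.exe "C:\Users\u\Downloads\pics\loader.vbs"'},
    {"pid": 400, "ppid": 300, "image": REGASM, "cmd": "RegAsm.exe"},
    {"pid": 500, "ppid": 100, "image": REGASM, "cmd": r"RegAsm.exe C:\build\MyLib.dll /codebase"},
]

def exe(event):
    return ntpath.basename(event["image"]).lower()

def is_wow64(event):
    return "\\syswow64\\" in event["image"].lower()

def has_script_ancestor(event, by_pid):
    """Walk the parent chain; the seen-set guards against PID-reuse loops."""
    seen = set()
    parent = by_pid.get(event["ppid"])
    while parent and parent["pid"] not in seen:
        if exe(parent) in SCRIPT_HOSTS:
            return True
        seen.add(parent["pid"])
        parent = by_pid.get(parent["ppid"])
    return False

def detect(events):
    by_pid = {e["pid"]: e for e in events}
    hits = []
    for e in events:
        parent = by_pid.get(e["ppid"])
        # Assumed pattern: 64-bit script host re-launching itself as a 32-bit process.
        if (exe(e) in SCRIPT_HOSTS and is_wow64(e) and parent
                and exe(parent) in SCRIPT_HOSTS and not is_wow64(parent)):
            hits.append((e["pid"], "script-host-respawned-32bit"))
        if exe(e) == "regasm.exe":
            if has_script_ancestor(e, by_pid):
                hits.append((e["pid"], "regasm-under-script-host"))
            # Legitimate RegAsm use names an assembly; a bare command line is suspicious.
            if len(shlex.split(e["cmd"], posix=False)) == 1:
                hits.append((e["pid"], "regasm-no-assembly-argument"))
    return hits
```

The developer-style RegAsm.exe invocation (pid 500) is deliberately left unflagged, which is the false-positive case these rules need to tolerate.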

DcRAT poses a significant threat to infected systems, offering keylogging, webcam monitoring, remote access, file manipulation, and even the ability to steal browser credentials, cookies, and Discord tokens. Furthermore, the malware incorporates a ransomware plugin that encrypts non-system files, appending the ".DcRAT" extension to hold victims' data hostage.

Cybersecurity experts have emphasized the importance of caution when downloading files or executables from dubious sources, particularly those claiming to offer free access to premium content. Users are urged to be vigilant and protect their devices that store personal information.

OnlyFans, cybersecurity organizations, and law enforcement agencies are actively addressing these security concerns, implementing measures to enhance user security and thwart future attacks.

About the Author

Zane was a Cybersecurity Researcher and Writer at vpnMentor. His extensive experience in the tech and cybersecurity industries provided readers with accurate and trustworthy news stories and articles. He aimed to help individuals protect themselves through informative content and awareness of cybersecurity's crucial role in today's digital landscape.
