Researchers have investigated a malicious campaign targeting smartphone users that distributes fake OnlyFans content in order to infect victims' devices with the DcRAT malware, which steals data and credentials from the device or encrypts it and leaves a ransom note. The campaign has been running since January 2023 and is one of the highest risks to users' devices and personal information.
The subscription service OnlyFans gives paid subscribers access to private photos, videos and posts published by celebrities, adult models and social media personalities through a private area of its website.
As one of the most popular websites online, with a well-known name and a broad audience, it is a natural magnet for people seeking free access to paid content.
eSentire has discovered an ongoing campaign that has been running since January 2023. The campaign spreads ZIP files containing VBScript loaders, which victims are tricked into executing manually in the belief that doing so unlocks premium OnlyFans collections.
Little is known about the infection chain. Researchers speculate that the lures are spread through malicious forum posts, instant messages, spam, or Black SEO sites that rank highly on search engines for certain keywords. One lure shared by Eclypsium consists of nude pictures of Mia Khalifa, who previously appeared in adult films.
The VBScript loader is a minimally modified and obfuscated version of a loader found in a 2021 campaign documented by Splunk; that loader was itself created by slightly modifying a Windows printing script.
The cybersecurity firm eSentire, a leading entity in the industry, first noticed this threat. During an investigation by the company's Threat Response Unit (TRU), it found DcRAT, a variant of the widely used AsyncRAT, on the system of a customer in the consumer services sector. DcRAT is a powerful remote access tool capable of stealing information and encrypting files.
The core of the campaign's methodology is to lure victims with explicit OnlyFans content, targeting users who engage with adult-oriented material. Victims download a ZIP file containing a VBScript loader and execute it manually, believing it will give them access to premium content otherwise available only through OnlyFans.
Unknown to them, this action installs the DcRAT Trojan, granting the attackers full remote access to their devices.
A compromised system faces several threats. DcRAT can monitor webcams, alter files, provide remote access, and steal web browser credentials, browser cookies and Discord tokens.
Further in the report, it is revealed that DcRAT can log keystrokes, monitor webcams, manipulate files and allow remote access over the internet, in addition to stealing web browser credentials, Discord tokens and browser cookies. DcRAT also carries a ransomware plugin that targets all non-system files and appends a .DcRat file extension to the files it encrypts.
Meanwhile, researchers have observed an increase in Android malware posing as the popular AI chatbot ChatGPT, again targeting smartphone users.
Researchers from Palo Alto Networks Unit 42 reported that these malware variants emerged alongside OpenAI's GPT-3.5 and GPT-4 tools, infecting users interested in trying ChatGPT.
DcRAT's ransomware plugin encrypts non-system files, rendering them unusable without the decryption key, which the threat actors typically hold for ransom.
Although the exact infection method remains unclear, experts speculate that malicious forum posts, instant messages, malvertising and search engine optimization techniques are possible attack vectors. Users should therefore exercise caution when browsing, avoid unfamiliar links, and stay vigilant when interacting with suspicious individuals online.
eSentire's Threat Research Unit (TRU) recommends several proactive measures to mitigate the risks of this campaign. Users should complete Phishing and Security Awareness Training (PSAT) to recognise the most common types of potentially malicious content and report it appropriately.
The execution of script files such as .vbs files should be restricted at all times. Systems should also be configured so that script files open in a trusted application such as Notepad, so that double-clicking a script displays it instead of running it.
It is also critically important to keep antivirus signatures up to date and to supplement regular antivirus with Next-Generation Antivirus (NGAV) or Endpoint Detection and Response (EDR) tooling to protect against emerging threats. Devices should be updated regularly as well, since updates often include security patches.
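The two script-file recommendations above can be applied on a Windows host with the following added example (not code from the eSentire report). It assumes an elevated PowerShell session and uses only the standard registry locations for the .vbs file type and Windows Script Host; nothing in it is campaign-specific.

```powershell
# Added example: harden a Windows host against double-click execution of .vbs loaders.
# Assumes an elevated (Administrator) PowerShell session.
$VbsOpenKey = 'Registry::HKEY_CLASSES_ROOT\VBSFile\Shell\Open\Command'
$WshKey     = 'HKLM:\SOFTWARE\Microsoft\Windows Script Host\Settings'

function Get-VbsOpenCommand {
    # Returns the command Windows runs when a .vbs file is double-clicked.
    # Stock value: "%SystemRoot%\System32\WScript.exe" "%1" %*
    (Get-ItemProperty -Path $VbsOpenKey -Name '(default)' -ErrorAction Stop).'(default)'
}

function Set-VbsOpenToNotepad {
    # Point the Open verb at Notepad so a double-clicked script is displayed, not run.
    # The Edit verb already uses Notepad; only Open is changed. The previous value is
    # returned so the change can be reverted.
    $previous = Get-VbsOpenCommand
    Set-ItemProperty -Path $VbsOpenKey -Name '(default)' -Type ExpandString `
        -Value '%SystemRoot%\System32\notepad.exe "%1"'
    return $previous
}

function Disable-WindowsScriptHost {
    # Stronger control: disable WSH machine-wide (wscript.exe/cscript.exe refuse to run
    # .vbs/.js/.wsf). This also blocks legitimate logon scripts, so pilot it first.
    if (-not (Test-Path $WshKey)) { New-Item -Path $WshKey -Force | Out-Null }
    Set-ItemProperty -Path $WshKey -Name 'Enabled' -Type DWord -Value 0
}

function Test-ScriptHardening {
    # Reports whether both controls are in place; usable as a compliance check.
    $open = Get-VbsOpenCommand
    $wsh  = (Get-ItemProperty -Path $WshKey -Name 'Enabled' -ErrorAction SilentlyContinue).Enabled
    [pscustomobject]@{
        VbsOpensInNotepad = ($open -match 'notepad\.exe')
        WshDisabled       = ($wsh -eq 0)
        VbsOpenCommand    = $open
    }
}

# Usage: record the old handler, apply both controls, then verify.
$old = Set-VbsOpenToNotepad
Write-Output "Previous .vbs open command: $old"
Disable-WindowsScriptHost
Test-ScriptHardening | Format-List
```

In a domain, the same two registry changes are normally pushed through Group Policy Preferences rather than run per host; the Test-ScriptHardening function still serves to audit the result.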