A security researcher at eSentire has discovered DcRAT, a remote access tool that resembles AsyncRAT, possessing capabilities for information theft and ransomware. This malware is presently being actively distributed through explicit bait, specifically targeting OnlyFans pages and other adult content.

The new campaign has been underway since January 2023, spreading ZIP files that contain a VBScript loader the victim is tricked into executing manually, thinking they’re about to access premium OnlyFans collections.

The infection chain is unknown, but it might be malicious forum posts, instant messages, malvertising, or even Black SEO sites that rank high in specific search terms. A sample shared by Eclypsium pretends to be nude photos of former adult film actress Mia Khalifa.

The VBScript loader is a minimally modified and obfuscated version of a script observed in a 2021 campaign discovered by Splunk, which was a slightly modified Windows printing script.

Obfuscated shellcode (eSentire)

When launched, it checks the OS architecture using WMI and spawns a 32-bit process as required for the following steps, extracts an embedded DLL file (“dynwrapx.dll”), and registers the DLL with the Regsvr32.exe command.

Buy Me A Coffee

This gives the malware access to DynamicWrapperX, a tool that enables calling functions from the Windows API or other DLL files.

Ultimately, the payload, named ‘BinaryData,’ is loaded into memory and injected into the ‘RegAsm.exe’ process, a legitimate part of the .NET Framework less likely to be flagged by AV tools.

Injecting the payload into a legitimate process (eSentire)

DcRAT performs keylogging, webcam monitoring, file manipulation, and remote access, and it can also steal credentials and cookies from web browsers or snatch Discord tokens.

READ
Russian Hacker Charged in U.S. for Orchestrating Widespread Ransomware Attacks