OnlyDcRatFans: Malware Distributed Using Explicit Lures of OnlyFans…

MITRE Techniques

• [T1566.001] Phishing – Lure-based distribution via OnlyFans content; “In observed instances, victims were lured into downloading Zip files containing a VBScript loader which is executed manually.”
• [T1059.005] VBScript – The VBScript loader is used to decode and load the payload; “The loader (MD5 43876a44cc7736ff6432cb5d14c844fe) is a slightly modified version of this VBScript file analyzed by Splunk in 2021.”
• [T1218.011] Regsvr32 – The loader extracts embedded dynwrapx.dll and registers it using Regsvr32 to gain access to DynamicWrapperX; “registers it using Regsvr32 to gain access to DynamicWrapperX.”
• [T1055] Process Injection – The payload is loaded into memory and injected into RegAsm.exe; “loads the payload (BinaryData) into memory then calls CallWindowProcW to execute the shellcode, ultimately injecting the payload into Microsoft.NETFrameworkv4.0.30319RegAsm.exe.”
• [T1082] System Information Discovery – The loader checks the OS architecture using WMI; “Checks the OS (Operating Systems) architecture using WMI.”
• [T1056.001] Keylogging – DcRAT includes keylogging as part of its capabilities; “Beyond baseline capabilities such as keylogging, remote access, webcam monitoring, and file manipulation…”
• [T1555.003] Credentials in Browser – DcRAT includes browser credential and cookie stealing; “a browser credential and cookie stealer, a Discord token stealer and ransomware plugin…”
• [T1486] Data Encrypted for Impact – The ransomware plugin encrypts non-system files and appends “.DcRat” to filenames; “The ransomware plugin encrypts non-system files and appends “.DcRat” to the filename.”