In June, cybercriminals use fake OnlyFans content to deploy DcRAT. The RecordBreaker malware spreads disguised as a .NET installer. North Korea’s APT37 group launches “FadeStealer” for cyber espionage. Crysis threat actors use Remote Desktop Protocol to deploy Venus ransomware, and more. <\/p>\n\n\n\n
1. Fake OnlyFans Content Used to Deploy DcRAT Malware <\/h2>\n\n\n\n
A new malware campaign exploits<\/a> the popularity of the content subscription service, OnlyFans, by using phony content and adult lures to install a remote access trojan (RAT) named DcRAT<\/a>. <\/p>\n\n\n\n This RAT gives threat actors the ability to steal data and credentials or distribute ransomware on infected devices. The cybercriminals trick victims into executing a VBScript loader contained in a ZIP file, misleading them to believe they are accessing premium OnlyFans collections. <\/p>\n\n\n\n The infection chain for this campaign remains uncertain, but potential sources could include malicious forum posts, instant messages, malvertising, or Black SEO sites. The VBScript loader used is a minimally modified and obfuscated version of a script seen in a previous 2021 campaign. Upon launch, the loader verifies the OS architecture, extracts an embedded DLL file, and registers the DLL, gaining access to DynamicWrapperX \u2014 a tool for calling functions from Windows API or other DLL files. <\/p>\n\n\n\n Finally, the payload “BinaryData” is loaded into memory and injected into the “RegAsm.exe” process, a legitimate part of the .NET Framework less likely to be flagged by AV tools. This injected payload, DcRAT, is a modified version of AsyncRAT and has capabilities including keylogging, webcam monitoring, file manipulation, and remote access. Notably, it also has a ransomware plugin that targets all non-system files and appends the “.DcRat” filename extension to encrypted files. <\/p>\n\n\n\n![\"Analyze](\"\/cybersecurity-blog\/wp-content\/uploads\/2023\/07\/image-1024x554.png\")