Scroll Top

New DcRAT malware poses serious threat to users; Targets OnlyFans and adult content enthusiasts


New DcRAT malware poses serious threat to users; Targets OnlyFans and adult content enthusiasts
Clone of malicious Remote Access Tool (RAT) discovered; Users urged to stay vigilant

Experts have recently uncovered a new strain of malware called DcRAT, which is a clone of the notorious #AsyncRAT remote access tool. This malicious software poses a significant danger to users, as it is actively distributed using explicit lures, specifically targeting OnlyFans and adult content enthusiasts.

The modus operandi of this malware involves enticing victims to download Zip files containing explicit photos or supposed OnlyFans content. These seemingly harmless files, upon extraction, unleash a VBScript loader (MD5 43876a44cc7736ff6432cb5d14c844fe), which victims are tricked into manually executing. The distribution of DcRAT malware can be traced back to January 2023, with recent samples being submitted as recently as June 4th.

What makes DcRAT particularly insidious is its obfuscation techniques. The VBScript loader cleverly conceals the payload, dynwrapx.dll, and shellcode, all of which are hex encoded and reversed. This obfuscation makes it incredibly challenging to detect the malware, even for seasoned security professionals.

Once executed, the loader takes several steps to establish control over the victim’s system. It checks the operating system architecture and spawns a 32-bit process if necessary. Subsequently, it extracts dynwrapx.dll, decodes it, and registers it to gain access to DynamicWrapperX. By leveraging this object, DcRAT then proceeds to load CallWindowProcW and VirtualAlloc, laying the groundwork for its malicious activities.

DcRAT is essentially a modified version of AsyncRAT, equipped with additional plugins that expand its capabilities. These features include keylogging, remote access, webcam monitoring, file manipulation, browser credential and cookie stealing, Discord token stealing, and even ransomware functionalities. The ransomware plugin, in particular, encrypts non-system files and appends the “.DcRat” extension to their names. To compound matters, victims are confronted with an extortion note on their desktops, listing the encrypted files and demanding payment.

Identifying DcRAT can be a daunting task, as it closely resembles AsyncRAT. However, security researchers have discovered some distinguishing characteristics that can help differentiate between the two. These include the PBKDF2 salt value, decrypted configuration mutex (“DCstringRatMutexqwqdan3chun”), and X509Certificate.

To safeguard themselves against this emerging threat, users are strongly advised to exercise caution when encountering suspicious files, especially those related to adult content. Implementing robust cybersecurity measures is paramount. This includes keeping antivirus software up to date, practicing safe browsing habits, and remaining vigilant while downloading files.

As the DcRAT malware continues to evolve and pose a threat to users worldwide, it is imperative for individuals and organizations alike to remain proactive in their cybersecurity practices. By staying informed and taking necessary precautions, users can effectively mitigate the risk of falling victim to these malware attacks and safeguard their digital lives.

Leave a comment

You must be logged in to post a comment.
Privacy Preferences
When you visit our website, it may store information through your browser from specific services, usually in form of cookies. Here you can change your privacy preferences. Please note that blocking some types of cookies may impact your experience on our website and the services we offer.