Threat actors have been distributing the DcRAT information-stealing malware, a modified AsyncRAT variant, through fraudulent lures for the adult content subscription service OnlyFans and other adult content since January, according to BleepingComputer.
Victims have been tricked into downloading ZIP files containing a VBScript loader that resembles a slightly modified Windows printing script used in a 2021 campaign. When launched, the loader checks the OS architecture, extracts an embedded DLL file, and uses it to gain access to the DynamicWrapperX tool, according to a report from eSentire.
Researchers found that the BinaryData payload is then loaded into memory and DcRAT is injected into the legitimate "RegAsm.exe" process, which lets it evade antivirus scanning.
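As an added illustration (not code from eSentire or BleepingComputer), the following Python heuristic flags the two stages of the chain described above in process-creation telemetry: a script host executing a .vbs from a ZIP extraction or download location, and RegAsm.exe launched by a script host or without the assembly argument it normally takes. The event format, the path heuristics and the sample events are all assumptions constructed for this example.

```python
from dataclasses import dataclass

@dataclass
class ProcEvent:
    parent: str   # parent process image path
    image: str    # new process image path
    cmdline: str  # full command line

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}

def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def has_no_args(cmdline: str) -> bool:
    """True when the command line is just the image, quoted or not."""
    c = cmdline.strip()
    if c.startswith('"'):
        end = c.find('"', 1)
        rest = c[end + 1:] if end != -1 else ""
    else:
        rest = c.split(" ", 1)[1] if " " in c else ""
    return rest.strip() == ""

def flag(ev: ProcEvent) -> list[str]:
    """Return the reasons (possibly none) this event matches the chain."""
    reasons = []
    img, parent, cmd = basename(ev.image), basename(ev.parent), ev.cmdline.lower()
    # Stage 1: a script host running a .vbs straight from a ZIP extraction or
    # download location (assumed heuristic for the ZIP-delivered loader).
    if img in SCRIPT_HOSTS and ".vbs" in cmd and ("\\temp\\" in cmd or "\\downloads\\" in cmd):
        reasons.append("script host executing .vbs from temp/downloads")
    # Stage 2: RegAsm.exe normally registers an assembly given on its command
    # line; a bare launch or a script-host parent is suspicious (assumed).
    if img == "regasm.exe":
        if parent in SCRIPT_HOSTS:
            reasons.append("RegAsm.exe spawned by a script host")
        if has_no_args(ev.cmdline):
            reasons.append("RegAsm.exe launched without an assembly argument")
    return reasons

# Constructed sample events (Sysmon Event ID 1 style); not from the report.
SAMPLE_EVENTS = [
    ProcEvent(r"C:\Windows\explorer.exe", r"C:\Windows\System32\wscript.exe",
              r'"C:\Windows\System32\wscript.exe" "C:\Users\u\AppData\Local\Temp\Temp1_lure.zip\lure.vbs"'),
    ProcEvent(r"C:\Windows\System32\wscript.exe",
              r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe",
              r'"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"'),
    ProcEvent(r"C:\Program Files\Microsoft Visual Studio\devenv.exe",
              r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe",
              r"RegAsm.exe /codebase C:\build\MyLib.dll"),
]
```

The third sample, a developer tool registering a real assembly, produces no hits, which is the false-positive case any such rule needs to pass.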
Aside from keylogging, file modification, webcam monitoring, and remote access capabilities, DcRAT can also steal browser credentials and cookies, exfiltrate Discord tokens, and encrypt all non-system files through a ransomware plugin.