Verticals Targeted: Consumer Services
What is DcRAT?
DcRAT is a clone of AsyncRAT and is used for remote access and information stealing. It also has ransomware capabilities. DcRAT has been distributed via adult content-themed lures, including lures for OnlyFans pages. Lure file names suggest the victims were enticed with the promise of photos or OnlyFans content from adult film actresses.
Victims of the attack were lured into downloading Zip files that contained a VBScript loader. The file must be manually executed. The VBScript loader uses a legitimate printer-related Windows script that is modified to hide the loader. The loader contains the DcRAT payload and shellcode. The payload is injected into RegAsm.exe.
While DcRAT is based on AsyncRAT, it includes multiple plugins that extend its functionality. DcRAT capabilities include keylogging, remote access, webcam monitoring, file manipulation, a stealer that targets browser credentials and cookies, a Discord token stealer, and a ransomware plugin. Files encrypted by the ransomware plugin have the DcRat extension appended. The ransomware plugin also drops a ransom note.
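The delivery chain and ransomware behaviour described above give a defender two simple telemetry signals: a Windows script host (the VBScript loader) spawning RegAsm.exe, and files being written with the ransomware plugin's extension. The following script is an added example written for this bulletin, not PolySwarm's code or anything taken from the malware. It assumes endpoint events have already been normalized into dicts with the keys `type`, `image`, `parent_image`, `pid` and `target_filename` (a simplified form of Sysmon process-create and file-create fields), that the ransomware extension is literally `.DcRat`, and the sample events at the bottom are constructed for illustration.

```python
"""Flag DcRAT-style delivery and ransomware activity in normalized endpoint events.

Added example for this bulletin; not PolySwarm's code. Field names below are
an assumed normalized schema (roughly Sysmon Event ID 1 and 11 after parsing).
"""
import ntpath

# Windows script hosts that would run the VBScript loader.
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
# Process the bulletin names as the injection target.
INJECTION_TARGET = "regasm.exe"
# Assumed literal form of the extension the ransomware plugin appends.
RANSOM_EXTENSION = ".dcrat"


def _basename(path):
    """Lower-cased file name of a Windows path (works on any host OS)."""
    return ntpath.basename(path or "").lower()


def flag_process_event(event):
    """Return a finding if a script host spawned RegAsm.exe, else None."""
    parent = _basename(event.get("parent_image"))
    image = _basename(event.get("image"))
    if parent in SCRIPT_HOSTS and image == INJECTION_TARGET:
        return f"{parent} spawned {image} (pid {event.get('pid')}): possible loader injection"
    return None


def flag_file_event(event):
    """Return a finding if a file was written with the ransomware extension, else None."""
    target = event.get("target_filename") or ""
    if target.lower().endswith(RANSOM_EXTENSION):
        return f"file written with {RANSOM_EXTENSION} extension: {target}"
    return None


def scan_events(events):
    """Run both checks over an event stream and collect findings in order."""
    findings = []
    for ev in events:
        kind = ev.get("type")
        finding = None
        if kind == "process_create":
            finding = flag_process_event(ev)
        elif kind == "file_create":
            finding = flag_file_event(ev)
        if finding:
            findings.append(finding)
    return findings


# Constructed sample events: one benign RegAsm launch from an installer, one
# loader-style launch from wscript.exe, one ordinary file write, and one write
# carrying the ransomware extension.
SAMPLE_EVENTS = [
    {"type": "process_create", "pid": 4120,
     "parent_image": r"C:\Program Files\Vendor\setup.exe",
     "image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"},
    {"type": "process_create", "pid": 5311,
     "parent_image": r"C:\Windows\System32\wscript.exe",
     "image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"},
    {"type": "file_create", "pid": 5311,
     "target_filename": r"C:\Users\user\Documents\report.docx"},
    {"type": "file_create", "pid": 5311,
     "target_filename": r"C:\Users\user\Documents\report.docx.DcRat"},
]

if __name__ == "__main__":
    for line in scan_events(SAMPLE_EVENTS):
        print(line)
```

The parent/child check alone will produce noise from legitimate installers that register COM assemblies, so in practice it is combined with the parent being a script host and, where available, a zip or browser download as the grandparent; the extension check is cheap and specific enough to alert on its own.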
IOCs
PolySwarm has multiple samples associated with DcRAT.
Da642fc983f09b106c32181f7e66d0cad426924650594ca613e5ce5b25b71493
2d2211d9266e7080e6e12d150829935a3f0794e4d499199f9c7480de02b458d7
c344723295279aaaf2a4220a77d74db903985264cf3adfba5015f9f31f0dddec
You can use the following CLI command to search for all DcRAT samples in our portal:
$ polyswarm link list -f DcRAT