Malicious actors are distributing malware under the guise of free access to paywall-protected OnlyFans content. OnlyFans is a popular Internet content subscription platform, where visitors can pay to receive premium content from a range of different content creators such as social media personalities, musicians, and celebrities, although the 18+ subscription platform is most commonly associated with X-rated content. The malware campaign targets individuals looking to access the latter for free.

The campaign uses fake OnlyFans content and X-rated lures promising access to private photos, videos, and posts without having to pay for the content. Users are tricked into downloading an executable file, that installs a remote access Trojan. A VBScript loader is contained in a ZIP file, and if executed, will deliver a variant of the AsynchRAT called DCRAT (aka DarkCrystal) -– a remote access Trojan that provides access to the user’s device. DcRAT allows remote access, but can also access the webcam, log keystrokes, manipulate files, steal credentials, cookies, and Discord tokens, and encrypt files for extortion.

Researchers at eSentire identified the campaign after a user attempted to execute the VBscript loader, although it is currently unclear how the ZIP file containing the VBScript loader is being distributed. As such, a defense-in-depth approach is recommended to block the most likely attack vectors. Phishing emails are commonly used for distributing malware. Any email that claims to offer free access to OnlyFans is a major red flag since the site requires paid subscriptions to access content. SEO poisoning may be used to get malicious websites to appear high in the search engine results for key search terms, and malvertising – malicious adverts – may be displayed on legitimate websites through third-party ad networks that direct users to URLs where free content is offered. Compromised social media accounts may be used to post offers of free access to OnlyFans content, and SMS and instant messaging service messages may advertise the offers and include links to malicious websites.

All of these ways of making contact with users can be combatted through phishing and security awareness training using the SafeTitan platform. SafeTitan includes an extensive library of training content for creating security awareness training programs to improve awareness of threats, teach security best practices, and train users how to identify phishing attempts. The platform also includes a phishing simulator for testing responses to phishing attacks, including phishing attempts with OnlyFans-related lures.

Email security solutions should be implemented to block any phishing attempts. SpamTitan incorporates signature and behavior-based detection mechanisms for identifying malicious attachments, link scanning, and machine learning capabilities to identify zero-day phishing attacks. WebTitan Cloud can be used to improve protection against web-based attacks, such as malicious file downloads from malicious and compromised websites and to prevent access to risky categories of websites and websites that serve no work purpose. IT admins should also consider implementing restrictions for script files, such as blocking VBScript and JavaScript from launching downloaded executable content or using Group Policy Management Console to create open with parameters for script files to ensure they are opened with notepad.exe. These measures will not only be effective at blocking this OnlyFans campaign but also for blocking attempts by other malicious actors to install malware and ransomware.