AsyncRAT Reloaded: Using Python and TryCloudflare for Malware Delivery Again
Summary:
The Forcepoint X-Labs research team recently uncovered an AsyncRAT malware campaign that leverages malicious payloads delivered via TryCloudflare quick tunnels and Python packages. The attack begins with a phishing email containing a Dropbox link. When clicked, it downloads a ZIP file that includes an internet shortcut (.URL file). Opening this shortcut triggers a chain of events, first leading to a .LNK file, then a JavaScript file, which calls a .BAT file hosting malicious content. This eventually delivers another ZIP file containing a Python script that executes the AsyncRAT malware. For its part, AsyncRAT is a remote access trojan that uses the async/await pattern for efficient, asynchronous communication. It enables attackers to remotely control infected systems, exfiltrate data, and execute commands while staying undetected.
Security Officer Comments:
The latest campaign employs heavy obfuscation and legitimate services like Dropbox and TryCloudflare to avoid detection and analysis. According to researchers, when a user clicks on the .LNK file, it triggers PowerShell to download a JavaScript file from a TryCloudflare tunnel, using another directory on the same site.
TryCloudflare is a service offered by Cloudflare that enables users to expose their web servers to the internet without needing to open any ports on their network. It works by creating a dedicated, randomly named subdomain on trycloudflare[.]com, which acts as a proxy that routes traffic to the web server over an outbound tunnel. This setup makes the server reachable from the internet while obscuring its real IP address and infrastructure. The service is intended for testing and development, but it can equally be abused by malicious actors to hide their infrastructure and evade detection, as seen in this campaign.
Suggested Corrections:
End users should refrain from clicking on links or opening attachments from unknown or untrusted sources. Because the campaign relies on Python scripts for malware delivery, organizations should restrict Python usage to employees whose tasks require it. Additionally, organizations should block or closely monitor traffic to suspicious or untrusted TryCloudflare subdomains and enforce strict URL filtering to prevent access to malicious tunnels. Endpoint security tools should also be deployed to detect and block the execution of harmful files or scripts delivered through these tunnels.
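The monitoring recommendation above can be implemented as a small log-review pass. The following is an added example written for this write-up, not Forcepoint's code: it scans web-proxy log lines for requests to TryCloudflare quick-tunnel hostnames, exempts an allowlist of tunnels the organization has approved, and raises severity when a script-type client or one of the staging file types from the described chain (.js, .bat, .zip, .py) is involved. The log format, the allowlist and every sample line are constructed for the example.

```python
"""Flag proxy log lines that reach TryCloudflare quick tunnels.

Added example (not from the original report). Assumptions:
- a constructed, space-separated proxy log format:
  <timestamp> <client-ip> <method> <url> "<user-agent>"
- ALLOWED_TUNNELS is a hypothetical local allowlist.
"""
import os
import re
from collections import defaultdict
from urllib.parse import urlparse

# Quick tunnels are served from a random subdomain of trycloudflare.com.
TUNNEL_SUFFIX = ".trycloudflare.com"

# File types from the delivery chain in the report (.LNK/.URL -> JS -> BAT -> ZIP -> Python).
STAGING_EXTENSIONS = {".url", ".lnk", ".js", ".bat", ".zip", ".py"}

# Hypothetical allowlist: tunnels a development team has registered with security.
ALLOWED_TUNNELS = {"approved-dev-demo.trycloudflare.com"}

# Fragments that mark a scripting client rather than a browser fetching the URL.
SCRIPT_CLIENT_MARKERS = ("powershell", "winhttp", "python-requests", "curl/", "wget/")

LOG_RE = re.compile(
    r'^(?P<ts>\S+) (?P<client>\S+) (?P<method>[A-Z]+) (?P<url>\S+) "(?P<ua>[^"]*)"$'
)

# Constructed sample log; the tunnel names are invented, not real indicators.
SAMPLE_LOG = [
    '2025-02-05T10:02:11Z 10.0.0.21 GET https://approved-dev-demo.trycloudflare.com/api/health "Mozilla/5.0"',
    '2025-02-05T10:03:47Z 10.0.0.34 GET https://random-words-example.trycloudflare.com/files/loader.js '
    '"Mozilla/5.0 (Windows NT 10.0) WindowsPowerShell/5.1"',
    '2025-02-05T10:03:49Z 10.0.0.34 GET https://random-words-example.trycloudflare.com/files/stage.bat "Mozilla/5.0"',
    '2025-02-05T10:04:00Z 10.0.0.34 GET https://random-words-example.trycloudflare.com/dl/payload.zip "Mozilla/5.0"',
    '2025-02-05T10:05:12Z 10.0.0.40 GET https://www.example.com/index.html "Mozilla/5.0"',
    '2025-02-05T10:06:00Z 10.0.0.40 GET https://other-tunnel-example.trycloudflare.com/ "Mozilla/5.0"',
]


def parse_line(line):
    """Return the log fields as a dict, or None if the line does not match the format."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def is_tunnel_host(host):
    """True for <anything>.trycloudflare.com, but not the bare apex domain."""
    host = host.lower().rstrip(".")
    return host.endswith(TUNNEL_SUFFIX) and host != TUNNEL_SUFFIX.lstrip(".")


def classify(rec):
    """Return a finding dict for a tunnel request, or None for non-tunnel traffic."""
    url = urlparse(rec["url"])
    host = (url.hostname or "").lower()
    if not is_tunnel_host(host):
        return None
    ext = os.path.splitext(url.path)[1].lower()
    finding = {"client": rec["client"], "host": host, "ext": ext}
    if host in ALLOWED_TUNNELS:
        finding.update(severity="info", reason="allowlisted tunnel")
    elif ext in STAGING_EXTENSIONS:
        finding.update(severity="high", reason=f"staging file type {ext} fetched from unapproved tunnel")
    elif any(marker in rec["ua"].lower() for marker in SCRIPT_CLIENT_MARKERS):
        finding.update(severity="high", reason="script client contacting unapproved tunnel")
    else:
        finding.update(severity="medium", reason="unapproved tunnel contacted")
    return finding


def scan(lines):
    """Classify every parseable line; returns findings in log order."""
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        f = classify(rec)
        if f is not None:
            findings.append(f)
    return findings


def staging_chains(findings, min_stages=2):
    """Clients that pulled two or more distinct staging file types from one unapproved tunnel.

    A single .zip from a tunnel may be benign; a .js followed by .bat and .zip
    from the same host mirrors the multi-stage chain described in the report.
    """
    stages = defaultdict(set)
    for f in findings:
        if f["severity"] == "high" and f["ext"] in STAGING_EXTENSIONS:
            stages[(f["client"], f["host"])].add(f["ext"])
    return {key: sorted(exts) for key, exts in stages.items() if len(exts) >= min_stages}


if __name__ == "__main__":
    results = scan(SAMPLE_LOG)
    for r in results:
        print(f'{r["severity"]:6} {r["client"]:10} {r["host"]} {r["reason"]}')
    for (client, host), exts in staging_chains(results).items():
        print(f"CHAIN  {client} pulled {', '.join(exts)} from {host}")
```

Run as-is, the sample produces one informational hit for the allowlisted tunnel, three high-severity hits for the .js/.bat/.zip pulls by one client, a medium hit for the browser visit to an unknown tunnel, and one chain alert for the client that fetched three staging file types from the same tunnel. In production the allowlist and the script-client markers would come from local policy, and the chain check would be run over a time window rather than a whole file.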
Link(s):
https://www.forcepoint.com/blog/x-labs/asyncrat-reloaded-python-trycloudflare-malware