In a significant finding, Forcepoint’s X-Labs research team has uncovered a new malware campaign that uses AsyncRAT, a notorious remote access trojan (RAT), along with Python scripting and TryCloudflare tunnels to deliver malicious payloads with enhanced stealth.
This campaign highlights an evolving trend of adversaries exploiting legitimate infrastructure to cloak their attacks, reinforcing predictions from recent cybersecurity insights.
AsyncRAT, known for its asynchronous communication capabilities, enables attackers to control compromised systems, exfiltrate sensitive data, and execute commands undetected.
In this campaign, adversaries utilize phishing emails, TryCloudflare URLs, and a series of chained obfuscated scripts to bypass security mechanisms and deliver their payload via Python-based modules.
The infection chain begins with a phishing email containing a Dropbox URL, which downloads a ZIP file.
This ZIP file includes an internet shortcut file (.URL) that redirects to a malicious TryCloudflare-hosted link.
The attack progresses through various stages:
load.py
) executes malicious shellcode contained in accompanying .BIN files. The Python script (load.py
) is at the heart of the campaign’s payload delivery mechanism.
It leverages the ctypes
library for functions like memory allocation, process creation, and code injection.
The attackers employ the “Early Bird APC Queue” injection technique, a sophisticated method that allows malicious code execution during the initialization phase of legitimate processes, thereby evading detection by traditional endpoint security solutions.
The payload communicates with its command-and-control (C2) servers at IP addresses such as 62.60.190.141
, operating over non-standard ports like 3232 and 4056.
These C2 channels facilitate data exfiltration and remote command execution, completing the attacker’s control over the infected host.
This campaign demonstrates how malicious actors weaponize legitimate platforms like Dropbox and TryCloudflare to create low-cost, high-efficacy attack chains.
By employing multiple layers of obfuscation, legitimate-looking files, and trusted infrastructure, the attackers effectively bypass traditional defenses.
ForcePoint research underscores the importance of multi-layered defenses and proactive threat intelligence.
As attacks leveraging low-cost, open infrastructure grow in sophistication, organizations must adopt advanced detection and mitigation techniques to stay ahead of emerging threats.
Investigate Real-World Malicious Links & Phishing Attacks With Threat Intelligence Lookup - Try for Free
Cado Security Labs has identified a sophisticated cryptomining campaign exploiting misconfigured Jupyter Notebooks, targeting both…
Amazon Web Services' Simple Notification Service (AWS SNS) is a versatile cloud-based pub/sub service that…
A recent alert from the Akamai Security Intelligence and Response Team (SIRT) has highlighted the…
Cisco has issued a security advisory warning of a vulnerability in its IOS XR Software…
The increasing popularity of generative artificial intelligence (GenAI) tools, such as OpenAI’s ChatGPT and Google’s…
Microsoft researchers have uncovered a surprisingly straightforward method that can bypass safety guardrails in most…