AsyncRAT Abusing Python and TryCloudflare For Stealthy Malware Delivery

In a significant finding, Forcepoint’s X-Labs research team has uncovered a new malware campaign that uses AsyncRAT, a notorious remote access trojan (RAT), along with Python scripting and TryCloudflare tunnels to deliver malicious payloads with enhanced stealth.

This campaign highlights an evolving trend of adversaries exploiting legitimate infrastructure to cloak their attacks, reinforcing predictions from recent cybersecurity insights.

AsyncRAT, known for its asynchronous communication capabilities, enables attackers to control compromised systems, exfiltrate sensitive data, and execute commands undetected.

In this campaign, adversaries utilize phishing emails, TryCloudflare URLs, and a series of chained obfuscated scripts to bypass security mechanisms and deliver their payload via Python-based modules.

Decoding Complexity

The infection chain begins with a phishing email containing a Dropbox URL, which downloads a ZIP file.

This ZIP file includes an internet shortcut file (.URL) that redirects to a malicious TryCloudflare-hosted link.

The attack progresses through various stages:

1. URL File: The .URL shortcut leads to an .LNK file hosted on a TryCloudflare directory.
2. LNK & JavaScript: The .LNK file triggers PowerShell scripts to download a highly obfuscated JavaScript (.JS) file.
3. Batch File: The .BAT file uses PowerShell commands to download another ZIP file containing a Python script and other components.
4. Python Script: The extracted Python script (load.py) executes malicious shellcode contained in accompanying .BIN files.

Python’s Role and Early Bird Injection

The Python script (load.py) is at the heart of the campaign’s payload delivery mechanism.

It leverages the ctypes library for functions like memory allocation, process creation, and code injection.

The attackers employ the “Early Bird APC Queue” injection technique, a sophisticated method that allows malicious code execution during the initialization phase of legitimate processes, thereby evading detection by traditional endpoint security solutions.

The payload communicates with its command-and-control (C2) servers at IP addresses such as 62.60.190.141, operating over non-standard ports like 3232 and 4056.

These C2 channels facilitate data exfiltration and remote command execution, completing the attacker’s control over the infected host.

This campaign demonstrates how malicious actors weaponize legitimate platforms like Dropbox and TryCloudflare to create low-cost, high-efficacy attack chains.

By employing multiple layers of obfuscation, legitimate-looking files, and trusted infrastructure, the attackers effectively bypass traditional defenses.

ForcePoint research underscores the importance of multi-layered defenses and proactive threat intelligence.

As attacks leveraging low-cost, open infrastructure grow in sophistication, organizations must adopt advanced detection and mitigation techniques to stay ahead of emerging threats.

Investigate Real-World Malicious Links & Phishing Attacks With Threat Intelligence Lookup - Try for Free