Cyber Security News

AsyncRAT Abusing Python and TryCloudflare For Stealthy Malware Delivery

In a significant finding, Forcepoint’s X-Labs research team has uncovered a new malware campaign that uses AsyncRAT, a notorious remote access trojan (RAT), along with Python scripting and TryCloudflare tunnels to deliver malicious payloads with enhanced stealth.

This campaign highlights an evolving trend of adversaries exploiting legitimate infrastructure to cloak their attacks, reinforcing predictions from recent cybersecurity insights.

AsyncRAT, known for its asynchronous communication capabilities, enables attackers to control compromised systems, exfiltrate sensitive data, and execute commands undetected.

In this campaign, adversaries utilize phishing emails, TryCloudflare URLs, and a series of chained obfuscated scripts to bypass security mechanisms and deliver their payload via Python-based modules.

AsyncRATAsyncRAT
AsyncRAT phishing email

Decoding Complexity

The infection chain begins with a phishing email containing a Dropbox URL, which downloads a ZIP file.

This ZIP file includes an internet shortcut file (.URL) that redirects to a malicious TryCloudflare-hosted link.

Actual malicious files

The attack progresses through various stages:

  1. URL File: The .URL shortcut leads to an .LNK file hosted on a TryCloudflare directory.
  2. LNK & JavaScript: The .LNK file triggers PowerShell scripts to download a highly obfuscated JavaScript (.JS) file.
  3. Batch File: The .BAT file uses PowerShell commands to download another ZIP file containing a Python script and other components.
  4. Python Script: The extracted Python script (load.py) executes malicious shellcode contained in accompanying .BIN files.

Python’s Role and Early Bird Injection

The Python script (load.py) is at the heart of the campaign’s payload delivery mechanism.

It leverages the ctypes library for functions like memory allocation, process creation, and code injection.

The attackers employ the “Early Bird APC Queue” injection technique, a sophisticated method that allows malicious code execution during the initialization phase of legitimate processes, thereby evading detection by traditional endpoint security solutions.

The payload communicates with its command-and-control (C2) servers at IP addresses such as 62.60.190.141, operating over non-standard ports like 3232 and 4056.

These C2 channels facilitate data exfiltration and remote command execution, completing the attacker’s control over the infected host.

This campaign demonstrates how malicious actors weaponize legitimate platforms like Dropbox and TryCloudflare to create low-cost, high-efficacy attack chains.

By employing multiple layers of obfuscation, legitimate-looking files, and trusted infrastructure, the attackers effectively bypass traditional defenses.

ForcePoint research underscores the importance of multi-layered defenses and proactive threat intelligence.

As attacks leveraging low-cost, open infrastructure grow in sophistication, organizations must adopt advanced detection and mitigation techniques to stay ahead of emerging threats.

Investigate Real-World Malicious Links & Phishing Attacks With Threat Intelligence Lookup - Try for Free

Aman Mishra

Aman Mishra is a Security and privacy Reporter covering various data breach, cyber crime, malware, & vulnerability.

Recent Posts

Researchers Turn the Tables: Scamming the Scammers in Telegram’s PigButchering Scheme

Cybersecurity specialists have devised an innovative approach to combat an emerging cybercrime called "PigButchering" on…

32 minutes ago

New Spam Campaign Leverages Remote Monitoring Tools to Exploit Organizations

A sophisticated spam campaign targeting Portuguese-speaking users in Brazil has been uncovered by Cisco Talos,…

41 minutes ago

New Attack Exploits X/Twitter Ad URL Feature to Deceive Users

Silent Push Threat Analysts have recently exposed a sophisticated financial scam leveraging a vulnerability in…

46 minutes ago

Guess Which Browser Tops the List for Data Collection!

Google Chrome has emerged as the undisputed champion of data collection among 10 popular web…

49 minutes ago

DOGE Big Balls Ransomware Leverages Open-Source Tools and Custom Scripts for Multi-Stage Attacks

A recent discovery by Netskope Threat Labs has brought to light a highly complex ransomware…

1 hour ago

Ransomware-as-a-Service (RaaS) Emerges as a Leading Framework for Cyberattacks

Ransomware-as-a-Service (RaaS) has solidified its position as the dominant framework driving ransomware attacks in 2024,…

1 hour ago