AsyncRAT Reloaded: Using Python and TryCloudflare for Malware Delivery Again
Feb. 4, 2025, 3:14 p.m.
Description
A new AsyncRAT malware campaign has been identified that delivers its malicious payloads through TryCloudflare quick tunnels and Python packages. The attack chain begins with a phishing email containing a Dropbox URL, which leads to a ZIP file holding an internet shortcut. Opening the shortcut triggers a series of downloads that ultimately execute the AsyncRAT malware via Python scripts. The campaign relies on legitimate infrastructure such as Dropbox and TryCloudflare to evade detection, and uses a multi-step process involving LNK, JavaScript, and BAT files that culminates in the extraction of malicious Python scripts. The attackers use process injection techniques to place shellcode into legitimate processes such as notepad.exe and explorer.exe. This approach highlights the evolving nature of cyber threats and the abuse of legitimate services for malicious purposes.
Date
Published: Feb. 1, 2025, 8:19 a.m.
Created: Feb. 1, 2025, 8:19 a.m.
Modified: Feb. 4, 2025, 3:14 p.m.
Attack Patterns
VenomRat
XWorm
AsyncRAT
T1059.006
T1059.001
T1571
T1204.002
T1573
T1129
T1106
T1055
T1204
T1027
T1566