Tweaking AsyncRAT: Using Python and TryCloudflare to Deploy Malware

Oct. 4, 2024, 12:42 p.m.

Description

A new AsyncRAT malware campaign uses TryCloudflare quick tunnels and Python packages to deliver malicious payloads. The attack chain begins with HTML attachments that use the 'search-ms' URI protocol handler, leading to LNK files that download BAT files. These BAT files then retrieve and execute Python scripts containing base64-encoded shellcode. The malware injects itself into legitimate processes such as notepad.exe and connects to various C2 servers. The campaign primarily targets the health, travel, and banking sectors through phishing emails. Bundling a Python package lets the attackers compromise systems that have no Python installation of their own, while abusing TryCloudflare's temporary tunnel infrastructure opens a new attack vector.

Date

Published: Oct. 4, 2024, 10:23 a.m.
Created: Oct. 4, 2024, 10:23 a.m.
Modified: Oct. 4, 2024, 12:42 p.m.

Indicators

8d28191f647572d5e159f35ae55120ddf56209a18f2ca95a28d3ca9408b90d68

16a4de0540181bab7c5d25fcdf90838a28f2dff4ed9e0e37de3f5f1ab20afe0a

http://ncmomenthv.duckdns.org:8896

Attack Patterns

Xworm

AsyncRAT

T1059.006

T1059.001

T1547.001

T1573

T1071

T1055

T1204

T1140

T1027

T1566

Additional Information

Healthcare

Transportation

Finance