Tweaking AsyncRAT: Using Python and TryCloudflare to Deploy Malware
Oct. 4, 2024, 12:42 p.m.
Description
A new AsyncRAT malware campaign utilizes TryCloudflare quick tunnels and Python packages to deliver malicious payloads. The attack chain involves HTML attachments with 'search-ms' URI protocol handlers, leading to LNK files that download BAT files. These BAT files then retrieve and execute Python scripts containing base64-encoded shellcode. The malware injects itself into legitimate processes like notepad.exe and connects to various C2 servers. This campaign primarily targets health, travel, and banking sectors through phishing emails. The use of Python packages allows attackers to compromise systems even without pre-installed Python applications, while exploiting TryCloudflare's temporary infrastructure opens new attack vectors.
Tags
Date
- Created: Oct. 4, 2024, 10:23 a.m.
- Published: Oct. 4, 2024, 10:23 a.m.
- Modified: Oct. 4, 2024, 12:42 p.m.
Indicators
- 8d28191f647572d5e159f35ae55120ddf56209a18f2ca95a28d3ca9408b90d68
- 16a4de0540181bab7c5d25fcdf90838a28f2dff4ed9e0e37de3f5f1ab20afe0a
- http://ncmomenthv.duckdns.org:8896
- travel-scholar-an-equity.trycloudflare.com
- rvenom.duckdns.org
- researchers-hrs-auctions-coating.trycloudflare.com
- be-broadband-wp-canon.trycloudflare.com
- bangkok-generally-ensemble-nfl.trycloudflare.com
- vxsrwrm.duckdns.org
- xoowill56.duckdns.org
- ghdsasync.duckdns.org
- float-suppose-msg-pulling.trycloudflare.com
- drvenomjh.duckdns.org
- ncmomenthv.duckdns.org
- anachyyyyy.duckdns.org
Attack Patterns
- Xworm
- AsyncRAT
- T1059.006
- T1059.001
- T1547.001
- T1573
- T1071
- T1055
- T1204
- T1140
- T1027
- T1566
Additional Informations
- Healthcare
- Transportation
- Finance