Techniques Using Python Payloads and TryCloudflare Tunnels in AsyncRAT Attacks

In the increasingly complex cybersecurity landscape, a new malware campaign has been discovered, using a combination of Python payloads and TryCloudflare tunnel services to distribute AsyncRAT - a dangerous remote access Trojan (RAT). This is a stern reminder that threat actors continually seek to exploit legitimate tools and services to carry out sophisticated attacks.
Overview
AsyncRAT is a type of RAT that uses the async/await model to enable efficient asynchronous communication. According to Jyotika Singh, a researcher at Forcepoint X-Labs, AsyncRAT allows attackers to secretly control infected systems, steal data, and execute remote commands without being detected. This makes it a serious threat to both individuals and businesses.
Attack Method: From Phishing Emails to Malicious Payloads
This campaign begins with a phishing email containing a Dropbox link. Clicking it downloads a ZIP archive that contains a shortcut (LNK) file and a decoy PDF document meant to make the download look harmless.

Step 1: The LNK file is retrieved via a TryCloudflare URL embedded in the shortcut. TryCloudflare is a legitimate Cloudflare service that exposes a local service through a temporary tunnel without opening inbound network ports.
Step 2: The LNK file triggers PowerShell to execute JavaScript code, leading to the download of a batch (BAT) script.
Step 3: The BAT script downloads another ZIP file containing a Python payload, which then launches malware such as AsyncRAT, Venom RAT, and XWorm.
A notable aspect of this campaign is the use of legitimate services like Dropbox and TryCloudflare to hide malicious activity. Because the temporary Dropbox URLs and TryCloudflare tunnels come from trusted services, users tend to accept them as legitimate, which makes the deception effective.
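As an added illustration (not code from the original report or from Forcepoint), the following Python sketch shows how a defender could spot the chain from steps 1 to 3 in host and proxy telemetry: it walks the process ancestry of Python processes back through cmd.exe (the BAT stage) and PowerShell, and extracts downloads from *.trycloudflare.com hostnames. The Sysmon-style field names, wscript.exe as the JavaScript host, and all sample telemetry are assumptions.

```python
import re

# Process image -> stage of the delivery chain described on this page:
# PowerShell -> JavaScript (script host, assumed wscript/cscript) -> BAT (cmd.exe) -> Python.
STAGE_OF = {"powershell.exe": "powershell", "pwsh.exe": "powershell", "wscript.exe": "javascript",
            "cscript.exe": "javascript", "cmd.exe": "bat", "python.exe": "python", "pythonw.exe": "python"}
TRYCLOUDFLARE_URL = re.compile(r"https?://([a-z0-9-]+\.trycloudflare\.com)(/\S*)?", re.I)

def find_chains(events, max_depth=8):
    """Return (pid, stages) for each Python process whose ancestry passes through cmd.exe
    and PowerShell (steps 2 and 3). events: process-creation records with pid, ppid, image."""
    by_pid = {e["pid"]: e for e in events}
    hits = []
    for e in events:
        if STAGE_OF.get(e["image"].lower()) != "python":
            continue
        stages, cur = ["python"], e
        for _ in range(max_depth):  # bounded walk guards against PID-reuse loops
            if cur["ppid"] not in by_pid:
                break
            cur = by_pid[cur["ppid"]]
            stage = STAGE_OF.get(cur["image"].lower())
            if stage and stage != stages[-1]:
                stages.append(stage)
        if {"bat", "powershell"} <= set(stages):
            hits.append((e["pid"], stages[::-1]))
    return hits

def trycloudflare_downloads(proxy_lines):
    """Return (host, path) per trycloudflare.com URL; tunnel hostnames vary, the suffix does not."""
    found = []
    for line in proxy_lines:
        m = TRYCLOUDFLARE_URL.search(line)
        if m:
            found.append((m.group(1).lower(), m.group(2) or "/"))
    return found

# Constructed sample telemetry (not from the campaign): an LNK launch spawns
# PowerShell -> script host -> cmd.exe (BAT) -> Python; pid 600 is a benign Python process.
SAMPLE_EVENTS = [
    {"pid": 200, "ppid": 100, "image": "powershell.exe"},
    {"pid": 300, "ppid": 200, "image": "wscript.exe"},
    {"pid": 400, "ppid": 300, "image": "cmd.exe"},
    {"pid": 500, "ppid": 400, "image": "python.exe"},
    {"pid": 600, "ppid": 100, "image": "python.exe"},
]
SAMPLE_PROXY = [  # constructed proxy lines; the tunnel hostname is a placeholder
    "2025-02-01T09:00:01Z u1 GET https://placeholder-words-tunnel.trycloudflare.com/ma.zip 200",
    "2025-02-01T09:00:05Z u1 GET https://www.dropbox.com/s/placeholder/doc.zip 200",
]
```

Only pid 500 is reported, with its stage order reconstructed from the ancestry walk; the benign Python process and the Dropbox download are not flagged.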
Rising Phishing Attack Trends in Vietnam
The AsyncRAT campaign is part of a larger trend in the cyberattack world. Phishing-as-a-service (PhaaS) campaigns are increasing, using fake login pages to steal user credentials. Some recent campaigns include:
Attacks on organizations in Latin America: Using legal documents to distribute SapphireRAT.
Exploiting government domains: Hosting phishing pages to collect Microsoft 365 login information.
Impersonating tax authorities: Targeting users in Australia, Switzerland, the UK, and the US to distribute malware.
Using Cloudflare Workers: Hosting phishing pages that mimic online services.
Conclusion
The AsyncRAT campaign is a clear example of how threat actors continually innovate their attack methods. Using legitimate services like Dropbox and TryCloudflare to hide malicious activities shows the increasing sophistication of cyberattacks. To protect yourself and your business, it's essential to raise awareness and implement comprehensive security measures.
Stay vigilant and share this information to help build a safer online environment together! 🌐🔒
Recommendations
FPT Threat Intelligence suggests several protective measures against these attacks for businesses and organizations in the country:
Be cautious with unfamiliar emails: Do not click on links or download attachments from unknown email sources.
Update software: Ensure systems and software are always updated to patch security vulnerabilities.
Use security tools: Implement anti-malware and secure email solutions to detect and block threats.
Train employees: Increase awareness of phishing tactics and prevention methods.
IOCs
Malicious URLs:
hxxps[:]//inventory-card-thumbzilla-ip[.]trycloudflare[.]com/DE/
hxxps[:]//mercy-synopsis-notify-motels[.]trycloudflare[.]com/ma[.]zip
hxxp[:]//sufficiently-points-est-minimize[.]trycloudflare[.]com/ma[.]zip
C2s:
62.60.190.141
62.60.190.196
Hashes:
References
1. AsyncRAT Campaign Uses Python Payloads and TryCloudflare Tunnels for Stealth Attacks, The Hacker News: https://thehackernews.com/2025/02/asyncrat-campaign-uses-python-payloads.html
2. AsyncRAT Reloaded: Using Python and TryCloudflare for Malware Delivery Again, Forcepoint X-Labs: https://www.forcepoint.com/blog/x-labs/asyncrat-reloaded-python-trycloudflare-malware