AsyncRAT Reloaded: Using Python and TryCloudflare for Malware Delivery Again
NetmanageIT OpenCTI - opencti.netmanageit.com

SUMMARY:
A new AsyncRAT malware campaign has been identified, utilizing malicious payloads delivered through TryCloudflare quick tunnels and Python packages. The attack chain begins with a phishing email containing a Dropbox URL, leading to a ZIP file with an internet shortcut. This triggers a series of downloads, ultimately executing AsyncRAT malware via Python scripts. The campaign employs legitimate infrastructure like Dropbox and TryCloudflare to evade detection. It uses a multi-step process involving LNK, JavaScript, and BAT files, culminating in the extraction of malicious Python scripts. The attackers use process injection techniques to inject shellcode into legitimate processes like notepad.exe and explorer.exe. This sophisticated approach highlights the evolving nature of cyber threats and the exploitation of legitimate services for malicious purposes.
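The chain described above (TryCloudflare quick-tunnel download, script host launching a BAT file that launches a Python stage, Python then injecting into notepad.exe or explorer.exe) can be expressed as three detection rules over endpoint telemetry. The script below is an added example written for this page, not code from the report or from OpenCTI; the key=value event format, the field names (`event`, `pid`, `ppid`, `image`, `url`, `source_pid`, `target_image`) and the sample events are all constructed here to illustrate the logic, and the tunnel hostname is a placeholder rather than an indicator from the campaign.

```python
"""Detect the staged delivery chain from the summary in constructed process telemetry."""
import re

# Constructed sample events (not telemetry from the report). One benign python
# launch and one benign outbound connection are included to show non-matches.
SAMPLE_EVENTS = """\
event=proc_create pid=100 ppid=1 image=explorer.exe
event=proc_create pid=200 ppid=100 image=wscript.exe cmdline="wscript.exe stage.js"
event=net_connect pid=200 url=https://placeholder-words-example.trycloudflare.com/stage.bat
event=proc_create pid=300 ppid=200 image=cmd.exe cmdline="cmd.exe /c stage.bat"
event=proc_create pid=400 ppid=300 image=python.exe cmdline="python.exe loader.py"
event=remote_thread source_pid=400 target_image=notepad.exe
event=proc_create pid=500 ppid=100 image=python.exe cmdline="python.exe build.py"
event=net_connect pid=500 url=https://pypi.org/simple/
"""

# Quick tunnels always live under a random label of trycloudflare.com.
TRYCLOUDFLARE_RE = re.compile(r"https?://[a-z0-9-]+\.trycloudflare\.com(/|$)", re.I)
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}          # hosts for the JavaScript stage
PYTHON_IMAGES = {"python.exe", "pythonw.exe"}          # the final loader stage
INJECTION_TARGETS = {"notepad.exe", "explorer.exe"}    # targets named in the summary


def parse_line(line):
    """Parse key=value pairs; values may be double-quoted (assumed log format)."""
    return {k: v.strip('"') for k, v in re.findall(r'(\w+)=("[^"]*"|\S+)', line)}


def ancestry(pid, procs):
    """Return image names from pid upward through its recorded parents."""
    chain, seen = [], set()
    while pid in procs and pid not in seen:
        seen.add(pid)
        chain.append(procs[pid]["image"])
        pid = procs[pid]["ppid"]
    return chain


def analyze(text):
    """Return (rule, pid, detail) tuples for every event that matches a rule."""
    procs, findings = {}, []
    for line in text.splitlines():
        ev = parse_line(line)
        kind = ev.get("event")
        if kind == "proc_create":
            procs[ev["pid"]] = {"image": ev["image"].lower(), "ppid": ev["ppid"]}
            chain = ancestry(ev["pid"], procs)
            # Rule 1: python started by cmd.exe that was itself started by a script host
            if (len(chain) >= 3 and chain[0] in PYTHON_IMAGES
                    and chain[1] == "cmd.exe" and chain[2] in SCRIPT_HOSTS):
                findings.append(("staged_python_loader", ev["pid"], " <- ".join(chain)))
        elif kind == "net_connect":
            # Rule 2: any fetch from a TryCloudflare quick tunnel
            if TRYCLOUDFLARE_RE.search(ev.get("url", "")):
                findings.append(("trycloudflare_quick_tunnel", ev["pid"], ev["url"]))
        elif kind == "remote_thread":
            # Rule 3: a python process creating a thread in a known injection target
            src = procs.get(ev["source_pid"], {}).get("image")
            if src in PYTHON_IMAGES and ev["target_image"].lower() in INJECTION_TARGETS:
                findings.append(("possible_process_injection", ev["source_pid"],
                                 f"{src} -> {ev['target_image']}"))
    return findings


if __name__ == "__main__":
    for rule, pid, detail in analyze(SAMPLE_EVENTS):
        print(f"{rule:28} pid={pid} {detail}")
```

Run against the constructed sample, the three rules fire once each on the pid 200/400 lineage and stay silent for the python build process under explorer.exe and its connection to pypi.org. The ancestry rule is the most robust of the three in practice: the tunnel hostname and the injection target are easy for an operator to change, while a script host launching cmd.exe launching python is unusual enough on most workstations to be worth a ticket on its own.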
OPENCTI LABELS:
phishing,remote access trojan,dropbox,xworm,venomrat,asyncrat,process injection,python,evasion techniques,trycloudflare