Tweaking AsyncRAT: Using Python and TryCloudflare to Deploy Malware

SUMMARY :

A new AsyncRAT malware campaign utilizes TryCloudflare quick tunnels and Python packages to deliver malicious payloads. The attack chain involves HTML attachments with 'search-ms' URI protocol handlers, leading to LNK files that download BAT files. These BAT files then retrieve and execute Python scripts containing base64-encoded shellcode. The malware injects itself into legitimate processes like notepad.exe and connects to various C2 servers. This campaign primarily targets health, travel, and banking sectors through phishing emails. The use of Python packages allows attackers to compromise systems even without pre-installed Python applications, while exploiting TryCloudflare's temporary infrastructure opens new attack vectors.

OPENCTI LABELS :

powershell,phishing,xworm,obfuscation,asyncrat,python,webdav,shellcode injection,trycloudflare


Open in NetmanageIT OpenCTI Public Instance with below link!


Use public read only username and password on login page.

NOTE : Use Public READ only user credentials on login page banner.


Tweaking AsyncRAT: Using Python and TryCloudflare to Deploy Malware