The Forcepoint X-Labs research team has uncovered a new AsyncRAT malware campaign that delivers malicious payloads via TryCloudflare quick tunnels and disguised Python packages. The attack begins with a phishing email containing a Dropbox link, which leads to a multi-stage chain of downloads that tricks users into executing malware while a legitimate PDF is displayed. This continuation of earlier findings underscores attackers' exploitation of legitimate infrastructure, and a rise in similar tactics is anticipated. Affected: AsyncRAT victims; sector: cybersecurity.
Key points:
- New AsyncRAT malware campaign identified by Forcepoint X-Labs.
- Malicious payloads delivered via TryCloudflare tunnels and Python packages.
- Initial compromise occurs through a phishing email containing a Dropbox link.
- The downloaded ZIP file contains an internet shortcut file that leads to malware execution.
- Multi-stage process of malware delivery to avoid detection.
- Utilizes legitimate infrastructure to enhance the credibility of payloads.
- Protection measures are in place for Forcepoint customers against the associated threats.
- Increased future attacks leveraging low-cost infrastructure are anticipated.
MITRE Techniques:
- T1071.001: Application Layer Protocol: Web Protocols – Used for communication between infected systems and C2 servers via HTTPS.
- T1203: Exploitation for Client Execution – Targeting users through phishing emails to exploit vulnerabilities.
- T1027: Obfuscated Files or Information – Malware delivery involves heavily obfuscated BAT and Python scripts.
- T1112: Modify Registry – Potential modification of the system registry for persistence.
- T1059.001: Command and Scripting Interpreter: PowerShell – PowerShell is employed to download and execute malicious scripts.
- T1041: Exfiltration Over C2 Channel – Communication with C2 servers for data exfiltration.
Indicators of Compromise:
- [URL] hxxps[:]//dl[.]dropboxusercontent[.]com/scl/fi/7j2004fcny2crqxfl4qfj/R000193294-672PDF[.]zip
- [URL] hxxps[:]//inventory-card-thumbzilla-ip[.]trycloudflare[.]com/DE
- [URL] hxxps[:]//mercy-synopsis-notify-motels[.]trycloudflare[.]com/ma[.]zip
- [C2 IP] 62.60.190.141
- [Hash – ZIP] 55724b766dd1fe8bf9dd4cb7094b83b88d57d945
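One way to turn the indicators above into a proxy-log check, added here as an example and not code from the Forcepoint report; the log layout, the sample lines and the quick-tunnel heuristic are assumptions, and the heuristic goes beyond the listed IoCs by flagging any TryCloudflare quick-tunnel host for review:

```python
import re
from hashlib import sha1
from typing import Optional

# Indicators copied from the page, kept in their defanged form.
DEFANGED_IOCS = [
    "hxxps[:]//dl[.]dropboxusercontent[.]com/scl/fi/7j2004fcny2crqxfl4qfj/R000193294-672PDF[.]zip",
    "hxxps[:]//inventory-card-thumbzilla-ip[.]trycloudflare[.]com/DE",
    "hxxps[:]//mercy-synopsis-notify-motels[.]trycloudflare[.]com/ma[.]zip",
]
C2_IPS = {"62.60.190.141"}
ZIP_SHA1 = {"55724b766dd1fe8bf9dd4cb7094b83b88d57d945"}


def refang(ioc: str) -> str:
    """Turn a defanged IoC (hxxp, [.], [:]) back into a matchable URL."""
    return ioc.replace("hxxp", "http").replace("[.]", ".").replace("[:]", ":")


def host_of(url: str) -> str:
    """Extract the lowercase host part of an http(s) URL, or '' if absent."""
    m = re.match(r"https?://([^/]+)", url)
    return m.group(1).lower() if m else ""


IOC_URLS = {refang(u) for u in DEFANGED_IOCS}
IOC_HOSTS = {host_of(u) for u in IOC_URLS}

# Assumed proxy log layout (constructed): "<ts> <client_ip> <dest_ip> <method> <url>"
LOG_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\S+)$")


def classify(line: str) -> Optional[str]:
    """Return a verdict for one log line, or None when nothing matches."""
    m = LOG_RE.match(line)
    if not m:
        return None
    _ts, _client, dest_ip, _method, url = m.groups()
    host = host_of(url)
    if url in IOC_URLS or host in IOC_HOSTS:
        return "known-ioc"          # exact indicator from the report
    if dest_ip in C2_IPS:
        return "known-c2"           # traffic to the listed C2 address
    # Heuristic (assumption): quick tunnels also have legitimate uses, so this
    # is a hunting lead for review rather than a confirmed hit.
    if host.endswith(".trycloudflare.com"):
        return "suspicious-quick-tunnel"
    return None


def is_known_zip(data: bytes) -> bool:
    """Check a retrieved archive against the ZIP hash from the report."""
    return sha1(data).hexdigest() in ZIP_SHA1
```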
Full Story: https://www.forcepoint.com/blog/x-labs/asyncrat-reloaded-python-trycloudflare-malware