A malware campaign has been observed delivering a remote access trojan (RAT) named AsyncRAT by making use of Python payloads and TryCloudflare tunnels.
“AsyncRAT is a remote access trojan (RAT) that exploits the async/await pattern for efficient, asynchronous communication,” Forcepoint X-Labs researcher Jyotika Singh said in an analysis.
“It allows attackers to control infected systems stealthily, exfiltrate data and execute commands while remaining hidden – making it a significant cyberthreat.”
The starting point of the multi-stage attack chain is a phishing email that contains a Dropbox URL that, upon clicking, downloads a ZIP archive.
Present within the file is an internet shortcut (URL) file, which serves as a conduit for a Windows shortcut (LNK) file responsible for taking the infection further, while a seemingly benign decoy PDF document is displayed to the message recipient.
Specifically, the LNK file is retrieved by means of a TryCloudflare URL embedded within the URL file. TryCloudflare is a legitimate service offered by Cloudflare for exposing web servers to the internet without opening any ports by creating a dedicated channel (i.e., a subdomain on trycloudflare[.]com) that proxies traffic to the server.
The LNK file, for its part, triggers PowerShell to execute JavaScript code hosted at the same location that, in turn, leads to a batch script (BAT) capable of downloading another ZIP archive. The newly downloaded ZIP file contains a Python payload designed to launch and execute several malware families, such as AsyncRAT, Venom RAT, and XWorm.
It’s worth noting that a slight variation of the same infection sequence was discovered last year propagating AsyncRAT, GuLoader, PureLogs Stealer, Remcos RAT, Venom RAT, and XWorm.
“This AsyncRAT campaign has again shown how hackers can use legitimate infrastructures like Dropbox URLs and TryCloudflare to their advantage,” Singh noted. “Payloads are downloaded through Dropbox URLs and temporary TryCloudflare tunnel infrastructure, thereby tricking recipients into believing their legitimacy.”
The development comes amid a surge in phishing campaigns using phishing-as-a-service (PhaaS) toolkits to conduct account takeover attacks by directing users to bogus landing pages mimicking the login pages of trusted platforms like Microsoft, Google, Apple, and GitHub.
Social engineering attacks conducted via emails have also been observed leveraging compromised vendor accounts to harvest users’ Microsoft 365 login credentials, an indication that threat actors are taking advantage of the interconnected supply chain and the inherent trust to bypass email authentication mechanisms.
Some of the other phishing campaigns documented in recent weeks are below –
- Attacks targeting organizations across Latin America that make use of official legal documents and receipts to distribute and execute SapphireRAT
- Attacks exploiting legitimate domains, including those belonging to government websites (“.gov”), to host Microsoft 365 credential harvesting pages
- Attacks impersonating tax agencies and related financial organizations to target users in Australia, Switzerland, the U.K., and the U.S. to capture user credentials, make fraudulent payments, and distribute malware like AsyncRAT, MetaStealer, Venom RAT, and XWorm
- Attacks that leverage spoofed Microsoft Active Directory Federation Services (ADFS) login pages to gather credentials and multi-factor authentication (MFA) codes for follow-on financially motivated email attacks
- Attacks that employ Cloudflare Workers (workers.dev) to host generic credential harvesting pages mimicking various online services
- Attacks targeting German organizations with the Sliver implant under the guise of employment contracts
- Attacks that utilize zero-width joiner and soft hyphen (aka SHY) characters to bypass some URL security checks in phishing emails
- Attacks that distribute booby-trapped URLs that deliver scareware, potentially unwanted programs (PUPs) and other scam pages as part of a campaign named ApateWeb
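As an added defensive example (not code from the Forcepoint analysis or this article), the following Python parses the kind of internet shortcut (.url) file described in the AsyncRAT chain above, strips the zero-width joiner and soft hyphen characters noted in the list, and flags targets hosted on the legitimate services the article reports being abused (trycloudflare.com, dropbox.com, workers.dev). The sample shortcut content and the watch list are constructed assumptions, not indicators from the campaign.

```python
import configparser
import unicodedata
from typing import Optional
from urllib.parse import urlsplit

# Invisible code points reported as abused to defeat naive URL checks:
# zero-width joiner (ZWJ) and soft hyphen (SHY); ZWSP/ZWNJ added for completeness.
INVISIBLE = {"\u200d", "\u00ad", "\u200b", "\u200c"}

# Legitimate services the article reports being abused for staging payloads or
# phishing pages. Constructed watch list for this example, not an indicator feed.
WATCH_SUFFIXES = ("trycloudflare.com", "dropbox.com", "workers.dev")


def normalize_url(url: str) -> str:
    """Drop invisible characters and apply NFKC so look-alike forms compare equal."""
    cleaned = "".join(ch for ch in url if ch not in INVISIBLE)
    return unicodedata.normalize("NFKC", cleaned).strip()


def parse_url_shortcut(text: str) -> Optional[str]:
    """Return the URL= target of a Windows internet shortcut (.url) file, or None."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    return cp.get("InternetShortcut", "URL", fallback=None)


def classify_url(url: str) -> dict:
    """Flag a URL whose host sits on a watched service after normalization."""
    clean = normalize_url(url)
    host = (urlsplit(clean).hostname or "").lower()
    service = next((s for s in WATCH_SUFFIXES if host == s or host.endswith("." + s)), None)
    return {"host": host, "service": service, "flagged": service is not None,
            "obfuscated": clean != url}


def analyze_shortcut(text: str) -> Optional[dict]:
    """Parse a .url file and classify its target; None if no URL= entry is present."""
    target = parse_url_shortcut(text)
    return classify_url(target) if target else None


# Constructed sample: a .url file pointing at a TryCloudflare subdomain, with a soft
# hyphen inserted into the hostname so a plain substring match would miss it.
SAMPLE_URL_FILE = (
    "[InternetShortcut]\n"
    "URL=https://example-words.trycloud\u00adflare.com/docs/invoice.lnk\n"
    "IDList=\n"
)

if __name__ == "__main__":
    print(analyze_shortcut(SAMPLE_URL_FILE))
```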
Recent research by CloudSEK has also demonstrated that it’s possible to exploit Zendesk’s infrastructure to facilitate phishing attacks and investment scams.
“Zendesk allows a user to sign up for a free trial of their SaaS platform, allowing registration of a subdomain, that could be misused to impersonate a target,” the company said, adding attackers can then use these subdomains to deliver phishing emails by adding the targets’ email addresses as “users” to the Zendesk portal.
“Zendesk does not conduct email checks to invite users. Which means that any random account can be added as a member. Phishing pages can be sent, in the guise of tickets assigned to the email address.”