Tweaking AsyncRAT: Attackers Using Python and TryCloudflare to Deploy Malware

AsyncRAT is a type of malware used to take control of Windows systems and steal critical information. It's known for being hard to detect and has been used by cybercriminals through various file types to bypass antivirus software.

Forcepoint’s X-Labs research team saw this recently with an AsyncRAT malware campaign that delivers malicious payloads via suspicious TryCloudflare quick tunnel and Python packages. Developers can use the TryCloudflare tool to experiment with Cloudflare Tunnel without adding a site to Cloudflare’s DNS. Thia temporary tunnel infrastructure may allow attackers to remote access huge data. In some cases. we found that attackers use HTML email attachments for distribution, in which “search-ms” windows protocol and “search-ms” URI protocol handler is being used to deliver malicious LNK and then Python scripts with supporting libraries. 

In this blog post, we will cover new AsyncRAT attack methods designed to abuse users via “search-ms” to access “TryCloudflare” WebDAV project and downloads further multiple malware payloads including specially crafted BAT files and Python scripts.

_{Fig. 1 - AsyncRAT attack chain}

This attack targets mostly health, travel and banking sectors via phishing emails. Below chart shows the overall AsyncRAT malware campaign frequency in the last month and how it increased in last few days:

_{Fig. 2 - AsyncRAT observed campaigns}

Stage 1: HTML analysis

The attachments included links to suspicious [.]trycloudflare[.]com sud-domain that used scripts involving the 'search-ms' URI protocol handler. Also, HTML files can launch the attack by embedding scripts that trigger the 'search-ms' URI protocol handler to access malicious lnk file from malicious extended WebDAV server written in Python. E.g : /\/\travel-scholar-an-equity[.]trycloudflare[.]com[@]SSL\DavWWWRoot\e_Statement

_{Fig. 3 - HTML code snippet}

HTML contains search:query with “crumb=location:\\” param to download payload from specific remote location. In this case, it typically downloads a LNK file.

Stage 2: .LNK analysis

Once a user clicks the .LNK file, it launches PowerShell and downloads a BAT file from same TryCloudflare tunnel 

/\/\ travel-scholar-an-equity[.]trycloudflare[.]com[@]SSL\DavWWWRoot\new.bat and then this downloaded new.bat file will download further stage payloads from same tunnel.

_{Fig. 4 - Suspicious WsgiDAVproject hosted on trycloudflare subdomain}

Stage 3:  BAT Analysis

The BAT file is heavily obfuscated and invokes PowerShell to download another batch file and Python package.

PowerShell “Invoke-WebRequest” is used to download huge Python package with malicious .py scripts in it.

It also downloads a clean PDF file to hide activity and displays that fake invoice PDF form to its victim.

 _{Fig. 5 - Fake PDF}

_{Fig. 6 - New .bat obfuscation}

Deobfuscated new.bat shows different sequence of activity like PowerShell execution and zip extraction and .py scripts execution.

_{Fig. 6.1 - Deobfuscscated new.bat file}

PowerShell “Expand-Archive” is used to extract archive in already set destination path. 

Extraction command:

echo powershell -Command "& { Expand-Archive -Path 'C:\Users\Test\Downloads\DXJS.zip' -DestinationPath 'C:\Users\Test\Downloads' -Force }"

Extracted archive contains a Python 3.12.3 package and Python scripts info.py, kam.py, moment.py, money.py, time.py, update.py and upload.py.

_{Fig. 6.2 - New.bat executres Python scripts, adds another.bat into Startup}

Stage 4: Python scripts analysis

These Python scripts import cytpes, which is a foreign function library for Python. It provides C-compatible data types and allows calling functions in DLLs or shared libraries.  The scripts contain huge base64-encoded shell code data and rc4_decrypt() function. It also contains “ctypes.windll.kernel32.VirtualProtect()” function in which it passes the shellcode buffer and size. This function is widely used by attackers for injecting malicious code into legitimate processes. 

Here’s an analysis of money.py:

_{Fig. 7.1 - Money.py}

_{Fig. 7.2 - Money.py continued}

ython scripts “money.py”, “time.py”, “upload.py”, “update.py”, “kam.py”, “moment.py” inject AsyncRAT shell code into legitimate process notepad.exe and connects to different C2 servers. Only one downloaded Python script “info.py” injects Xworm shell code into legitimate processes. All Python scripts contain similar functions and embedded base64 streams. 

_{Fig. 8 - Shellcode stream}

BAT further downloads obfuscated “startupp.bat” and moves it to startup folder for persistence. It also downloads another Python package zip and uses “startupp.bat” file to execute similar python scripts from this new package and connects to same C2 servers with different port numbers: e.g ncmomenthv[.]duckdns[.]org:8896 or ncmomenthv[.]duckdns[.]org:6757.

_{Fig. 9 - C2 connection via notepad.exe}

Process injection will be done by Injecting shellcode via Early Bird APC Queue.

_{Fig. 10 - Process injection}

Downloading a full package allows attackers to target more victims even if there is no supporting Python application installed on victim’s system. Executing via Python and injection into legitimate process helps it evade different basic security mechanisms. 

Conclusion:

This AsyncRAT campaign targets different sectors exploiting search-ms, a well-known Windows search feature to download payload from a temporary TryCloudflare tunnel infrastructure to open a new range of attacking techniques. It employs several steps designed to hide its activity, first starting with the execution of LNK, then to download a BAT file and ultimately downloads an obfuscated BAT file that extracts nefarious Python scripts. It tricks the user via a fake invoice PDF. These Python packages allow attackers access to a victim’s system easily, even when the Python application isn’t installed locally. Moving forward, we expect to see an increase in similar such attacks that exploit low-cost infrastructure options to deliver infostealers and Remote Access Trojans.

Protection statement 

Forcepoint customers are protected against this threat at the following stages of attack:

• Stage 2 (Lure) - Malicious attachments associated with these attacks are identified and blocked.
• Stage 3 (Redirection) - TryCloudflare URL is categorized under security classification.
• Stage 5 (Dropper File) - The dropper files are added to Forcepoint malicious database and are blocked.
• Stage 6 (Call Home) - Blocked C&C domain

IOC

Malicious URLs:

• travel-scholar-an-equity[.]trycloudflare[.]com
• float-suppose-msg-pulling[.]trycloudflare[.]com
• bangkok-generally-ensemble-nfl[.]trycloudflare[.]com
• be-broadband-wp-canon[.]trycloudflare[.]com
• researchers-hrs-auctions-coating[.]trycloudflare[.]com

C2s: 

• ncmomenthv[.]duckdns[.]org
• xoowill56[.]duckdns[.]org
• drvenomjh[.]duckdns[.]org
• vxsrwrm[.]duckdns[.]org
• ghdsasync[.]duckdns[.]org
• anachyyyyy[.]duckdns[.]org
• rvenom[.]duckdns[.]org

Hashes:

• ab069b312dd07d23e1b0cfe397775c7b37c1c5ad - html
• 07095f8f4d920b47f788a8ba52a8ab8902faaa5f   - html
• 16ea141a7d3f622f21a06c694adcb7597707be56 - lnk
• 77ecf69228836fa6a6c79bc26fe1f98f21b7118a - bat
• 05839f45d737f73041c8e5d0ba77044592074f6a - bat
• e6c4bdf3c3c1bc32e49caab17a1f3167d43b3406 - py
• c9103b859d1cd93ce4a83c782fa4807553120a6d - py
• 3292a7228bc9c5f20ddeaf106a54838e7b4f188c - py
• a78711dc104fc079a781e61a06e0abefe4823add - py
• 83132dda0bd86740c931aec8149f86b30674642a - py
• d83fa1a7885143b0d851fd8fb04d54b539790609 - py
• e9853f91bd8a9ed694275fd72f97bdf52775a1d5 - py