0 分钟阅读
Tweaking AsyncRAT: Attackers Using Python and TryCloudflare to Deploy Malware
AsyncRAT is a type of malware used to take control of Windows systems and steal critical information. It's known for being hard to detect and has been used by cybercriminals through various file types to bypass antivirus software.
Forcepoint’s X-Labs research team saw this recently with an AsyncRAT malware campaign that delivers malicious payloads via suspicious TryCloudflare quick tunnel and Python packages. Developers can use the TryCloudflare tool to experiment with Cloudflare Tunnel without adding a site to Cloudflare’s DNS. Thia temporary tunnel infrastructure may allow attackers to remote access huge data. In some cases. we found that attackers use HTML email attachments for distribution, in which “search-ms” windows protocol and “search-ms” URI protocol handler is being used to deliver malicious LNK and then Python scripts with supporting libraries.
In this blog post, we will cover new AsyncRAT attack methods designed to abuse users via “search-ms” to access “TryCloudflare” WebDAV project and downloads further multiple malware payloads including specially crafted BAT files and Python scripts.
Fig. 1 - AsyncRAT attack chain
This attack targets mostly health, travel and banking sectors via phishing emails. Below chart shows the overall AsyncRAT malware campaign frequency in the last month and how it increased in last few days:
Fig. 2 - AsyncRAT observed campaigns
Stage 1: HTML analysis
The attachments included links to suspicious
Fig. 3 - HTML code snippet
HTML contains search:query with “crumb=location:\\” param to download payload from specific remote location. In this case, it typically downloads a LNK file.
Stage 2: .LNK analysis
Once a user clicks the .LNK file, it launches PowerShell and downloads a BAT file from same TryCloudflare tunnel
/\/\ travel-scholar-an-equity[.]trycloudflare[.]com[@]SSL\DavWWWRoot\new.bat and then this downloaded new.bat file will download further stage payloads from same tunnel.
Fig. 4 - Suspicious WsgiDAVproject hosted on trycloudflare subdomain
Stage 3: BAT Analysis
The BAT file is heavily obfuscated and invokes PowerShell to download another batch file and Python package.
PowerShell “Invoke-WebRequest” is used to download huge Python package with malicious .py scripts in it.
It also downloads a clean PDF file to hide activity and displays that fake invoice PDF form to its victim.
Fig. 5 - Fake PDF
Fig. 6 - New .bat obfuscation
Deobfuscated new.bat shows different sequence of activity like PowerShell execution and zip extraction and .py scripts execution.
Fig. 6.1 - Deobfuscscated new.bat file
PowerShell “Expand-Archive” is used to extract archive in already set destination path.
Extraction command:
echo powershell -Command "& { Expand-Archive -Path 'C:\Users\Test\Downloads\DXJS.zip' -DestinationPath 'C:\Users\Test\Downloads' -Force }"
Extracted archive contains a Python 3.12.3 package and Python scripts info.py, kam.py, moment.py, money.py, time.py, update.py and upload.py.
Fig. 6.2 - New.bat executres Python scripts, adds another.bat into Startup
Stage 4: Python scripts analysis
These Python scripts import cytpes, which is a foreign function library for Python. It provides C-compatible data types and allows calling functions in DLLs or shared libraries. The scripts contain huge base64-encoded shell code data and rc4_decrypt() function. It also contains “ctypes.windll.kernel32.VirtualProtect()” function in which it passes the shellcode buffer and size. This function is widely used by attackers for injecting malicious code into legitimate processes.
Here’s an analysis of money.py:
Fig. 7.1 - Money.py
Fig. 7.2 - Money.py continued
ython scripts “money.py”, “time.py”, “upload.py”, “update.py”, “kam.py”, “moment.py” inject AsyncRAT shell code into legitimate process notepad.exe and connects to different C2 servers. Only one downloaded Python script “info.py” injects Xworm shell code into legitimate processes. All Python scripts contain similar functions and embedded base64 streams.
Fig. 8 - Shellcode stream
BAT further downloads obfuscated “startupp.bat” and moves it to startup folder for persistence. It also downloads another Python package zip and uses “startupp.bat” file to execute similar python scripts from this new package and connects to same C2 servers with different port numbers: e.g ncmomenthv[.]duckdns[.]org:8896 or ncmomenthv[.]duckdns[.]org:6757.
Fig. 9 - C2 connection via notepad.exe
Process injection will be done by Injecting shellcode via Early Bird APC Queue.
Fig. 10 - Process injection
Downloading a full package allows attackers to target more victims even if there is no supporting Python application installed on victim’s system. Executing via Python and injection into legitimate process helps it evade different basic security mechanisms.
Conclusion:
This AsyncRAT campaign targets different sectors exploiting search-ms, a well-known Windows search feature to download payload from a temporary TryCloudflare tunnel infrastructure to open a new range of attacking techniques. It employs several steps designed to hide its activity, first starting with the execution of LNK, then to download a BAT file and ultimately downloads an obfuscated BAT file that extracts nefarious Python scripts. It tricks the user via a fake invoice PDF. These Python packages allow attackers access to a victim’s system easily, even when the Python application isn’t installed locally. Moving forward, we expect to see an increase in similar such attacks that exploit low-cost infrastructure options to deliver infostealers and Remote Access Trojans.
Protection statement
Forcepoint customers are protected against this threat at the following stages of attack:
- Stage 2 (Lure) - Malicious attachments associated with these attacks are identified and blocked.
- Stage 3 (Redirection) - TryCloudflare URL is categorized under security classification.
- Stage 5 (Dropper File) - The dropper files are added to Forcepoint malicious database and are blocked.
- Stage 6 (Call Home) - Blocked C&C domain
IOC
Malicious URLs:
- travel-scholar-an-equity[.]trycloudflare[.]com
- float-suppose-msg-pulling[.]trycloudflare[.]com
- bangkok-generally-ensemble-nfl[.]trycloudflare[.]com
- be-broadband-wp-canon[.]trycloudflare[.]com
- researchers-hrs-auctions-coating[.]trycloudflare[.]com
C2s:
- ncmomenthv[.]duckdns[.]org
- xoowill56[.]duckdns[.]org
- drvenomjh[.]duckdns[.]org
- vxsrwrm[.]duckdns[.]org
- ghdsasync[.]duckdns[.]org
- anachyyyyy[.]duckdns[.]org
- rvenom[.]duckdns[.]org
Hashes:
- ab069b312dd07d23e1b0cfe397775c7b37c1c5ad - html
- 07095f8f4d920b47f788a8ba52a8ab8902faaa5f - html
- 16ea141a7d3f622f21a06c694adcb7597707be56 - lnk
- 77ecf69228836fa6a6c79bc26fe1f98f21b7118a - bat
- 05839f45d737f73041c8e5d0ba77044592074f6a - bat
- e6c4bdf3c3c1bc32e49caab17a1f3167d43b3406 - py
- c9103b859d1cd93ce4a83c782fa4807553120a6d - py
- 3292a7228bc9c5f20ddeaf106a54838e7b4f188c - py
- a78711dc104fc079a781e61a06e0abefe4823add - py
- 83132dda0bd86740c931aec8149f86b30674642a - py
- d83fa1a7885143b0d851fd8fb04d54b539790609 - py
- e9853f91bd8a9ed694275fd72f97bdf52775a1d5 - py
Mayur Sewani
阅读更多文章 Mayur SewaniMayur serves as a Senior Security Researcher as part of the Forcepoint X-Labs Research Team. He focuses on APT malwares, information stealers, phishing attacks, and also works to stay on top of the latest threats. He is passionate about advancing the field of defensive adversary emulation and research.