AsyncRAT Campaign Exploits Cloudflare Tunnels for Stealthy Malware Delivery

Cybersecurity researchers have identified a sophisticated malware campaign leveraging AsyncRAT, a remote access trojan, to infiltrate systems by exploiting trusted cloud services. This operation employs Cloudflare’s TryCloudflare tunnels and Python scripts to evade detection and establish unauthorized access.

The attack initiates with phishing emails containing Dropbox links labeled as invoices in German. When recipients click these links, they download a ZIP archive that appears to contain a PDF file. However, this file is an internet shortcut (.URL) that directs the user to a TryCloudflare subdomain, initiating the infection chain.

Upon accessing the TryCloudflare subdomain, the shortcut retrieves a Windows shortcut (.LNK) file. Executing this LNK file triggers a PowerShell command that downloads a JavaScript file from the same Cloudflare tunnel. This JavaScript file, once deobfuscated, fetches a batch (.BAT) file, continuing the infection process.

The BAT file is heavily obfuscated and performs multiple functions. It opens a decoy PDF to distract the user while downloading another ZIP file containing a Python package. The script checks for an existing Python installation and, if absent, installs a bundled interpreter. Within this package, a script named load.py, along with several binary files, executes the final payload.

load.py uses the ctypes library to call Windows system functions directly. It allocates memory, creates threads, and injects shellcode, deploying AsyncRAT in the process. This trojan grants attackers remote control over the compromised system, enabling data exfiltration, keystroke logging, and command execution.
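The staged chain above (URL shortcut, then LNK, JavaScript, BAT and a Python package, all pulled from one TryCloudflare quick-tunnel host) leaves a characteristic footprint in web-proxy logs. The detection below is an added example written for this article, not code from the researchers or the campaign: it correlates, per client and tunnel host, how many distinct stage file types were fetched inside a short window. The log lines and the `quiet-maple-walls` tunnel hostname are constructed placeholders, not real indicators; the logic generalises to any stage order.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from pathlib import PurePosixPath

# Stage file types of the chain described in the article, keyed by extension.
STAGE_BY_EXT = {".lnk": "lnk", ".js": "javascript", ".bat": "batch", ".zip": "python-pkg"}
TUNNEL_SUFFIX = ".trycloudflare.com"   # hostnames handed out by TryCloudflare quick tunnels
WINDOW = timedelta(minutes=10)         # assumed: stages of one infection land within 10 min

# Constructed proxy-log sample: "<time> <client> <host> <path>". Not real telemetry.
PROXY_LOG = """\
2024-01-10T09:12:01Z 10.0.0.5 invoice-cdn.example.com /rechnung.pdf
2024-01-10T09:12:44Z 10.0.0.5 quiet-maple-walls.trycloudflare.com /files/Rechnung.lnk
2024-01-10T09:12:51Z 10.0.0.5 quiet-maple-walls.trycloudflare.com /files/update.js
2024-01-10T09:13:03Z 10.0.0.5 quiet-maple-walls.trycloudflare.com /files/run.bat
2024-01-10T09:13:20Z 10.0.0.5 quiet-maple-walls.trycloudflare.com /files/python.zip
2024-01-10T09:15:00Z 10.0.0.7 www.cloudflare.com /index.html
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+)$")

def parse_line(line):
    """Parse one log line into (time, client, host, path); None if malformed."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, client, host, path = m.groups()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), client, host.lower(), path

def find_tunnel_chains(log_text, min_stages=2):
    """Return (client, host, [stages in fetch order]) for every client that pulled
    at least min_stages distinct stage file types from one *.trycloudflare.com
    host within WINDOW of its first fetch from that host."""
    seen = defaultdict(list)   # (client, host) -> [(time, stage)]
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        ts, client, host, path = rec
        if not host.endswith(TUNNEL_SUFFIX):
            continue               # only quick-tunnel hosts are of interest here
        stage = STAGE_BY_EXT.get(PurePosixPath(path).suffix.lower())
        if stage:
            seen[(client, host)].append((ts, stage))
    alerts = []
    for (client, host), events in seen.items():
        events.sort()
        first = events[0][0]
        stages = [s for t, s in events if t - first <= WINDOW]
        distinct = list(dict.fromkeys(stages))   # dedupe, keep first-seen order
        if len(distinct) >= min_stages:
            alerts.append((client, host, distinct))
    return alerts
```

A single benign fetch from a quick tunnel does not fire; the alert requires the multi-stage pattern, which keeps developers' legitimate TryCloudflare use out of the queue.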

By abusing legitimate services like Cloudflare and Dropbox, the attackers effectively mask their activities within normal network traffic, making detection challenging. This method underscores a growing trend where cybercriminals exploit trusted platforms to distribute malware, complicating traditional security measures.

Organizations are advised to implement robust email filtering, conduct regular security training for employees, and monitor network traffic for unusual patterns. Staying vigilant against such sophisticated attack vectors is crucial in mitigating potential breaches.

This campaign highlights the evolving tactics of threat actors who continuously adapt to bypass security defenses. The use of legitimate cloud services for malicious purposes emphasizes the need for advanced threat detection mechanisms and proactive cybersecurity strategies.