A new phishing campaign is using Cloudflare services and Python tools to distribute AsyncRAT, demonstrating the growing threat of legitimate service abuse in malware delivery.
A recently discovered phishing campaign is exploiting a combination of legitimate Cloudflare services and open-source Python tools to deliver the commodity malware AsyncRAT. This sophisticated attack illustrates the increasing trend of threat actors abusing trusted infrastructure and open-source tools to evade detection while establishing persistent remote access to victim systems.
The campaign, uncovered by researchers at Trend Micro, uses Cloudflare’s free-tier services and TryCloudflare tunneling domains to host malicious payloads. By hiding malicious activities under trusted infrastructure, the attackers can bypass traditional security solutions, ensuring reliable delivery of their payload. The phishing emails used in the attack contain Dropbox links with lures related to invoices, enticing victims to open links to malicious files.
Once opened, the malicious files employ a double-extension tactic (.pdf.url) to deceive the victim. The file displays a legitimate-looking PDF document to reduce suspicion while redirecting the victim to download a series of malicious scripts hosted on TryCloudflare domains. These scripts install a Python environment on the victim’s system, inject code into explorer.exe to establish persistence, and deliver the final malware payload, AsyncRAT.
AsyncRAT is a commercially available Remote Access Trojan (RAT) known for its modular design, which allows attackers to customize its functionality for a variety of malicious purposes. The malware’s capabilities include keylogging, screen capturing, and remote command execution. Once installed, AsyncRAT ensures persistence through various vectors such as startup folder scripts, WebDAV mounting, and the use of Windows Script Host and PowerShell to avoid detection.
The attack’s use of Python and Cloudflare’s tunneling services reflects a broader trend where attackers rely on cloud services to host and execute malware, eliminating the need to build their own infrastructure and making their activities appear legitimate. Phishing remains a highly effective vector for these kinds of attacks, even though it has been used for decades.
To combat these evolving threats, Trend Micro recommends that organizations implement a multilayered security approach, using advanced email security solutions capable of detecting and blocking malicious attachments and URLs. Deploying endpoint detection and response (EDR) solutions with behavioral analysis can help identify and block script-based attacks and code injections. Additionally, organizations should monitor and restrict outbound connections to unnecessary cloud services, including free-tier tunneling and file hosting platforms, to prevent attackers from exploiting legitimate services for malware distribution.
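As an added example that is not part of the original article or of Trend Micro’s report, the following Python script shows one way to act on the last two recommendations: it scans web-proxy log lines for outbound requests to free-tier tunneling domains and for downloads whose filename uses a double extension such as the `.pdf.url` lure described above. The log lines are constructed sample data; the `trycloudflare.com` suffix is assumed here as the tunneling domain to watch (extend `TUNNEL_DOMAINS` to match local policy), and the proxy log format is a simplified one assumed for the example.

```python
import re
from urllib.parse import urlparse

# Constructed sample proxy log (not from the report).
# Format assumed here: "<timestamp> <client_ip> <method> <url> <status>"
SAMPLE_PROXY_LOG = """\
2024-01-01T10:00:01Z 10.0.0.5 GET https://www.example.com/index.html 200
2024-01-01T10:00:07Z 10.0.0.5 GET https://www.dropbox.com/s/abc123/invoice.pdf.url?dl=1 200
2024-01-01T10:00:12Z 10.0.0.5 GET https://quiet-sky-example.trycloudflare.com/loader.bat 200
2024-01-01T10:00:15Z 10.0.0.9 GET https://cdn.example.org/report.pdf 200
2024-01-01T10:00:20Z 10.0.0.5 GET https://quiet-sky-example.trycloudflare.com/python/stage2.py 200
"""

# Free-tier tunneling services that user workstations rarely need to reach.
# Assumed watch-list; extend it to match local policy.
TUNNEL_DOMAINS = ("trycloudflare.com",)

# A document-looking extension immediately followed by a shortcut, script or
# executable extension, e.g. "invoice.pdf.url" or "report.docx.lnk".
DOUBLE_EXT_RE = re.compile(
    r"\.(pdf|doc|docx|xls|xlsx|jpg|png)\.(url|lnk|bat|cmd|exe|js|vbs|ps1|py)$",
    re.IGNORECASE,
)


def host_matches(host, suffixes):
    """True if host equals or is a subdomain of any suffix in the list."""
    host = host.lower().rstrip(".")
    return any(host == s or host.endswith("." + s) for s in suffixes)


def classify_url(url):
    """Return the list of finding labels for one URL (empty list = nothing suspicious)."""
    findings = []
    parsed = urlparse(url)
    host = parsed.hostname or ""
    filename = parsed.path.rsplit("/", 1)[-1]  # query string is already split off
    if host_matches(host, TUNNEL_DOMAINS):
        findings.append("tunnel-domain")
    if DOUBLE_EXT_RE.search(filename):
        findings.append("double-extension")
    return findings


def scan_proxy_log(text):
    """Parse whitespace-separated log lines; return (client_ip, url, labels) for each hit."""
    results = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue  # skip blank or malformed lines rather than crash the scan
        client_ip, url = parts[1], parts[3]
        labels = classify_url(url)
        if labels:
            results.append((client_ip, url, labels))
    return results


def clients_touching_tunnels(results):
    """Distinct client IPs that reached a tunneling domain: candidates for triage."""
    return sorted({ip for ip, _, labels in results if "tunnel-domain" in labels})


if __name__ == "__main__":
    hits = scan_proxy_log(SAMPLE_PROXY_LOG)
    for ip, url, labels in hits:
        print(f"{ip} {','.join(labels)} {url}")
    print("clients reaching tunnel domains:", clients_touching_tunnels(hits))
```

Run against the sample log, the script flags the Dropbox download by its double extension and the two TryCloudflare fetches by their host, and reports `10.0.0.5` as the single client to triage. In production the same two checks would run over real proxy or DNS telemetry, with the domain list and extension pairs tuned to the environment.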