A sophisticated cyber threat campaign is leveraging Cloudflare’s free-tier services and TryCloudflare tunnels to mask Remote Access Trojan (RAT) activity, making detection significantly harder. The malware, identified as AsyncRAT, is distributed through phishing emails that trick recipients into downloading what appear to be legitimate invoice documents. Routing the staging infrastructure through a widely trusted cloud provider lets the attackers blend their traffic into otherwise normal cloud activity, posing a substantial risk to unsuspecting users and organizations.
The campaign begins with targeted phishing emails that contain links directing users to a Dropbox-hosted ZIP archive. This archive is carefully named to resemble a German invoice, aiming to lull victims into a false sense of security. Upon opening the archive, users encounter a file with a double extension, such as “Rechnung-zu-Auftrag-W19248960825.pdf.url”. While appearing to be a harmless PDF document, it is actually an internet shortcut (.url) file designed to initiate the infection chain.
Infection Mechanism and Cloudflare Abuse
Following the execution of the malicious shortcut, the infected system connects to a WebDAV resource. This resource is hosted behind TryCloudflare domains, a service that allows users to expose local services to the internet. Within this WebDAV repository, attackers store multi-stage scripts and batch files. These scripts are designed to download further malicious components, establish a local Python environment on the victim’s machine, and ensure the malware’s persistence by configuring it to restart automatically with every system boot.
The ultimate payload delivered is AsyncRAT, a powerful remote access tool. Once installed, AsyncRAT grants threat actors extensive control over the compromised system. This includes the ability to perform keylogging to capture user keystrokes, capture screenshots of the victim’s screen, and execute arbitrary commands. The integration of Cloudflare’s infrastructure and the use of official Python downloads allow the attackers to obfuscate their malicious traffic, making traditional security measures like domain or reputation-based blocking less effective.
Trend Micro analysts detected this campaign through their Managed Detection and Response telemetry. Initial indicators included Microsoft Outlook and Edge downloading invoice-themed ZIP files. Subsequent analysis revealed WebDAV connections to Cloudflare-backed infrastructure and the execution of script-driven payload delivery. The investigation uncovered that multiple TryCloudflare domains were linked to the same backend server and a consistent set of malicious files, indicating a reusable toolkit employed across various attack campaigns. This reusable aspect of the toolkit is a significant concern for cybersecurity professionals.
The infection chain involves several stages designed for stealth and resilience. For instance, a Windows Script File (.wsh) may call a VBScript (.wsf) file, which then downloads and executes two batch files (.bat) from the user’s temporary directory. These batch files, utilizing PowerShell, download an official embedded Python 3.14.0 package from python.org and extract it to a local folder, often within the user’s AppData directory. This reliance on official software sources further aids in evading detection.
Persistence is established by dropping batch files, such as “ahke.bat” and “olsm.bat,” into the Windows Startup folder. These scripts are configured to launch the Python loader, named “ne.py,” every time the system boots. The final stage involves the “ne.py” script executing polymorphic APC-based code injection into the legitimate “explorer.exe” process. This is done using encrypted shellcode stored in a file named “new.bin” and decryption keys found in “a.txt.” This complex technical breakdown illustrates how AsyncRAT operators meticulously chain cloud tunneling, WebDAV, Python, and process injection techniques to maintain control over infected systems while remaining concealed within normal cloud and system operations.
The ongoing evolution of these attack methods, particularly the innovative use of legitimate services like Cloudflare and official software downloads, presents a significant challenge for cybersecurity defenses. As threat actors continue to adapt their tactics to bypass conventional security measures, it is crucial for organizations to implement multi-layered security strategies, including advanced threat detection, user awareness training, and robust endpoint protection. The reliance on Cloudflare’s free tier highlights the importance of monitoring for unusual traffic patterns and service abuse, even from seemingly reputable providers.
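The stages described above (double-extension .url lure, WebDAV over a TryCloudflare host, embedded Python fetch, Startup-folder batch file, AppData Python loader) map naturally onto endpoint telemetry. The following is an added example for defenders, not code from the article or from Trend Micro: it runs simple stage rules over constructed, hypothetical log lines (the log format, hostnames and paths are assumptions) and counts how many distinct stages appear, so that several weak signals on one host can be escalated together.

```python
import re

# Constructed sample telemetry (hypothetical format: "<ts> proc=<image> action=<type> <field>=<value>").
# Hostnames, user names and URLs are made up for the example.
SAMPLE_EVENTS = [
    "2025-01-10T09:12:01Z proc=OUTLOOK.EXE action=download path=C:\\Users\\u\\Downloads\\Rechnung-2025.zip",
    "2025-01-10T09:13:10Z proc=explorer.exe action=open path=C:\\Users\\u\\Downloads\\Rechnung-zu-Auftrag-W19248960825.pdf.url",
    "2025-01-10T09:13:12Z proc=explorer.exe action=netconn dst=\\\\random-words.trycloudflare.com@SSL\\DavWWWRoot\\x",
    "2025-01-10T09:14:40Z proc=powershell.exe action=netconn dst=https://www.python.org/ftp/python/3.14.0/python-3.14.0-embed-amd64.zip",
    "2025-01-10T09:15:02Z proc=cmd.exe action=filewrite path=C:\\Users\\u\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\ahke.bat",
    "2025-01-10T09:15:05Z proc=python.exe action=process_start path=C:\\Users\\u\\AppData\\Local\\py\\python.exe cmdline=python.exe ne.py",
    "2025-01-10T10:00:00Z proc=chrome.exe action=netconn dst=https://example.com/",
]

# One rule per infection stage named in the article. Each is a weak signal on its own
# (an embedded Python download or a TryCloudflare host can be legitimate); the value is in correlation.
RULES = [
    ("double_ext_url_shortcut", re.compile(r"\.(pdf|docx?|xlsx?)\.url\b", re.I)),
    ("webdav_trycloudflare", re.compile(r"[a-z0-9-]+\.trycloudflare\.com", re.I)),
    ("embedded_python_fetch", re.compile(r"python\.org/\S*embed\S*\.zip", re.I)),
    ("startup_batch_drop", re.compile(r"\\Programs\\Startup\\[^\\]+\.bat$", re.I)),
    ("appdata_python_loader", re.compile(r"path=\S*\\AppData\\\S*python\.exe .*cmdline=.*\.py\b", re.I)),
]


def scan(events):
    """Return (timestamp, rule_name) for every event that matches a stage rule."""
    hits = []
    for line in events:
        ts = line.split(" ", 1)[0]
        for name, pattern in RULES:
            if pattern.search(line):
                hits.append((ts, name))
    return hits


def chain_score(hits):
    """Number of distinct stages observed; three or more on one host is worth escalating as a chain."""
    return len({name for _, name in hits})


if __name__ == "__main__":
    found = scan(SAMPLE_EVENTS)
    for ts, name in found:
        print(ts, name)
    print("distinct stages:", chain_score(found))
```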
Moving forward, security researchers will likely continue to monitor for variations of this AsyncRAT campaign and similar techniques. The effectiveness of this approach may prompt other threat actors to adopt similar strategies, necessitating continuous updates to threat intelligence and security protocols. Organizations should remain vigilant and proactive in their security posture to mitigate the risks associated with these increasingly sophisticated cyber threats.