    Cybercriminals Exploit Cloudflare Tunnels for Undetectable Malware Distribution

    Cybersecurity companies are raising alarms over the increasing misuse of Cloudflare’s TryCloudflare free service for distributing malware. This activity, reported by eSentire and Proofpoint, involves using TryCloudflare to establish a temporary tunnel that channels traffic from an attacker-controlled server to a local machine via Cloudflare’s infrastructure.

    This method has been employed to deliver a range of malware, including AsyncRAT, GuLoader, PureLogs Stealer, Remcos RAT, Venom RAT, and XWorm. The attack typically starts with a phishing email containing a ZIP archive that includes a URL shortcut file. This file directs the recipient to a Windows shortcut hosted on a WebDAV server proxied by TryCloudflare.

    The shortcut file triggers batch scripts that retrieve and execute additional Python payloads while displaying a decoy PDF document from the same server to maintain deception. eSentire noted that these scripts perform actions like launching fake PDFs, downloading more malicious payloads, and altering file attributes to evade detection.
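The delivery chain above leaves recognisable traces in endpoint telemetry: a script host launched with a shortcut or batch file that lives on a WebDAV share whose hostname is a TryCloudflare quick tunnel, followed by an attrib call that hides dropped files. The following detection sketch is an added example, not code from the article or from eSentire or Proofpoint; the event records are constructed Sysmon-style fields, and the hostnames and paths in them are placeholders.

```python
"""Added example (not from the article): a small detection rule set over
constructed process-creation events that looks for the lure chain described
in the text."""
import re
from dataclasses import dataclass
from ntpath import basename

# Quick-tunnel hosts are random labels under trycloudflare.com, so match the
# suffix rather than any fixed host. Windows WebClient UNC syntax is
# \\host[@SSL][@port]\DavWWWRoot\... (the DavWWWRoot token is optional in
# practice, so it is optional here as well).
TRYCLOUDFLARE_DAV = re.compile(
    r"\\\\[a-z0-9-]+\.trycloudflare\.com(?:@ssl)?(?:@\d+)?\\(?:davwwwroot\\)?",
    re.IGNORECASE,
)
# Any UNC path that ends in a shortcut or script extension.
REMOTE_SCRIPT = re.compile(
    r"\\\\[^\s\"']+\.(?:lnk|url|bat|cmd|vbs|js|ps1)\b", re.IGNORECASE
)
SCRIPT_HOSTS = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
# attrib +h / +s marks a file hidden or system, which the article describes
# as the attribute change used to evade notice.
HIDE_FLAGS = re.compile(r"\+[hs]\b", re.IGNORECASE)


@dataclass(frozen=True)
class ProcessEvent:
    parent_image: str
    image: str
    command_line: str


def assess(event: ProcessEvent) -> list[str]:
    """Return the names of every rule the event matches (empty list = clean)."""
    hits = []
    image = basename(event.image).lower()
    cmd = event.command_line
    if TRYCLOUDFLARE_DAV.search(cmd):
        hits.append("trycloudflare_webdav_path")
    if image in SCRIPT_HOSTS and REMOTE_SCRIPT.search(cmd):
        hits.append("script_host_ran_remote_file")
    if image == "attrib.exe" and HIDE_FLAGS.search(cmd):
        hits.append("attrib_hides_file")
    return hits


def scan(events):
    """Map event index -> matched rules, for events that matched at least one."""
    return {i: hits for i, e in enumerate(events) if (hits := assess(e))}


# Constructed sample telemetry (Sysmon-style fields), not real captured data.
SAMPLE_EVENTS = [
    ProcessEvent(r"C:\Windows\explorer.exe", r"C:\Windows\System32\notepad.exe",
                 r'notepad.exe "C:\Users\alice\notes.txt"'),
    ProcessEvent(r"C:\Windows\explorer.exe", r"C:\Windows\System32\cmd.exe",
                 r'cmd.exe /c "\\word-word-word.trycloudflare.com@SSL\DavWWWRoot\invoice\run.bat"'),
    ProcessEvent(r"C:\Windows\System32\cmd.exe", r"C:\Windows\System32\attrib.exe",
                 r"attrib +h +s C:\Users\Public\update.py"),
    ProcessEvent(r"C:\Windows\explorer.exe", r"C:\Windows\System32\cmd.exe",
                 r'cmd.exe /c "\\files.corp.example\share\login.bat"'),
]

if __name__ == "__main__":
    for idx, hits in scan(SAMPLE_EVENTS).items():
        print(idx, SAMPLE_EVENTS[idx].command_line, "->", hits)
```

The last sample event shows why the rules are kept separate: a batch file run from an internal share trips only the generic remote-file rule, while the TryCloudflare rule and the attrib rule carry the signal that is specific to this campaign, so a triage queue can rank the second and third events above the fourth.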

    A crucial aspect of the attackers’ strategy is using direct system calls to bypass security tools, decrypting shellcode layers, and employing the Early Bird APC queue injection method to execute code stealthily and avoid detection.

    Proofpoint found that the phishing emails are written in English, French, Spanish, and German, with volumes ranging from hundreds to tens of thousands, targeting organizations worldwide. These emails cover various themes, including invoices, document requests, package deliveries, and taxes.

    While the campaign is attributed to a related cluster of activity, it has not been linked to a specific threat actor or group; the email security vendor does, however, assess it as financially motivated.

    The malicious use of TryCloudflare was first noted last year when Sysdig uncovered a cryptojacking and proxyjacking campaign named LABRAT. This campaign exploited a now-fixed critical flaw in GitLab to infiltrate targets and conceal command-and-control (C2) servers using Cloudflare tunnels.

    The use of WebDAV and Server Message Block (SMB) for payload delivery means organizations should restrict access to external file-sharing services to known, approved servers only.

    According to Proofpoint researchers Joe Wise and Selena Larson, “Cloudflare tunnels allow threat actors to use temporary infrastructure, enabling them to scale their operations and quickly build and dismantle instances. This challenges defenders and traditional security measures that rely on static blocklists. Temporary Cloudflare instances offer attackers a cost-effective method to stage attacks with helper scripts while minimizing exposure to detection and takedown efforts.”
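Two of the points above, restricting outbound file sharing to approved servers and the weakness of static blocklists against throwaway tunnel hostnames, can be shown in one policy check. The code below is an added example and not the article's or Proofpoint's own; the approved server names, the blocklist entry and the sample flows are constructed placeholders, and treating the whole quick-tunnel namespace as blocked is an assumed policy for an organisation that has no business use for it.

```python
"""Added example (not from the article): an egress policy check for outbound
file-sharing traffic, plus a comparison of exact-host and suffix blocking."""
from dataclasses import dataclass
from typing import Optional

# Assumed corporate allowlist of file servers (placeholder names).
APPROVED_FILE_SERVERS = {"files.corp.example", "dav.corp.example"}
SMB_PORTS = {139, 445}
# Methods that only WebDAV clients send; seeing one on a web proxy marks the
# flow as file sharing even though it rides on 80/443.
WEBDAV_METHODS = {"PROPFIND", "PROPPATCH", "MKCOL", "COPY", "MOVE", "LOCK", "UNLOCK"}


@dataclass(frozen=True)
class Connection:
    dst_host: str
    dst_port: int
    http_method: Optional[str] = None  # None for non-HTTP flows such as SMB


def normalise(host: str) -> str:
    """Lower-case and drop a trailing dot so list lookups are exact."""
    return host.lower().rstrip(".")


def is_file_sharing(conn: Connection) -> bool:
    return conn.dst_port in SMB_PORTS or (conn.http_method or "").upper() in WEBDAV_METHODS


def decide(conn: Connection) -> tuple[str, str]:
    """Return (verdict, reason) for one outbound connection."""
    if not is_file_sharing(conn):
        return "allow", "not file sharing"
    if normalise(conn.dst_host) in APPROVED_FILE_SERVERS:
        return "allow", "approved file server"
    return "deny", "file sharing to unapproved server"


# A blocklist built from yesterday's indicators (constructed host name).
STATIC_BLOCKLIST = {"old-lure-host.trycloudflare.com"}
# Suffix rule covering the whole quick-tunnel namespace (assumed policy).
BLOCKED_SUFFIXES = (".trycloudflare.com",)


def blocked_by_exact_list(host: str) -> bool:
    return normalise(host) in STATIC_BLOCKLIST


def blocked_by_suffix(host: str) -> bool:
    h = normalise(host)
    return any(h.endswith(s) for s in BLOCKED_SUFFIXES)


# Constructed sample flows, not captured data.
SAMPLE_FLOWS = [
    Connection("files.corp.example", 445),
    Connection("www.example.com", 443, "GET"),
    Connection("new-lure-host.trycloudflare.com", 443, "PROPFIND"),
    Connection("203.0.113.5", 445),
]

if __name__ == "__main__":
    for c in SAMPLE_FLOWS:
        print(c.dst_host, c.dst_port, c.http_method, "->", decide(c))
    fresh = "new-lure-host.trycloudflare.com"
    print(fresh, "exact:", blocked_by_exact_list(fresh), "suffix:", blocked_by_suffix(fresh))
```

The WebDAV method is only visible to the proxy when HTTPS is inspected; where it is not, the decision has to fall back to the hostname rules, which is exactly where an exact-host blocklist fails: a tunnel created this morning is not on it, while the suffix rule still applies.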

    These findings come as the Spamhaus Project urges Cloudflare to review its anti-abuse policies following cybercriminals’ exploitation of its services to obscure malicious activities. This practice, known as “living-off-trusted-services” (LoTS), enhances attackers’ operational security by leveraging trusted platforms.

    Spamhaus observed that malicious actors move their domains, which are already listed in the Domain Block List (DBL), to Cloudflare to disguise their backend operations, whether involving spam, phishing, or more severe threats.
