Cloudflare Tunnels Release Different Remote Access Trojan

intuisi

Techno, Intuisi Blog – Since the beginning of last year, threat actors have been using Cloudflare Tunnels to deliver several Remote Access Trojan (RAT) families, according to Proofpoint's reports.

Since February 20, 2024, criminals have been using the TryCloudflare feature to create one-time tunnels without needing an account. They use these tunnels to distribute AsyncRAT, GuLoader, Remcos, VenomRAT, and Xworm.

Cloudflare Tunnels

Much like VPNs, Cloudflare Tunnels let users reach resources remotely. In the observed campaigns, attackers send emails containing a URL, or an attachment that leads to a URL, which points to an external file share exposed through the tunnel.

Once the link is accessed, the first-stage payload is downloaded and a multi-stage infection chain begins, ending in the installation of the malware.

“Some campaigns will lead to multiple different malware payloads, with each unique Python script leading to the installation of a different malware,” Proofpoint claims.

The attackers used lures in English, French, German and Spanish, typically on business themes such as documents, invoices, deliveries and taxes.

“Campaign message volumes range from hundreds to tens of thousands of messages impacting dozens to thousands of organizations globally,” Proofpoint writes.

The cybersecurity company notes that although various parts of the attack chain were updated to improve sophistication and defense evasion, the same tactics, techniques and procedures (TTPs) were used across the campaigns, which suggests that a single threat actor is responsible. The activity has not, however, been attributed to any specific threat actor.

“The usage of Cloudflare tunnels provides the attackers with a means to utilize temporary infrastructures to expand their operation, giving them the ability to create and shut down servers in a quick way. This can be a problem to defend against attackers, and more traditional security methods like relying on static blocklists,” Proofpoint notes.
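As an added illustration of the blocklist problem described above (example code, not from Proofpoint or the original post): a Python check that flags mail URLs by the TryCloudflare hostname suffix instead of by individual hostnames, run over a constructed log. It assumes that quick tunnels are served under *.trycloudflare.com and that the three-field log format shown is ours.

```python
import re
from urllib.parse import urlparse

# TryCloudflare quick tunnels get a random hostname under this suffix (assumed
# here as the detection anchor); each subdomain is throwaway, so match the suffix.
TUNNEL_SUFFIX = "trycloudflare.com"

# Constructed sample log (not real indicators): timestamp, sender, URL seen in
# the message body or behind a linked attachment.
SAMPLE_LOG = """\
2024-03-01T09:12:44Z billing@example.net https://quiet-river-4f3a.trycloudflare.com/invoice.lnk
2024-03-01T09:13:02Z billing@example.net https://quiet-river-4f3a.trycloudflare.com/invoice.lnk
2024-03-01T10:40:19Z hr@example.org https://tax-forms-b81c.trycloudflare.com/docs/
2024-03-01T11:05:33Z it@example.com https://trycloudflare.com.lookalike.test/login
2024-03-01T11:07:51Z sales@example.net https://www.example.com/brochure.pdf
"""

URL_RE = re.compile(r"https?://\S+")

def is_tunnel_host(host: str) -> bool:
    """Label-aware suffix check: 'x.trycloudflare.com' matches,
    'trycloudflare.com.lookalike.test' and 'nottrycloudflare.com' do not."""
    host = host.lower().rstrip(".")
    return host == TUNNEL_SUFFIX or host.endswith("." + TUNNEL_SUFFIX)

def tunnel_hits(log_text: str) -> dict:
    """Map each tunnel hostname seen in the log to the set of senders using it."""
    hits = {}
    for line in log_text.splitlines():
        parts = line.split(maxsplit=2)
        if len(parts) < 3:
            continue  # malformed or empty line
        sender, rest = parts[1], parts[2]
        for url in URL_RE.findall(rest):
            host = urlparse(url).hostname
            if host and is_tunnel_host(host):
                hits.setdefault(host, set()).add(sender)
    return hits

def missed_by_blocklist(hits: dict, blocklist: set) -> list:
    """Tunnel hostnames the suffix rule caught but a static hostname blocklist would not."""
    return sorted(h for h in hits if h not in blocklist)

if __name__ == "__main__":
    hits = tunnel_hits(SAMPLE_LOG)
    # A blocklist built from yesterday's campaign only knows one hostname.
    stale_blocklist = {"quiet-river-4f3a.trycloudflare.com"}
    for host, senders in sorted(hits.items()):
        print(f"{host}: {sorted(senders)}")
    print("missed by static blocklist:", missed_by_blocklist(hits, stale_blocklist))
```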

Since 2023, a variety of attackers have been spotted using TryCloudflare tunnels to carry out their attacks, and the method is growing in popularity, Proofpoint adds.

In the past, hackers also abused TryCloudflare in the LabRat malware campaign to hide their command-and-control (C&C) infrastructure.
