Summary
Researchers from Proofpoint have released a report warning that threat actors are increasingly abusing the Cloudflare Tunnel service in malware campaigns that usually deliver remote access trojans (RATs). The activity cluster was first observed in February 2024 and increased its activity from May through July, with most recent campaigns leading to the Xworm RAT.
Community Impact
The use of Cloudflare tunnels gives threat actors temporary infrastructure on which to scale their operations, with the flexibility to build and tear down instances quickly. This undermines defenders and traditional security measures such as static blocklists. Temporary Cloudflare instances give attackers a low-cost way to stage attacks with helper scripts while limiting their exposure to detection and takedown efforts. RH-ISAC members who use the TryCloudflare feature in their environment are encouraged to review the intelligence in the Proofpoint report and to ingest the Indicators of Compromise listed below.
Background
The malicious activity abuses the TryCloudflare feature that allows an attacker to create a one-time tunnel without creating an account. Tunnels are a way to remotely access data and resources that are not on the local network, like using a virtual private network (VPN) or secure shell (SSH) protocol.
In most campaigns, messages contain a URL or attachment leading to an internet shortcut (.URL) file. When executed, the shortcut establishes a connection to an external file share, typically via WebDAV, to download an LNK or VBS file. When that file is executed, it runs a BAT or CMD file that downloads a Python installer package and a series of Python scripts that lead to the malware installation. In some cases, file staging leverages the search-ms protocol handler to retrieve the LNK from a WebDAV share. Typically, a benign PDF is displayed to the user so the lure appears legitimate.
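The attack chain above (shortcut to WebDAV share, LNK/VBS, BAT/CMD, Python scripts, with search-ms used in some cases) can be spotted from process-creation telemetry before any payload runs. The following is an added example written for this advisory, not code from Proofpoint or RH-ISAC: it applies three heuristics drawn from the described chain to a handful of constructed process events. The event field names, the sample paths and the host `webdav.example` are assumptions; real EDR or Sysmon schemas will differ.

```python
import re
from dataclasses import dataclass


@dataclass
class ProcessEvent:
    """Simplified process-creation event (constructed; the field names are an
    assumption loosely modelled on EDR / Sysmon process-create telemetry)."""
    parent_image: str
    image: str
    command_line: str


# Heuristic 1: a script file opened from a WebDAV share. Windows exposes WebDAV
# shares as UNC paths such as \\host@SSL@443\DavWWWRoot\... (non-SSL shares omit
# the @SSL part), which is where the report's LNK/VBS stage is retrieved from.
WEBDAV_PATH = re.compile(r"\\\\[\w.-]+(?:@ssl(?:@\d+)?)?\\davwwwroot", re.IGNORECASE)
SCRIPT_EXT = re.compile(r"\.(?:lnk|vbs|bat|cmd)\b", re.IGNORECASE)

# Heuristic 2: the search-ms protocol handler pointed at a remote location,
# the staging trick the report mentions for retrieving the LNK.
SEARCH_MS = re.compile(r"search-ms:.*crumb=location:", re.IGNORECASE)

# Heuristic 3: cmd.exe (the BAT/CMD stage) launching a Python interpreter on a
# script that lives in a user-writable location.
PY_SCRIPT = re.compile(r"\.py\b", re.IGNORECASE)
USER_WRITABLE = re.compile(
    r"\\users\\(?:public\\|[^\\]+\\(?:appdata|downloads)\\)|\\temp\\|\\programdata\\",
    re.IGNORECASE,
)


def basename(path: str) -> str:
    return path.lower().rsplit("\\", 1)[-1]


def score_event(ev: ProcessEvent) -> list[str]:
    """Return the list of chain heuristics an event triggers (empty if none)."""
    reasons = []
    cl = ev.command_line
    if WEBDAV_PATH.search(cl) and SCRIPT_EXT.search(cl):
        reasons.append("script file launched from a WebDAV share")
    if SEARCH_MS.search(cl):
        reasons.append("search-ms handler with remote crumb=location")
    if (basename(ev.parent_image) == "cmd.exe"
            and basename(ev.image) in ("python.exe", "pythonw.exe")
            and PY_SCRIPT.search(cl) and USER_WRITABLE.search(cl)):
        reasons.append("cmd.exe running a Python script from a user-writable path")
    return reasons


def detect_chain(events: list[ProcessEvent]) -> list[tuple[int, list[str]]]:
    """Return (event index, reasons) for every event that triggers a heuristic."""
    return [(i, r) for i, ev in enumerate(events) if (r := score_event(ev))]


# Constructed sample events: three mirror stages of the described chain, two are benign.
SAMPLE_EVENTS = [
    ProcessEvent(r"C:\Windows\explorer.exe", r"C:\Windows\explorer.exe",
                 r'"C:\Windows\explorer.exe" "\\webdav.example@SSL@443\DavWWWRoot\invoice.lnk"'),
    ProcessEvent(r"C:\Windows\explorer.exe", r"C:\Windows\explorer.exe",
                 r'explorer.exe "search-ms:displayname=Downloads&crumb=location:\\webdav.example@SSL\DavWWWRoot"'),
    ProcessEvent(r"C:\Windows\System32\cmd.exe", r"C:\Users\Public\python\python.exe",
                 r'"C:\Users\Public\python\python.exe" C:\Users\Public\stage.py'),
    ProcessEvent(r"C:\Windows\explorer.exe", r"C:\Windows\System32\notepad.exe",
                 r"notepad.exe C:\Users\alice\notes.txt"),
    ProcessEvent(r"C:\Windows\System32\cmd.exe", r"C:\Program Files\Python312\python.exe",
                 r"python.exe C:\Projects\build.py"),
]

if __name__ == "__main__":
    for idx, reasons in detect_chain(SAMPLE_EVENTS):
        print(idx, SAMPLE_EVENTS[idx].command_line, "->", "; ".join(reasons))
```

Each heuristic on its own will fire on some legitimate activity (developers run Python from their profile, some document-management products serve files over WebDAV), so in practice these are best correlated within a short window on the same host rather than alerted on individually.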
In June and July, nearly all observed campaigns delivered Xworm, but earlier campaigns also delivered AsyncRAT, VenomRAT, GuLoader, and Remcos. Some campaigns lead to multiple malware payloads, with each unique Python script installing a different malware family.
Campaign message volumes range from hundreds to tens of thousands of messages impacting dozens to thousands of organizations globally. In addition to English, researchers observed French, Spanish, and German language lures. Xworm, AsyncRAT, and VenomRAT campaigns are often higher volume than campaigns delivering Remcos or GuLoader. Lure themes vary, but typically include business-relevant topics like invoices, document requests, package deliveries, and taxes.
While the tactics, techniques and procedures (TTPs) of the campaigns remain consistent, the threat actor does appear to modify parts of the attack chain over time to increase sophistication and evade defenses.
Indicators of Compromise
Proofpoint has provided the following Indicators of Compromise for security awareness:
| Indicator | Description |
| --- | --- |
| spectrum-exactly-knitting-rural[.]trycloudflare[.]com | Trycloudflare Host |
| 53c32ea384894526992d010c0c49ffe250d600b9b4472cce86bbd0249f88eada | .URL SHA256 |
| a79fbad625a5254d4f7f39461c2d687a1937f3f83e184bd62670944462b054f7 | LNK SHA256 |
| 0f1118b30b2da0b6e82f95d9bbf87101d8298a85287f4de58c9655eb8fecd3c6 | CMD SHA256 |
| 157[.]20[.]182[.]172 | Xworm C2 IP |
| dcxwq1[.]duckdns[.]org | AsyncRAT C2 |
| a40f194870b54aeb102089108ecf18b3af9b449066a240f0077ff4edbb556e81 | HTML SHA256 |
| 3867de6fc23b11b3122252dcebf81886c25dba4e636dd1a3afed74f937c3b998 | LNK SHA256 |
| ride-fatal-italic-information[.]trycloudflare[.]com | Trycloudflare Host |
| 0fccf3d1fb38fa337baf707056f97ef011def859901bb922a4d0a1f25745e64f | BAT SHA256 |
| todfg[.]duckdns[.]org | AsyncRAT C2 |
| welxwrm[.]duckdns[.]org | Xworm C2 |
| xwor3july[.]duckdns[.]org | Xworm C2 |
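The indicators above are defanged (`[.]`), so they need to be normalised before they can be matched against DNS, proxy, firewall or EDR logs. The Community Impact section also notes that static blocklists lag behind the short-lived tunnel hosts, so a useful companion check is to flag any `trycloudflare.com` subdomain the list does not yet contain. The following is an added example written for this advisory, not code from Proofpoint or RH-ISAC: it refangs the listed indicators, scans a few constructed log lines, and reports both exact IoC hits and the broader TryCloudflare pattern. The log format, the internal client addresses and the host `quiet-other-words-example.trycloudflare.com` are constructed for the example.

```python
import re

# Network indicators exactly as listed in the advisory above (defanged).
ADVISORY_NETWORK_IOCS = {
    "spectrum-exactly-knitting-rural[.]trycloudflare[.]com": "Trycloudflare Host",
    "ride-fatal-italic-information[.]trycloudflare[.]com": "Trycloudflare Host",
    "157[.]20[.]182[.]172": "Xworm C2 IP",
    "dcxwq1[.]duckdns[.]org": "AsyncRAT C2",
    "todfg[.]duckdns[.]org": "AsyncRAT C2",
    "welxwrm[.]duckdns[.]org": "Xworm C2",
    "xwor3july[.]duckdns[.]org": "Xworm C2",
}

# File hashes exactly as listed in the advisory above.
ADVISORY_HASHES = {
    "53c32ea384894526992d010c0c49ffe250d600b9b4472cce86bbd0249f88eada": ".URL SHA256",
    "a79fbad625a5254d4f7f39461c2d687a1937f3f83e184bd62670944462b054f7": "LNK SHA256",
    "0f1118b30b2da0b6e82f95d9bbf87101d8298a85287f4de58c9655eb8fecd3c6": "CMD SHA256",
    "a40f194870b54aeb102089108ecf18b3af9b449066a240f0077ff4edbb556e81": "HTML SHA256",
    "3867de6fc23b11b3122252dcebf81886c25dba4e636dd1a3afed74f937c3b998": "LNK SHA256",
    "0fccf3d1fb38fa337baf707056f97ef011def859901bb922a4d0a1f25745e64f": "BAT SHA256",
}

TRYCLOUDFLARE_PATTERN_NOTE = "TryCloudflare quick tunnel host (not in static list)"


def refang(ioc: str) -> str:
    """Undo the common defanging conventions so the value matches raw log text."""
    return ioc.replace("[.]", ".").replace("hxxp", "http").lower()


def build_lookup() -> dict[str, str]:
    return {refang(k): v for k, v in ADVISORY_NETWORK_IOCS.items()}


# Hostnames or dotted-quad IPs, and 64-hex-character SHA256 digests, anywhere in a line.
HOST_RE = re.compile(r"\b((?:[a-z0-9-]+\.)+[a-z]{2,}|\d{1,3}(?:\.\d{1,3}){3})\b", re.IGNORECASE)
SHA256_RE = re.compile(r"\b[a-f0-9]{64}\b", re.IGNORECASE)
TRYCLOUDFLARE_RE = re.compile(r"(?:^|\.)trycloudflare\.com$", re.IGNORECASE)


def scan_line(line: str, lookup: dict[str, str]) -> list[tuple[str, str, str]]:
    """Return (kind, value, description) tuples for every indicator seen in one line."""
    hits = []
    for host in HOST_RE.findall(line):
        h = host.lower()
        if h in lookup:
            hits.append(("ioc", h, lookup[h]))
        elif TRYCLOUDFLARE_RE.search(h):
            # Tunnel names rotate; any trycloudflare.com subdomain is worth a look.
            hits.append(("pattern", h, TRYCLOUDFLARE_PATTERN_NOTE))
    for digest in SHA256_RE.findall(line):
        d = digest.lower()
        if d in ADVISORY_HASHES:
            hits.append(("hash", d, ADVISORY_HASHES[d]))
    return hits


def scan_logs(lines: list[str]) -> dict[int, list[tuple[str, str, str]]]:
    """Map line index -> hits for every line that contains at least one indicator."""
    lookup = build_lookup()
    return {i: h for i, line in enumerate(lines) if (h := scan_line(line, lookup))}


# Constructed sample log lines (mixed DNS / proxy / firewall / EDR records).
SAMPLE_LOGS = [
    "2024-07-15T09:12:03Z dns query client=10.0.0.21 qname=spectrum-exactly-knitting-rural.trycloudflare.com type=A",
    "2024-07-15T09:12:09Z proxy client=10.0.0.21 method=PROPFIND url=https://quiet-other-words-example.trycloudflare.com/ status=207",
    "2024-07-15T09:15:41Z firewall allow src=10.0.0.21 dst=157.20.182.172 dport=443",
    r"2024-07-15T09:20:00Z edr file_create sha256=0fccf3d1fb38fa337baf707056f97ef011def859901bb922a4d0a1f25745e64f path=C:\Users\alice\AppData\Local\Temp\run.bat",
    "2024-07-15T09:30:12Z dns query client=10.0.0.22 qname=www.example.com type=A",
]

if __name__ == "__main__":
    for idx, hits in scan_logs(SAMPLE_LOGS).items():
        for kind, value, desc in hits:
            print(f"line {idx}: [{kind}] {value} -> {desc}")
```

The `pattern` hits are the ones to triage with care: TryCloudflare has legitimate uses (developers exposing a local service for testing), so an unexpected subdomain is a lead, not a verdict, while an exact `ioc` or `hash` hit warrants immediate investigation.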