| Category | Details |
|---|---|
| Threat Actors | Unattributed cybercriminal group abusing Cloudflare Tunnel (TryCloudflare) to deliver malware, primarily targeting organizations for financial gain. |
| Campaign Overview | The campaigns are financially motivated and primarily distribute Remote Access Trojans (RATs), including Xworm, AsyncRAT, and VenomRAT. The attackers abuse TryCloudflare Tunnels to evade detection and improve campaign effectiveness. Observed since February 2024. |
| Target Regions (Victims) | Organizations globally, particularly in the law, finance, manufacturing, and technology sectors. Lures are written in English, French, Spanish, and German. |
| Methodology | Campaigns typically begin with phishing messages carrying URLs or attachments that lead to .URL files, which in turn retrieve LNK, VBS, BAT, or CMD files and Python scripts. WebDAV and SMB are used for file staging and delivery. The campaigns have evolved with improved obfuscation and defense evasion. |
| Product Targeted | Primarily financial and business sectors, with a focus on the delivery of RATs. |
| Malware Reference | Xworm, AsyncRAT, VenomRAT, GuLoader, Remcos |
| Tools Used | TryCloudflare Tunnels, Python scripts, PowerShell, and LNK, VBS, BAT, and CMD files for infection. WebDAV and SMB for payload staging. |
| Vulnerabilities Exploited | Abuse of the TryCloudflare service for temporary tunneling and malware delivery. Obfuscation and script evasion techniques used to bypass detection. |
| TTPs | Phishing with malicious attachments/URLs, Cloudflare tunnels for infrastructure, Python scripts for malware delivery, file obfuscation, LNK/VBS files for payload activation, WebDAV/SMB for payload staging. |
| Attribution | No specific attribution yet; the activity is assessed to be a cluster of related cybercriminal activity. Research is ongoing. |
| Recommendations | Restrict access to external file-sharing services (WebDAV, SMB), limit Python usage to the job functions that need it, train employees to recognize phishing, and monitor for unusual network traffic or script activity. |
| Source | Proofpoint |
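The Methodology and Recommendations rows together describe a delivery chain (TryCloudflare tunnel host, .URL shortcut, then LNK/VBS/BAT/CMD or Python payloads fetched over WebDAV) and ask defenders to monitor for the resulting traffic. The following is an added example, not code from Proofpoint or from the summarized report: a small Python scanner that reads web-proxy log lines and flags the three indicators the table names. The log format, the sample lines, and the client IPs are constructed for the example; the `.trycloudflare.com` hostname suffix for quick tunnels and the `Microsoft-WebDAV-MiniRedir` user-agent prefix of the built-in Windows WebDAV client are assumptions based on general knowledge, not values taken from the page.

```python
"""Scan proxy log lines for the delivery pattern described in the table:
TryCloudflare tunnel hosts, shortcut/script file downloads, and WebDAV fetches."""
import posixpath
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional
from urllib.parse import urlsplit

# Constructed sample log lines (not real traffic from the report). Assumed
# format: "<timestamp> <client_ip> <method> <url> <status> \"<user_agent>\"".
SAMPLE_LOG = """\
2024-07-01T10:02:13Z 10.0.0.21 GET https://www.example.com/index.html 200 "Mozilla/5.0"
2024-07-01T10:03:44Z 10.0.0.21 GET http://weird-words-here.trycloudflare.com/invoice.url 200 "Mozilla/5.0"
2024-07-01T10:04:02Z 10.0.0.21 PROPFIND http://weird-words-here.trycloudflare.com/share/ 207 "Microsoft-WebDAV-MiniRedir/10.0.19045"
2024-07-01T10:04:05Z 10.0.0.21 GET http://weird-words-here.trycloudflare.com/share/report.lnk 200 "Microsoft-WebDAV-MiniRedir/10.0.19045"
2024-07-01T11:15:00Z 10.0.0.37 GET http://fileserver.corp.example/tools/setup.bat 200 "Microsoft-WebDAV-MiniRedir/10.0.19045"
2024-07-01T11:20:00Z 10.0.0.37 GET https://pypi.org/simple/requests/ 200 "pip/24.0"
2024-07-01T11:21:00Z 10.0.0.37 GET https://cdn.example.net/script.py 200 "Mozilla/5.0"
"""

LINE_RE = re.compile(r'^(\S+) (\S+) (\S+) (\S+) (\d{3}) "(.*)"$')
TUNNEL_SUFFIX = ".trycloudflare.com"            # assumed suffix of quick-tunnel hostnames
STAGING_EXTS = {".url", ".lnk", ".vbs", ".bat", ".cmd", ".py"}  # file types named in the chain
WEBDAV_UA_PREFIX = "Microsoft-WebDAV-MiniRedir"  # assumed Windows WebDAV client user-agent


@dataclass
class Alert:
    timestamp: str
    client: str
    host: str
    path: str
    reasons: List[str] = field(default_factory=list)


def parse_line(line: str) -> Optional[dict]:
    """Split one log line into fields; return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, client, method, url, status, ua = m.groups()
    parts = urlsplit(url)
    return {"timestamp": ts, "client": client, "method": method,
            "host": (parts.hostname or "").lower(), "path": parts.path,
            "status": int(status), "user_agent": ua}


def indicators(rec: dict) -> List[str]:
    """Return the list of indicators present in one parsed record."""
    reasons = []
    if rec["host"].endswith(TUNNEL_SUFFIX):
        reasons.append("trycloudflare tunnel host")
    ext = posixpath.splitext(rec["path"])[1].lower()
    if ext in STAGING_EXTS:
        reasons.append(f"staging file type {ext}")
    if rec["user_agent"].startswith(WEBDAV_UA_PREFIX):
        reasons.append("WebDAV client user-agent")
    return reasons


def should_alert(reasons: List[str]) -> bool:
    """A tunnel host alone is worth a look; otherwise require two indicators,
    so a lone .py download or a lone WebDAV request does not page anyone."""
    return any(r.startswith("trycloudflare") for r in reasons) or len(reasons) >= 2


def analyze(log_text: str) -> List[Alert]:
    """Run the indicator checks over every parseable line and collect alerts."""
    alerts = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        reasons = indicators(rec)
        if should_alert(reasons):
            alerts.append(Alert(rec["timestamp"], rec["client"], rec["host"],
                                rec["path"], reasons))
    return alerts


def alerts_per_client(alerts: List[Alert]) -> Dict[str, int]:
    """Aggregate alerts by client IP so triage can start with the noisiest host."""
    counts: Dict[str, int] = {}
    for a in alerts:
        counts[a.client] = counts.get(a.client, 0) + 1
    return counts


if __name__ == "__main__":
    found = analyze(SAMPLE_LOG)
    for a in found:
        print(a.timestamp, a.client, a.host + a.path, "; ".join(a.reasons))
    print(alerts_per_client(found))
```

On the constructed sample this produces four alerts: the three tunnel-host requests from the first client (the .URL download, the WebDAV PROPFIND, and the LNK fetch) and the WebDAV download of a .bat file from an internal server by the second client. The lone `script.py` download and the pip traffic are left alone because a single weak indicator is not enough under `should_alert`; tune `STAGING_EXTS` and the two-indicator threshold to your own environment's baseline.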
Read full article: https://www.proofpoint.com/us/blog/threat-insight/threat-actor-abuses-cloudflare-tunnels-deliver-rats
The above summary has been generated by an AI language model