Threat Actor Abuses Cloudflare Tunnels to Deliver RATs

Threat Actors: Unattributed cybercriminal group using Cloudflare Tunnel abuse to deliver malware, primarily targeting organizations for financial gain.

Campaign Overview: The campaigns are financially motivated and primarily distribute Remote Access Trojans (RATs), including Xworm, AsyncRAT, and VenomRAT. The attackers abuse TryCloudflare Tunnels to bypass detection and enhance campaign efficacy. Observed since February 2024.

Target Regions (Victims): Organizations globally, particularly in the law, finance, manufacturing, and technology sectors. Lures are in English, French, Spanish, and German.

Methodology: Campaigns typically begin with phishing messages carrying URLs or attachments that lead to .URL files, followed by the download of LNK, VBS, BAT, and CMD files and Python scripts. WebDAV and SMB are used for file staging and delivery. The campaigns evolve over time with improved obfuscation and defense evasion.

Product Targeted: Primarily financial and business sectors, focusing on the delivery of RATs.

Malware Reference: Xworm, AsyncRAT, VenomRAT, GuLoader, Remcos

Tools Used: TryCloudflare Tunnels; Python scripts, PowerShell, and LNK, VBS, BAT, and CMD files for infection; WebDAV and SMB for payload staging.

Vulnerabilities Exploited: Abuse of the TryCloudflare service for temporary tunneling and malware delivery. Obfuscation and script evasion techniques are used to bypass detection.

TTPs: Phishing with malicious attachments/URLs, use of Cloudflare tunnels for infrastructure, Python scripts for malware delivery, file obfuscation, use of LNK/VBS files for payload activation, and WebDAV/SMB for payload staging.

Attribution: No specific attribution yet; the activity is tracked as a cluster of related cybercriminal activity. Research is ongoing.

Recommendations: Restrict access to external file-sharing services (WebDAV, SMB), limit Python usage to the job functions that need it, train employees on phishing detection, and monitor for unusual network traffic or script activity.

Source: Proofpoint

Read full article: https://www.proofpoint.com/us/blog/threat-insight/threat-actor-abuses-cloudflare-tunnels-deliver-rats

The above summary has been generated by an AI language model