Cybersecurity companies are warning of a surge in misuse of Cloudflare’s free TryCloudflare service to deliver malware.
Activity documented by both eSentire and Proofpoint involves using TryCloudflare to create a one-way tunnel that relays traffic from an attacker-controlled server to a local machine through Cloudflare’s infrastructure.
Attack chains using this technique have been observed to deliver a cocktail of malware families such as AsyncRAT, GuLoader, PureLogs Stealer, Remcos RAT, Venom RAT, and XWorm.
The initial access vector is a phishing email carrying a ZIP archive that contains a URL shortcut file, which directs the recipient to a Windows shortcut file hosted on a WebDAV server proxied through TryCloudflare.
The shortcut file, in turn, executes next-stage batch scripts that retrieve and run additional Python payloads, while displaying a decoy PDF document hosted on the same WebDAV server to keep up the ruse.
“These scripts performed actions such as launching spoofed PDF files, downloading additional malicious files, and changing file attributes to avoid detection,” eSentire noted.
“A key element of their strategy was to use direct system calls to bypass security monitoring tools, decipher layers of shellcode, and deploy Early Bird APC queue injection to silently execute code and effectively evade detection.”
According to Proofpoint, the phishing lures are written in English, French, Spanish and German, and email volumes range from hundreds to tens of thousands of messages aimed at organizations around the world. The lures cover topics such as invoices, document requests, parcel deliveries and taxes.
The campaign, although classified as one cluster of related activity, has not been attributed to a specific threat actor or group, but the email security provider assesses it to be financially motivated.
Malicious use of TryCloudflare was first reported last year, when Sysdig discovered a cryptojacking and proxyjacking campaign called LABRAT that weaponized a now-patched critical flaw in GitLab to infiltrate targets and obscure its command-and-control (C2) servers using Cloudflare tunnels.
In addition, the use of WebDAV and Server Message Block (SMB) to host and deliver payloads means enterprises need to restrict access to external file-sharing services to known, whitelisted servers only.
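The attachment pattern described above (a ZIP containing a URL shortcut that points at a TryCloudflare-fronted WebDAV share) and the allowlisting advice lend themselves to a mail-gateway check. The following is an added example, not code from eSentire, Proofpoint or Cloudflare; the allowlist entry, the TryCloudflare hostname and the sample archive are all constructed placeholders.

```python
import io
import re
import zipfile
from urllib.parse import urlsplit

ALLOWED_FILE_SERVERS = {"files.corp.example"}  # constructed placeholder allowlist
_URL_RE = re.compile(r"^URL=(.+?)\s*$", re.MULTILINE | re.IGNORECASE)
_UNC_RE = re.compile(r"^(?:file:)?[\\/]{2,}([^\\/?#]+)", re.I)  # \\host\ or file://host/

def shortcut_target(data: bytes):
    """Return the URL= value of a Windows .url (InternetShortcut) file, or None."""
    m = _URL_RE.search(data.decode("utf-8", errors="replace"))
    return m.group(1) if m else None

def target_host(url: str):
    """Remote host a shortcut points at; WebDAV UNC syntax appends @port or @SSL."""
    if url.startswith("\\\\") or url.lower().startswith("file:"):
        m = _UNC_RE.match(url)
        return m.group(1).split("@")[0].lower() if m else None
    host = urlsplit(url).hostname
    return host.lower() if host else None

def is_suspicious_target(url: str) -> bool:
    """True for TryCloudflare hosts or any remote share not on the allowlist."""
    host = target_host(url)
    if not host:
        return False
    tunnel = host == "trycloudflare.com" or host.endswith(".trycloudflare.com")
    is_share = url.startswith("\\\\") or url.lower().startswith("file:")
    return tunnel or (is_share and host not in ALLOWED_FILE_SERVERS)

def flag_zip_attachment(zip_bytes: bytes):
    """List (member, target) for every .url shortcut pointing at a suspicious host."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.filename.lower().endswith(".url"):
                url = shortcut_target(zf.read(info))
                if url and is_suspicious_target(url):
                    hits.append((info.filename, url))
    return hits

def build_sample_zip() -> bytes:
    """Constructed sample attachment mirroring the reported chain (no real IoCs)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Invoice_4411.url", "[InternetShortcut]\r\nURL=file://placeholder-words.trycloudflare.com@SSL/DavWWWRoot/Invoice.lnk\r\n")
        zf.writestr("Notes.url", "[InternetShortcut]\r\nURL=https://www.example.com/\r\n")
    return buf.getvalue()
```

Run `flag_zip_attachment(build_sample_zip())` to see only the TryCloudflare-bound shortcut flagged; the same check applied to proxy or DNS logs for `*.trycloudflare.com` lookups gives a network-side signal for the same activity.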
“Using Cloudflare tunnels gives threat actors the ability to use temporary infrastructure to scale their operations, providing the flexibility to create and take down instances in a timely manner,” said Proofpoint researchers Joe Wise and Selena Larson.
“This complicates the task for defenders and traditional security measures such as reliance on static block lists. Cloudflare’s temporary instances give attackers a low-cost way to stage attacks with helper scripts that have limited exposure to detection and takedown efforts.”
The findings come as the Spamhaus Project called on Cloudflare to review its anti-abuse policies after cybercriminals used its services to mask malicious activity and improve their operational security through so-called living-off-trusted-services (LoTS).
It said it is “watching attackers move their already DBL-listed domains to Cloudflare to mask the backend of their work, whether it’s spammy domains, phishing, or worse.”