Threat Research

Cloudflare Tunnels Exploited by Threat Actor to Deliver RATs

Proofpoint

Proofpoint reports a rise in malware delivery abusing TryCloudflare Tunnels to deploy remote access trojans (RATs) such as Xworm, AsyncRAT, VenomRAT, GuLoader, and Remcos. Campaigns evolve to evade detection using obfuscated scripts and temporary infrastructure backed by Cloudflare tunnels.
#Xworm #TryCloudflareTunnels

Keypoints

  • Increase in malware delivery via TryCloudflare Tunnel abuse.
  • Activity is financially motivated and focused on remote access trojans (RATs).
  • Campaigns have altered tactics to bypass detection and improve efficacy.
  • First observed in February 2024, with elevated activity from May to July.
  • Delivery typically involves URLs or attachments leading to .URL files.
  • Malware delivered includes Xworm, AsyncRAT, VenomRAT, GuLoader, and Remcos.
  • Threat actors use business-themed lures and increasingly obfuscate scripts.
  • Use of Cloudflare tunnels enables temporary infrastructure and evasion of static blocks.
  • Recommendation: restrict access to external file sharing services and monitor for anomalous tunnel use.

MITRE Techniques

  • [T1059.001] PowerShell – Used to download a zipped Python package and Python scripts. Quote: “PowerShell to download a zipped Python package and Python scripts.”
  • [T1059.003] Windows Command Shell – A BAT or CMD file downloads a Python installer package and Python scripts. Quote: “a BAT or CMD file that downloads a Python installer package and a series of Python scripts.”
  • [T1547.001] Startup Items – Startup Items used for persistence. Quote: “Startup Items (T1547.001)”
  • [T1027] Obfuscated Files or Information – Obfuscation added to their code to evade detection. Quote: “obfuscation in their code.”
  • [T1003] Credential Dumping – Credential access via dumping credentials. Quote: “Credential Dumping (T1003)”
  • [T1071] Application Layer Protocol – C2 communications leveraging application-layer protocols. Quote: “Application Layer Protocol (T1071)”
  • [T1102] Web Service – Use of web services to facilitate C2 or data exfiltration. Quote: “Web Service (T1102)”

Indicators of Compromise

  • [Domain] Trycloudflare hosts used for tunneling – spectrum-exactly-knitting-rural[.]trycloudflare[.]com, ride-fatal-italic-information[.]trycloudflare[.]com
  • [SHA256] .URL file hash – a79fbad625a5254d4f7f39461c2d687a1937f3f83e184bd62670944462b054f7
  • [SHA256] LNK file hash – 0f1118b30b2da0b6e82f95d9bbf87101d8298a85287f4de58c9655eb8fecd3c6
  • [SHA256] HTML payload hash – 3867de6fc23b11b3122252dcebf81886c25dba4e636dd1a3afed74f937c3b998
  • [Domain] C2 domains used by Xworm/AsyncRAT – dcxwq1[.]duckdns[.]org, welxwrm[.]duckdns[.]org
  • [Domain] Trycloudflare-hosting subdomains observed – spectrum-exactly-knitting-rural[.]trycloudflare[.]com, ride-fatal-italic-information[.]trycloudflare[.]com

Read more: https://www.proofpoint.com/us/blog/threat-insight/threat-actor-abuses-cloudflare-tunnels-deliver-rats

SHARE THIS STORY

WhatsAppX (Twitter)TelegramBlueskyFacebookLinkedInThreadsEmailPrint