It’s About The Journey: Fake Cloudflare Authenticator

This article walks through a multi-stage malware infection chain in which a sequence of executable files ultimately deploys the VShell red team tool. The investigation highlights the suspicious files discovered on VirusTotal, the techniques they use to evade detection, and the method the malware uses to establish persistence on the targeted system. Affected: macOS software, malware sector, cybersecurity

Key points:

  • A suspicious file named Cloudflare Security Authenticator was found on VirusTotal, tagged as a dropper.
  • The file was uploaded from China and had 0 detections on VirusTotal.
  • The analysis revealed staged Mach-O files executed sequentially as part of the infection chain.
  • Each stage of the chain performed specific malicious tasks, including creating hidden files and downloading additional payloads.
  • The final-stage malware, named VShell, was revealed to enable additional Kerberos or C2 actions.
  • The malware attempted to masquerade as a legitimate TOTP application for Cloudflare.
  • Signs of persistence through system cron jobs were identified, ensuring the malware executes again after system reboots.

MITRE Techniques:

  • T1071.001: Application Layer Protocol – The malware uses HTTP for command and control communication, evidenced by GET requests sent to the C2 server.
  • T1203: Exploitation for Client Execution – The unsigned application exploits user actions for execution.
  • T1036: Masquerading – The malware disguises itself as a legitimate Cloudflare application.
  • T1059.001: Command and Scripting Interpreter: PowerShell – The final payload uses shell commands for execution via a cron job.
  • T1060: Registry Run Keys / Startup Folder – The malware creates a cron job for persistence to launch upon reboot.

Indicators of Compromise:

  • [URL] http://43[.]156[.]13[.]232:8084/?a=d64&h=43.156.13.232&t=ws_&p=8084
  • [IP Address] 43.156.13.232
  • [SHA-256] e96fe377ac512794ade4ebd4384ef2cc085156481979e684eebdfa8275176fb0
  • [SHA-256] f69dd48ae8eb3767398316ad8bfa4a2e66dfabb38966f949453e08225255b270
  • [Filename] /Users/username/.gps
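As an added defensive example (not code from the Kandji post), the following Python flags crontab entries that show the persistence pattern described above: an entry that runs at reboot, a launcher that is a hidden file under a user's home directory (as with the `.gps` indicator), or a command that references the reported C2 address. The crontab text is constructed for illustration; the IP and hidden-file path are the indicators listed on this page.

```python
import re

# Constructed sample of `crontab -l` output (not from the original report).
# The first entry is benign housekeeping; the others mirror the indicators.
SAMPLE_CRONTAB = """\
# m h dom mon dow command
0 3 * * * /usr/bin/find /tmp -name '*.log' -mtime +7 -delete
@reboot /Users/username/.gps
*/5 * * * * /bin/sh -c "curl -s http://43.156.13.232:8084/"
"""

KNOWN_C2_IPS = {"43.156.13.232"}                      # from the IoC list above
HIDDEN_HOME_FILE = re.compile(r"/Users/[^/\s]+/\.[^/\s]+")  # /Users/<user>/.<name>
IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def parse_crontab(text):
    """Yield (schedule, command) pairs, skipping blank and comment lines."""
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("@"):            # @reboot, @daily, ... keyword form
            schedule, _, command = line.partition(" ")
        else:                               # five time fields, then the command
            fields = line.split(None, 5)
            if len(fields) < 6:
                continue
            schedule, command = " ".join(fields[:5]), fields[5]
        yield schedule, command.strip()


def flag_entries(text, c2_ips=KNOWN_C2_IPS):
    """Return (schedule, command, reasons) for entries matching the report's pattern."""
    findings = []
    for schedule, command in parse_crontab(text):
        reasons = []
        if schedule == "@reboot":
            reasons.append("runs at every reboot")
        if HIDDEN_HOME_FILE.search(command):
            reasons.append("launches a hidden file in a user home directory")
        hits = set(IPV4.findall(command)) & set(c2_ips)
        if hits:
            reasons.append("references known C2 IP " + ", ".join(sorted(hits)))
        if reasons:
            findings.append((schedule, command, reasons))
    return findings


if __name__ == "__main__":
    for schedule, command, reasons in flag_entries(SAMPLE_CRONTAB):
        print(f"[{schedule}] {command}\n    " + "; ".join(reasons))
```

Run it against real `crontab -l` output per user; the hidden-file rule is a heuristic and will also surface benign dotfile paths such as `~/.local/bin`, so review hits rather than acting on them automatically.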

Full Story: https://blog.kandji.io/fake-cloudflare-authenticator