Cybersecurity firms are raising alarms about an increase in the misuse of Cloudflare’s TryCloudflare free service for malware distribution.
Reports from both eSentire and Proofpoint detail the exploitation of TryCloudflare to establish one-time tunnels, which serve as channels for transmitting traffic from attacker-controlled servers to local machines via Cloudflare’s infrastructure.
This method has been observed in attack chains deploying a variety of malware families, including AsyncRAT, GuLoader, PureLogs Stealer, Remcos RAT, Venom RAT, and XWorm.
The initial infection vector typically involves a phishing email containing a ZIP archive with a URL shortcut file. This file directs recipients to a Windows shortcut hosted on a TryCloudflare-proxied WebDAV server.
Upon execution, the shortcut file triggers batch scripts that download and execute additional Python payloads while presenting a decoy PDF document, also hosted on the same WebDAV server, to maintain the deception.
“These scripts performed actions such as launching decoy PDFs, downloading further malicious payloads, and altering file attributes to avoid detection,” eSentire reported.
“A significant aspect of the attackers’ strategy included using direct syscalls to bypass security monitoring tools, decrypting shellcode layers, and employing the Early Bird APC queue injection technique to covertly execute code and evade detection.”
Proofpoint noted that the phishing lures, crafted in English, French, Spanish, and German, ranged from hundreds to tens of thousands of emails targeting organizations worldwide. The themes varied, covering invoices, document requests, package deliveries, and taxes.
While the campaign is linked to a cluster of related activity, it hasn’t been attributed to a specific threat actor or group, though it is believed to be financially motivated.
The abuse of TryCloudflare for malicious purposes was initially observed last year, with Sysdig uncovering the LABRAT campaign, which leveraged a now-patched critical GitLab flaw for cryptojacking and proxyjacking. This campaign utilized Cloudflare tunnels to obscure command-and-control (C2) servers.
Additionally, the employment of WebDAV and Server Message Block (SMB) for payload staging and delivery underscores the need for enterprises to limit access to external file-sharing services to known, allow-listed servers.
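As an added, defender-side illustration of the lure chain described above (ZIP containing a .url file that points at a Windows shortcut on a TryCloudflare-proxied WebDAV server) and of the allow-listing advice here, the Python below triages a mailed Internet Shortcut: it extracts the target, flags a TryCloudflare-tunnelled host, a WebDAV/SMB host missing from an allow-list, and script/executable targets. This is example code, not from eSentire, Proofpoint or the article; the allow-list entry, tunnel host name and sample files are constructed.

```python
import posixpath
from configparser import ConfigParser, Error as ConfigError
from typing import List, Optional
from urllib.parse import urlparse

# Hypothetical allow-list of approved external file-sharing hosts (constructed).
ALLOWED_FILE_SHARE_HOSTS = {"files.example-corp.test"}
# Target types a mailed shortcut should never point at (scripts and executables).
RISKY_TARGET_EXTENSIONS = {".lnk", ".bat", ".cmd", ".exe", ".js", ".vbs", ".ps1", ".py"}

def parse_internet_shortcut(text: str) -> Optional[str]:
    """Return the URL= value of a Windows .url (Internet Shortcut) file, or None."""
    cp = ConfigParser(interpolation=None)
    try:
        cp.read_string(text)
    except ConfigError:
        return None
    return cp.get("InternetShortcut", "URL", fallback=None)

def target_host(url: str) -> str:
    """Lower-cased host of an http(s):// or file:// (UNC / WebDAV) target."""
    parsed = urlparse(url)
    if parsed.scheme in ("http", "https"):
        return (parsed.hostname or "").lower()
    # WebDAV UNC targets look like file://host@SSL/DavWWWRoot/..., so strip '@SSL'/'@port'.
    return parsed.netloc.split("@", 1)[0].lower()

def assess_shortcut(text: str) -> List[str]:
    """Reasons a mailed .url file looks like payload staging; empty list means clean."""
    url = parse_internet_shortcut(text)
    if url is None:
        return ["not a parseable Internet Shortcut"]
    url = url.replace("\\", "/")  # normalise UNC-style backslashes
    parsed = urlparse(url)
    host = target_host(url)
    ext = posixpath.splitext(parsed.path)[1].lower()
    reasons = []
    if host.endswith(".trycloudflare.com"):
        reasons.append("target is served through a TryCloudflare quick tunnel")
    if parsed.scheme in ("file", "") and host and host not in ALLOWED_FILE_SHARE_HOSTS:
        reasons.append(f"WebDAV/SMB host {host} is not on the file-share allow-list")
    if ext in RISKY_TARGET_EXTENSIONS:
        reasons.append(f"target is a script/executable type ({ext})")
    return reasons

# Constructed sample lure in the shape the article describes (hypothetical tunnel host).
SAMPLE_LURE = "[InternetShortcut]\nURL=file://quiet-words.trycloudflare.com@SSL/DavWWWRoot/invoice.lnk\n"
SAMPLE_BENIGN = "[InternetShortcut]\nURL=https://www.example.com/report.pdf\n"
```

Running `assess_shortcut` over .url files extracted from mail attachments at the gateway gives a cheap triage signal that does not depend on a static blocklist of tunnel hostnames, which the article notes rotate quickly.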
“Cloudflare tunnels offer threat actors the flexibility to quickly set up and dismantle temporary infrastructure, enabling them to scale their operations efficiently,” explained Proofpoint researchers Joe Wise and Selena Larson.
“This complicates the efforts of defenders and traditional security measures, such as static blocklists. The use of temporary Cloudflare instances provides attackers with a low-cost method to execute attacks using auxiliary scripts, while minimizing the chances of detection and takedown.”
These findings come as the Spamhaus Project urged Cloudflare to reassess its anti-abuse policies in response to cybercriminals exploiting its services to conceal malicious activities and bolster their operational security through living-off-trusted-services (LoTS).
Spamhaus noted that “miscreants are relocating their domains, which are already listed in the DBL, to Cloudflare to mask the backend of their operations, whether it involves spamvertized domains, phishing, or other malicious activities.”
Source: TheHackerNews