Cybercriminals Misuse Cloudflare Tunnels for RAT Distribution
Proofpoint researchers have identified threat actors misusing Cloudflare's free "TryCloudflare" service to distribute various remote access trojans (RATs). The campaign, active since February 2024, has delivered AsyncRAT, GuLoader, VenomRAT, Remcos RAT, and Xworm, abusing the temporary tunnels Cloudflare provides to conceal its malicious traffic. Proofpoint's report of August 1, 2024, attributes the campaign to no known threat actor group. Even without attribution, the wide range of targets and the escalation of activity from May through July 2024 make this a threat individuals and organizations should be aware of. The campaign spans multiple geographic regions: the phishing messages have been observed in English, French, German, and Spanish.
The first of the two reported campaigns, dated May 28, 2024, illustrates the starting point of the campaign's evolution. Threat actors sent tax-related lures by email containing links that triggered the download of a .URL file. That file executed a remote .LNK file, which in turn started a chain of CMD and PowerShell scripts designed to download and execute Python scripts, ultimately deploying AsyncRAT and Xworm. This attack involved fewer than 50 messages and targeted sectors with high confidentiality needs, such as legal and finance. "In most campaigns, messages contain a URL or attachment leading to an internet shortcut (.URL) file. When executed, it establishes a connection to an external file share, typically via WebDAV, to download an LNK or VBS file. When executed, the LNK/VBS executes a BAT or CMD file that downloads a Python installer package and a series of Python scripts leading to malware installation," Proofpoint researchers report.
By July 11, 2024, the scope of the attacks had widened: Proofpoint observed over 1,500 malicious emails targeting not only the original sectors but also manufacturing and technology. This later campaign used "invoice receipt" lures that prompted users to open HTML attachments containing a search-ms query. The query redirected users to a malicious LNK file, which used obfuscated BAT files to run PowerShell and Python scripts, culminating in the execution of AsyncRAT and Xworm. Beginning in June, the campaigns added obfuscation to their scripts, a clear evolution in the attackers' methods aimed at circumventing conventional security measures.
BleepingComputer's reporting indicates that Cloudflare has responded by disabling malicious tunnels as they are identified and by extending its monitoring with machine-learning techniques intended to detect and mitigate such abuse. The transient nature of the tunnels used in these attacks, however, remains an ongoing challenge for detection. Cloudflare adds, "We encourage Proofpoint and other security vendors to submit any suspicious URLs, and we will take action against any customers that use our services for malware." Organizations are advised to remain vigilant about the use of temporary tunneling services and to consider additional safeguards, such as closer monitoring of network traffic and restricting the execution of unverified scripts and attachments, to prevent unauthorized command execution and malware installation.
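The monitoring advice above can be turned into two concrete checks: flag outbound requests to TryCloudflare quick-tunnel hostnames in web-proxy logs, and flag inbound attachments that carry the chain's early-stage indicators (a .URL internet shortcut pointing at a remote share, or an HTML file containing a search-ms: URI). The following Python is an added example written for this article; it is not Proofpoint's or Cloudflare's code. It assumes TryCloudflare quick tunnels are served from *.trycloudflare.com hostnames, and the proxy-log format and the sample attachments are constructed for the demonstration.

```python
"""Detection helpers for the TryCloudflare-abuse delivery chain described above.

Added example, not Proofpoint's or Cloudflare's code. Assumptions:
  * proxy log lines look like "<timestamp> <client-ip> <method> <url> <status>"
    (a constructed format; adapt the split to your own proxy's schema)
  * TryCloudflare quick tunnels use *.trycloudflare.com hostnames
"""
import re
from urllib.parse import urlparse

TUNNEL_SUFFIX = ".trycloudflare.com"

# Constructed sample proxy log (not real traffic). The PROPFIND line models a
# WebDAV share being browsed through a tunnel, as the reported chain does.
SAMPLE_PROXY_LOG = """\
2024-07-11T09:12:03Z 10.0.4.21 GET https://www.example.com/index.html 200
2024-07-11T09:12:45Z 10.0.4.21 GET https://words-words-words-words.trycloudflare.com/invoice.lnk 200
2024-07-11T09:13:02Z 10.0.4.21 PROPFIND https://another-random-name.trycloudflare.com/share/ 207
2024-07-11T09:14:10Z 10.0.4.33 GET https://docs.example.org/report.pdf 200
"""

# Constructed sample .URL internet shortcut whose target is a remote WebDAV
# share exposed through a tunnel (hostname is made up).
SAMPLE_URL_FILE = """[InternetShortcut]
URL=file://random-words.trycloudflare.com@SSL/DavWWWRoot/tax/statement.lnk
IconIndex=13
"""

# Constructed sample HTML lure containing a search-ms: URI (hostname is made up).
SAMPLE_HTML = r'<html><body><a href="search-ms:query=invoice&crumb=location:\\random-words.trycloudflare.com@SSL\share">Open invoice</a></body></html>'

# URL= line whose target is a remote host: scheme://host..., //host..., or \\host...
REMOTE_TARGET_RE = re.compile(r"^URL=\s*(?:\w+:)?(?://|\\\\)([^/\\@\s]+)", re.IGNORECASE | re.MULTILINE)
SEARCH_MS_RE = re.compile(r"search-ms:", re.IGNORECASE)


def tunnel_requests(log_text: str):
    """Return (client, method, host, path) for each request to a *.trycloudflare.com host."""
    hits = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) < 5:
            continue  # malformed line; skip rather than crash the sweep
        _ts, client, method, url, _status = parts[:5]
        parsed = urlparse(url)
        host = (parsed.hostname or "").lower()
        if host.endswith(TUNNEL_SUFFIX):
            hits.append((client, method, host, parsed.path))
    return hits


def attachment_indicators(filename: str, content: str):
    """Return a list of indicator tags found in an attachment's text content."""
    found = []
    name = filename.lower()
    if name.endswith(".url"):
        m = REMOTE_TARGET_RE.search(content)
        if m:
            # An internet shortcut that reaches out to a remote share is the
            # first stage of the reported chain.
            found.append(f"url_shortcut_remote_target:{m.group(1).lower()}")
    if name.endswith((".html", ".htm")) and SEARCH_MS_RE.search(content):
        found.append("search_ms_uri")
    if TUNNEL_SUFFIX in content.lower():
        found.append("trycloudflare_reference")
    return found


if __name__ == "__main__":
    for hit in tunnel_requests(SAMPLE_PROXY_LOG):
        print("tunnel request:", hit)
    print("invoice.url:", attachment_indicators("invoice.url", SAMPLE_URL_FILE))
    print("invoice.html:", attachment_indicators("invoice.html", SAMPLE_HTML))
```

Both checks are deliberately narrow: a hit on a tunnel hostname is not proof of compromise, since the service has legitimate uses, but a PROPFIND to a tunnel host followed by a .lnk download from a client that just received a .URL or HTML attachment matches the reported chain closely enough to warrant triage.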