A new cybercriminal operation discovered earlier this year leverages the free TryCloudflare service to deploy various remote access trojans (RATs). The confirmed malware strains involved in this operation are AsyncRAT, GuLoader, VenomRAT, Remcos RAT, and Xworm.
These malicious activities prompted researchers to warn organisations that threat actors are increasingly misusing the Cloudflare Tunnel service to distribute RATs.
The campaign has been difficult for defenders to spot because the Cloudflare Tunnel service proxies traffic through an encrypted tunnel, allowing local services and servers to be reached over the Internet without exposing their IP addresses.
This feature gives legitimate users added security and convenience because there is no need to open public inbound ports or configure VPN connections. Moreover, TryCloudflare lets users create temporary tunnels to local servers and test the service without requiring a Cloudflare account.
Each tunnel generates a temporary random subdomain on the trycloudflare.com domain that routes traffic through Cloudflare’s network to the local server. Threat actors have previously exploited this functionality to reach infected devices remotely while evading detection.
Threat actors abuse the official TryCloudflare domain to target various industries.
The malware activity that maliciously utilised the TryCloudflare service targeted industries such as banking, law, tech, and manufacturing. Researchers explained that the threat actors host malicious LNK (Windows shortcut) files on TryCloudflare subdomains to execute the campaign.
In addition, the malware operators lure victims with tax-themed emails containing URLs or attachments that lead to the LNK payload. Once a victim opens the LNK file, it runs a BAT or CMD script that invokes PowerShell. The final stage of the attack downloads Python installers for the final payload.
The main surge of email distribution started on July 11, sending almost 1,500 malicious messages, whereas an earlier wave from May 28 included fewer than 50 messages. Hosting LNK files on Cloudflare has various advantages for the attackers, including making the traffic appear legitimate because of the service’s reputation.
Furthermore, the TryCloudflare Tunnel feature provides anonymity, and the LNK-serving subdomains are transitory, so blocking individual subdomains does little to help defenders stop such campaigns.
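Because each tunnel gets a fresh random label under trycloudflare.com, a defender gets more mileage from matching the parent domain and the staged file types than from maintaining a list of individual subdomains. The following Python script is an added example for this article, not code from the researchers or from Cloudflare; the proxy log format (timestamp, client IP, method, URL, status) and the log lines themselves are constructed for illustration, and the tunnel hostnames and file names in them are invented placeholders, not indicators from the campaign.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple
from urllib.parse import urlparse

# Match any host under trycloudflare.com. The random subdomain label is
# deliberately wildcarded: every tunnel gets a new one, so a blocklist of
# individual subdomains cannot keep up (the point made in the article).
TRYCLOUDFLARE_RE = re.compile(r"(?:^|\.)trycloudflare\.com$", re.IGNORECASE)

# File types that appear in the described chain: LNK first stage, BAT/CMD
# second stage, PowerShell scripts, then Python installers / executables.
SUSPICIOUS_EXT = (".lnk", ".bat", ".cmd", ".ps1", ".py", ".exe", ".msi")


@dataclass
class Finding:
    timestamp: str
    client: str
    url: str
    reason: str


def is_trycloudflare_host(host: str) -> bool:
    """True for trycloudflare.com and any subdomain of it (trailing dot tolerated)."""
    return bool(TRYCLOUDFLARE_RE.search(host.rstrip(".")))


def classify_url(url: str) -> Optional[str]:
    """Return a human-readable reason if the URL is worth alerting on, else None."""
    parsed = urlparse(url)
    host = parsed.hostname or ""          # urlparse lowercases the host for us
    if not is_trycloudflare_host(host):
        return None
    path = parsed.path.lower()
    if path.endswith(SUSPICIOUS_EXT):
        ext = path.rsplit(".", 1)[-1]
        return f"trycloudflare tunnel serving {ext.upper()} file"
    # Plain access to a quick tunnel is not proof of anything, but it is rare
    # enough in most fleets to deserve a look.
    return "trycloudflare tunnel access (review)"


def parse_proxy_line(line: str) -> Optional[Tuple[str, str, str, str, str]]:
    """Parse the constructed format: '<ts> <client_ip> <method> <url> <status>'."""
    parts = line.split()
    if len(parts) != 5:
        return None
    ts, client, method, url, status = parts
    return ts, client, method, url, status


def scan_proxy_log(lines: List[str]) -> List[Finding]:
    """Run the classifier over every log line and collect the hits."""
    findings: List[Finding] = []
    for line in lines:
        rec = parse_proxy_line(line)
        if rec is None:
            continue
        ts, client, _method, url, _status = rec
        reason = classify_url(url)
        if reason:
            findings.append(Finding(ts, client, url, reason))
    return findings


def payload_chain(findings: List[Finding]) -> Dict[str, List[str]]:
    """Group downloaded file extensions per client, in time order, so the
    LNK -> BAT/CMD -> installer staging described in the article stands out."""
    chain: Dict[str, List[str]] = {}
    for f in sorted(findings, key=lambda f: f.timestamp):
        path = urlparse(f.url).path.lower()
        if path.endswith(SUSPICIOUS_EXT):
            chain.setdefault(f.client, []).append(path.rsplit(".", 1)[-1])
    return chain


# Constructed sample log (hostnames and file names are placeholders).
SAMPLE_LOG = [
    "2024-07-11T09:14:02Z 10.20.30.41 GET https://quiet-forest-example.trycloudflare.com/tax/Form_1040.lnk 200",
    "2024-07-11T09:14:05Z 10.20.30.41 GET https://quiet-forest-example.trycloudflare.com/stage/run.bat 200",
    "2024-07-11T09:14:40Z 10.20.30.41 GET https://quiet-forest-example.trycloudflare.com/python-installer.exe 200",
    "2024-07-11T09:15:00Z 10.20.30.42 GET https://www.cloudflare.com/ 200",
    "2024-07-11T09:15:10Z 10.20.30.43 GET https://nottrycloudflare.com/index.html 200",
    "2024-07-11T09:16:00Z 10.20.30.44 GET https://other-tunnel.trycloudflare.com/ 200",
]

if __name__ == "__main__":
    hits = scan_proxy_log(SAMPLE_LOG)
    for h in hits:
        print(f"{h.timestamp} {h.client} {h.reason}: {h.url}")
    print("staging per client:", payload_chain(hits))
```

Note that `nottrycloudflare.com` is not flagged: the regex requires the label before `trycloudflare.com` to end at a dot or the start of the string, which is the check a naive substring match would get wrong. The `payload_chain` view is what turns three separate alerts into one story per host, which is also the shape a detection rule for the LNK-to-script-to-installer sequence should take.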
Finally, free access and the service’s trusted reputation have allowed threat actors to use the domain to run their campaigns. Researchers believe that if the threat actors can use automation to bypass Cloudflare bans, they can scale the operation up considerably.