Threat Actor Abuses Cloudflare Tunnels to Deliver RATs

Summary:
Proofpoint is warning of an increase in malware infections delivered through Cloudflare’s TryCloudflare, a feature that allows an actor to create a one-time tunnel without creating a Cloudflare account. Similar to a virtual private network (VPN), tunnels act as an encrypted communication channel that can be used to remotely access data and resources that are not on the local network. In this case, each TryCloudflare tunnel created will generate a random subdomain on trycloudflare[.]com. Given that the traffic to the subdomain is proxied through Cloudflare, threat actors are able to relay malicious traffic from an attacker-controlled server to a local machine with limited exposure for detection.

In the latest campaigns observed by Proofpoint, actors are taking advantage of this technique to deliver several malware families including AsyncRAT, GuLoader, PureLogs Stealer, Remcos RAT, Venom RAT, and XWorm (the most commonly deployed payload). These campaigns begin with phishing emails carrying a malicious ZIP archive that contains a URL shortcut file; when executed, the shortcut connects to an external file share, typically a TryCloudflare-proxied WebDAV server, to download an LNK or VBS file. The LNK/VBS file in turn executes a BAT or CMD file that downloads a Python installer package and a series of Python scripts, leading to installation of the malware.

Security Officer Comments:
The abuse of TryCloudflare tunnels became popular in 2023 and has grown steadily since then within the cybercriminal community. By using temporary Cloudflare instances, threat actors have been able to scale their operations while keeping costs low. Because the malicious traffic is proxied through legitimate Cloudflare infrastructure, it is all the more challenging for defenders and traditional security controls to detect and block this activity.

Researchers have not yet attributed these campaigns to a single threat group. The volume of campaign messages has ranged from hundreds to tens of thousands, impacting dozens to thousands of organizations globally. The lure themes, written in English, French, Spanish, and German, typically pertain to business-relevant topics such as invoices, document requests, package deliveries, and taxes.

Suggested Corrections:
Since phishing serves as the initial infection vector, end users should avoid clicking on malicious links or attachments from unknown senders. Given that actors are using Python scripts for malware delivery, organizations should restrict the use of Python if it is not essential for employees' daily operations. Moreover, as threat actors increasingly use WebDAV and Server Message Block (SMB) for payload staging and delivery, organizations should limit access to external file-sharing services to only known, safelisted servers.
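The delivery chain in the summary and the safelisting advice above both point to the same detectable pattern: a workstation speaking WebDAV to a freshly generated trycloudflare[.]com subdomain, pulling a shortcut or script file from it, and then fetching a Python installer. The following is an added example, not code from the Proofpoint report or from Cloudflare, that hunts for that sequence in web-proxy logs. The log format ("client method url user-agent"), the sample lines, the tunnel subdomain, and the `SAFELISTED_SHARES` entry are all constructed for illustration; an organisation would substitute its own proxy export and its own safelist.

```python
"""Hunt web-proxy logs for the TryCloudflare/WebDAV staging pattern."""
import re
from collections import defaultdict
from typing import Dict, List, NamedTuple, Set
from urllib.parse import urlsplit

# Constructed sample proxy log (hypothetical format, not from the report):
# "<client_ip> <method> <url> <user_agent>"; the user agent may contain spaces.
SAMPLE_LOG = """\
10.1.2.3 PROPFIND https://quiet-salad-demo-host.trycloudflare.com/share/ Microsoft-WebDAV-MiniRedir/10.0.19045
10.1.2.3 GET https://quiet-salad-demo-host.trycloudflare.com/share/invoice.lnk Microsoft-WebDAV-MiniRedir/10.0.19045
10.1.2.3 GET https://quiet-salad-demo-host.trycloudflare.com/share/setup.bat Microsoft-WebDAV-MiniRedir/10.0.19045
10.1.2.3 GET https://www.python.org/ftp/python/3.12.4/python-3.12.4-amd64.exe curl/8.4.0
10.1.2.9 GET https://files.corp.example/reports/q2.pdf Mozilla/5.0
10.1.2.9 GET https://www.python.org/ftp/python/3.12.4/python-3.12.4-amd64.exe Mozilla/5.0
"""

# Assumed safelist of approved external file-sharing hosts (constructed value).
SAFELISTED_SHARES: Set[str] = {"files.corp.example"}

# A TryCloudflare quick tunnel is a single random label directly under trycloudflare.com.
QUICK_TUNNEL_RE = re.compile(r"^[a-z0-9-]+\.trycloudflare\.com$", re.IGNORECASE)
# Shortcut/script types seen in the chain described above.
SCRIPT_EXTS = (".lnk", ".vbs", ".bat", ".cmd", ".url")
PY_INSTALLER_RE = re.compile(r"python-3\.\d+\.\d+(-amd64)?\.exe$", re.IGNORECASE)
WEBDAV_METHODS = {"PROPFIND", "PROPPATCH", "MKCOL", "OPTIONS"}


class Event(NamedTuple):
    client: str
    method: str
    host: str
    path: str
    user_agent: str


def parse_log(text: str) -> List[Event]:
    """Parse the hypothetical four-field log format into Event records."""
    events: List[Event] = []
    for line in text.splitlines():
        parts = line.split(" ", 3)
        if len(parts) < 4:
            continue  # skip malformed lines rather than abort the hunt
        client, method, url, user_agent = parts
        split = urlsplit(url)
        events.append(Event(client, method.upper(), split.hostname or "", split.path, user_agent))
    return events


def is_quick_tunnel(host: str) -> bool:
    """True only for <label>.trycloudflare.com, not for look-alike domains."""
    return bool(QUICK_TUNNEL_RE.match(host))


def is_webdav(ev: Event) -> bool:
    """WebDAV is identified by method or by the Windows MiniRedir user agent."""
    return ev.method in WEBDAV_METHODS or "WebDAV" in ev.user_agent


def analyse(events: List[Event]) -> Dict[str, List[str]]:
    """Return de-duplicated findings per client IP, in log order."""
    findings: Dict[str, List[str]] = defaultdict(list)
    webdav_clients: Set[str] = set()

    def add(client: str, finding: str) -> None:
        if finding not in findings[client]:
            findings[client].append(finding)

    for ev in events:
        external = ev.host not in SAFELISTED_SHARES
        if is_webdav(ev) and external:
            webdav_clients.add(ev.client)
            tag = "webdav_to_quick_tunnel" if is_quick_tunnel(ev.host) else "webdav_to_unlisted_share"
            add(ev.client, f"{tag}:{ev.host}")
        if external and ev.path.lower().endswith(SCRIPT_EXTS):
            add(ev.client, f"script_download:{ev.host}{ev.path}")
        # A Python installer fetched by a host that already used external WebDAV
        # matches the final stage of the chain; on its own it is ordinary traffic.
        if PY_INSTALLER_RE.search(ev.path) and ev.client in webdav_clients:
            add(ev.client, "python_installer_after_external_webdav")
    return dict(findings)


if __name__ == "__main__":
    for client, hits in analyse(parse_log(SAMPLE_LOG)).items():
        print(client)
        for hit in hits:
            print("   ", hit)
```

Only 10.1.2.3 is reported: its WebDAV session to the quick-tunnel host, the two script downloads, and the installer fetch that followed. The second workstation downloads the same installer but never touched an unlisted share, so it produces nothing; correlating the installer with prior WebDAV activity per client is what keeps the rule from flagging every legitimate Python install. Feeding the same `analyse` function a safelist review (hosts tagged `webdav_to_unlisted_share`) is a practical way to build the allowlist the correction above recommends.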

Link(s):
https://www.proofpoint.com/us/blog/...-actor-abuses-cloudflare-tunnels-deliver-rats