Wednesday, January 22, 2025

Bad guys abuse Cloudflare’s free tunnels to deliver malware

BENGALURU: A recent trend observed by cybersecurity firm Proofpoint highlights the increasing exploitation of Cloudflare Tunnels, specifically the “TryCloudflare” feature, for malware distribution.

The exploitation of Cloudflare Tunnels emerged in February 2024, with a marked surge in activity between May and July. The trend is particularly alarming due to the use of TryCloudflare, which enables attackers to establish temporary, one-time tunnels without needing to create an account.

This allows them to leverage the platform’s global network infrastructure for malicious purposes, effectively concealing their activities and establishing ephemeral command and control (C&C) channels.

The most prevalent malware delivered through these Cloudflare-based campaigns has been Xworm, a remote access Trojan (RAT) that grants attackers full control over compromised systems. The attack chain typically involves social engineering tactics, often employing phishing emails that entice users to open attachments or click on links.

These attachments may be internet shortcut files (.URL), which, upon execution, connect to an external file share, typically via WebDAV, to download LNK or VBS files. These files, in turn, execute BAT or CMD files responsible for downloading a Python installer package and associated scripts, ultimately leading to the installation of Xworm.

Use of Python scripts

The use of Python scripts is significant in this context. By packaging Python libraries and an executable installer alongside the scripts, attackers ensure the malware can be downloaded and executed on systems that do not have Python pre-installed.

This approach further facilitates the distribution of malware to a wider range of victims, as it bypasses the requirement of specific software pre-installation.

However, the threat actors responsible for these campaigns are not limited to Xworm delivery. They have also been observed deploying other malicious payloads, including AsyncRAT, VenomRAT, GuLoader, and Remcos, in previous campaigns.

Notably, some campaigns deliver multiple malware payloads, with different Python scripts leading to the installation of distinct malicious software. This versatility underlines the adaptability and sophistication of these actors.

To further evade detection, the threat actors have implemented various techniques, such as obfuscating their scripts and leveraging the “search-ms” protocol handler to retrieve files from WebDAV shares.

While initial campaigns exhibited minimal obfuscation and often included descriptive comments within their scripts, the actors have since incorporated obfuscation techniques, making the analysis and identification of malicious code more challenging.

In recent months Proofpoint has observed campaigns delivering Java-based malware that bundle a JAR and the Java Runtime Environment (JRE) inside a ZIP to ensure the correct software is installed before executing the downloader or dropper.

Significant challenge

The use of Cloudflare Tunnels presents a significant challenge for traditional security measures. The ephemeral nature of the tunnels and the dynamic generation of subdomains within the “trycloudflare.com” domain make it difficult for security solutions relying on static blocklists or signatures to effectively detect and mitigate these attacks.

The sheer volume of these campaigns, affecting thousands of organisations globally across various languages, further underscores the scale of the threat. The campaigns’ success hinges on effective social engineering tactics, using lures that often mimic legitimate business-related communications, such as invoices, document requests, or package deliveries.

In response to this evolving threat, organisations must adopt a proactive approach to security.

  • Restrict the use of Python: Limit access to Python to individuals whose job functions require it. This mitigates the risk of unintentional malware installation through Python packages.
  • Implement robust email security solutions: Organizations should invest in advanced email security solutions that can detect and block phishing emails and malicious attachments.
  • Educate users: User education and awareness programs are crucial to prevent social engineering attacks. Users should be trained to identify suspicious emails and attachments.
  • Monitor network traffic: Implement network monitoring solutions that can detect unusual traffic patterns and suspicious connections to Cloudflare domains.
  • Adopt a layered security approach: Utilise a combination of security controls, including endpoint protection, network segmentation, and threat intelligence, to create a multi-layered defense against malware attacks.
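
Two of the checks above, network monitoring for dynamically generated trycloudflare.com hostnames and inspection of .URL attachments that point at external WebDAV shares or the search-ms handler, as an added example that is not code from Proofpoint or from this article. The proxy log format, hostnames, the 203.0.113.5 share address and the shortcut bodies are constructed samples for illustration.

```python
import configparser
from urllib.parse import urlparse

# Constructed sample proxy log (timestamp client host path); not real telemetry.
PROXY_LOG = """\
2025-01-22T09:14:03Z 10.0.4.21 updates.example-corp.internal /patch/2025-01.msi
2025-01-22T09:15:11Z 10.0.4.21 subtle-brave-moon-prime.trycloudflare.com /files/invoice.url
2025-01-22T09:15:40Z 10.0.4.21 subtle-brave-moon-prime.trycloudflare.com /files/setup.bat
2025-01-22T09:17:02Z 10.0.4.37 www.cloudflare.com /learning/
"""

# Constructed .URL shortcut bodies (INI format), mirroring the chain the article describes.
WEBDAV_SHORTCUT = "[InternetShortcut]\nURL=file://203.0.113.5@80/DavWWWRoot/share/Invoice.lnk\n"
SEARCH_MS_SHORTCUT = "[InternetShortcut]\nURL=search-ms:query=invoice\n"
BENIGN_SHORTCUT = "[InternetShortcut]\nURL=https://intranet.example-corp.internal/portal\n"

TRYCLOUDFLARE_SUFFIX = ".trycloudflare.com"
# File types the article names for the staged download chain.
STAGE_EXTENSIONS = (".url", ".lnk", ".vbs", ".bat", ".cmd", ".zip", ".py")

def suspicious_proxy_events(log_text):
    """Return (client, host, path, is_stage_file) for every request to a
    trycloudflare.com subdomain; matching on the suffix catches the dynamically
    generated hostnames that a static blocklist of exact names would miss."""
    hits = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 4:
            continue  # skip malformed lines rather than crash on them
        _ts, client, host, path = fields
        if host.lower().endswith(TRYCLOUDFLARE_SUFFIX):
            hits.append((client, host, path, path.lower().endswith(STAGE_EXTENSIONS)))
    return hits

def classify_url_shortcut(text):
    """Classify a .URL body: 'search-ms' if it invokes the search-ms: handler,
    'external-share' if it is a file:// URL to a remote (WebDAV-style) host,
    otherwise 'benign'."""
    cp = configparser.ConfigParser(interpolation=None)  # '%' is legal in URLs
    cp.optionxform = str  # keep the 'URL' key case as written in the file
    cp.read_string(text)
    target = urlparse(cp.get("InternetShortcut", "URL", fallback=""))
    scheme = target.scheme.lower()
    if scheme == "search-ms":
        return "search-ms"
    # Use netloc, not hostname: WebDAV-style authorities like host@80 would be split at '@'.
    if scheme == "file" and target.netloc and target.netloc.lower() not in ("localhost", "127.0.0.1"):
        return "external-share"
    return "benign"
```

In production the proxy check would feed a SIEM rule keyed on the client address, since one host fetching a .url and then a .bat from the same tunnel subdomain within minutes is the sequence the article describes.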
