Connect dots

Threat Actor Abuses Cloudflare Tunnels to Deliver RATs

Share with your network!

Key findings 

  • Proofpoint has observed an increase in malware delivery via TryCloudflare Tunnel abuse. 
  • The activity is financially motivated and delivers exclusively remote access trojans (RATs).  
  • Since initial observation, the threat activity set behind the campaigns has modified tactics, techniques, and procedures in attempts to bypass detection and improve efficacy. 
  • Proofpoint does not attribute this activity to a tracked TA, but research is ongoing. 

Overview 

Proofpoint is tracking a cluster of cybercriminal threat activity leveraging Cloudflare Tunnels to deliver malware. Specifically, the activity abuses the TryCloudflare feature that allows an attacker to create a one-time tunnel without creating an account. Tunnels are a way to remotely access data and resources that are not on the local network, like using a virtual private network (VPN) or secure shell (SSH) protocol.  

First observed in February 2024, the cluster increased activity in May through July, with most campaigns leading to Xworm, a remote access trojan (RAT), in recent months.  

In most campaigns, messages contain a URL or attachment leading to an internet shortcut (.URL) file. When executed, it establishes a connection to an external file share, typically via WebDAV, to download an LNK or VBS file. When executed, the LNK/VBS executes a BAT or CMD file that downloads a Python installer package and a series of Python scripts leading to malware installation. In some cases, file staging leverages the search-ms protocol handler to retrieve the LNK from a WebDAV share. Typically in campaigns, a benign PDF is displayed to the user to appear legitimate.   

In June and July, nearly all observed campaigns delivered Xworm, but previous campaigns also delivered AsyncRAT, VenomRAT, GuLoader, and Remcos. Some campaigns will lead to multiple different malware payloads, with each unique Python script leading to the installation of a different malware. 

Malware observed in related campaigns leveraging “trycloudflare” tunnels.  

Malware observed in related campaigns leveraging “trycloudflare” tunnels.  

Campaign message volumes range from hundreds to tens of thousands of messages impacting dozens to thousands of organizations globally. In addition to English, researchers observed French, Spanish, and German language lures. Xworm, AsyncRAT, and VenomRAT campaigns are often higher volume than campaigns delivering Remcos or GuLoader. Lure themes vary, but typically include business-relevant topics like invoices, document requests, package deliveries, and taxes.  

While the tactics, techniques and procedures (TTPs) of the campaigns remain consistent, the threat actor does appear to modify different parts of the attack chain to increase sophistication and defense evasion. For example, initial campaigns used little to no obfuscation in their helper scripts. The scripts often included detailed comments about the functionality of the code. However, this changed in June when the threat actors began to incorporate obfuscation in their code. 

Helper script without obfuscation (May 2024 campaign example).

Helper script without obfuscation (May 2024 campaign example). 

Helper script with obfuscation (June 2024 campaign example).  

Helper script with obfuscation (June 2024 campaign example).

Threat actor abuse of TryCloudflare tunnels became popular in 2023 and appears to be increasing among cybercriminal threat actors. Each use of TryCloudflare Tunnels will generate a random subdomain on trycloudflare[.]com, for example ride-fatal-italic-information[.]trycloudflare[.]com. Traffic to the subdomains is proxied through Cloudflare to the operators’ local server. 

Campaign examples 

AsyncRAT / Xworm Campaign 28 May 2024 

Proofpoint observed a campaign on 28 May 2024 delivering AsyncRAT and Xworm. In this campaign, tax-themed messages contained URLs leading to a zipped .URL file. The campaign targeted organizations in law and finance and included less than 50 total messages. 

Figure: 28 May 2024 email lure using 2023 tax themes.

28 May 2024 email lure using 2023 tax themes.  

The .URL file pointed to a remote .LNK file. If executed, it led to a CMD helper script which called PowerShell to download a zipped Python package and Python scripts. The Python package and scripts led to the installation of AsyncRAT and Xworm. 

28 May 2024 Attack Chain

28 May 2024 attack chain  

AsyncRAT / Xworm Campaign 11 July 2024 

Researchers observed another campaign leveraging Cloudflare tunnels to distribute AsyncRAT and Xworm on 11 July 2024. This campaign included over 1,500 messages targeting organizations in finance, manufacturing, technology and others. 

July 11 lure using order invoicing themes.

July 11 lure using order invoicing themes. 

Interestingly, in this campaign messages contained HTML attachments with a search-ms query which pointed to a LNK file. If executed, it led to an obfuscated BAT file which invoked PowerShell to download a Python installer package and scripts to run AsyncRAT and Xworm. 

11 July 2024 attack chain.

11 July 2024 attack chain. 

Attribution 

Based on the tactics, techniques and procedures (TTPs) observed in campaigns, Proofpoint assesses they can be attributed to one cluster of related activity. Researchers have not attributed a specific threat actor to this activity, but research is ongoing.  

Why it matters  

The use of Cloudflare tunnels provide the threat actors a way to use temporary infrastructure to scale their operations providing flexibility to build and take down instances in a timely manner. This makes it harder for defenders and traditional security measures such as relying on static blocklists. Temporary Cloudflare instances allow attackers a low-cost method to stage attacks with helper scripts, with limited exposure for detection and takedown efforts. 

Attackers’ use of Python scripts for malware delivery is notable. Packaging Python libraries and an executable installer alongside the Python scripts ensures the malware can be downloaded and run on hosts that did not previously have Python installed. Organizations should restrict the use of Python if it is not required for individuals’ job functions. This is not the first-time researchers have observed software packages delivered alongside malware files. In recent months Proofpoint has observed campaigns delivering Java-based malware that bundle a JAR and the Java Runtime Environment (JRE) inside a ZIP to ensure the correct software is installed before executing the downloader or dropper. 

The attack chain requires significant victim interaction in order to detonate the final payload, including clicking on the malicious link, double clicking on multiple files such as the LNK or VBS files, and unzipping compressed scripts. This gives the recipient multiple opportunities to identify suspicious activity and disrupt the attack chain before successful execution.  

Threat actors are increasingly using WebDAV and Server Message Block (SMB) for payload staging and delivery as the cybercriminal ecosystem continues to experiment with different TTPs. Organizations should restrict access to external file sharing services to only known, safelisted servers.  

Emerging Threats signatures 

The Emerging Threats ruleset contains detections for the malware identified in these campaigns. 

Examples: 

2853193 | ETPRO MALWARE Win32/Xworm V3 CnC Command – PING Outbound 

2852870 | ETPRO MALWARE Win32/Xworm CnC Checkin – Generic Prefix Bytes 

2852923 | ETPRO MALWARE Win32/Xworm CnC Checkin – Generic Prefix Bytes (Client) 

2855924 | ETPRO MALWARE Win32/Xworm V3 CnC Command – PING Outbound 

2857507 | ETPRO ATTACK_RESPONSE Suspicious HTML Serving Abused URL Linking Method Observed 

Example Indicators of Compromise 

Indicator 

Description 

First Observed 

spectrum-exactly-knitting-rural[.]trycloudflare[.]com 

Trycloudflare Host 

May 2024 

53c32ea384894526992d010c0c49ffe250d600b9b4472cce86bbd0249f88eada 

.URL SHA256 

May 2024 

a79fbad625a5254d4f7f39461c2d687a1937f3f83e184bd62670944462b054f7 

LNK SHA256 

May 2024 

0f1118b30b2da0b6e82f95d9bbf87101d8298a85287f4de58c9655eb8fecd3c6 

CMD SHA256 

May 2024 

157[.]20[.]182[.]172 

Xworm C2 IP 

May 2024 

dcxwq1[.]duckdns[.]org 

AsyncRAT C2 

May 2024 

a40f194870b54aeb102089108ecf18b3af9b449066a240f0077ff4edbb556e81 

HTML SHA256 

July 2024 

3867de6fc23b11b3122252dcebf81886c25dba4e636dd1a3afed74f937c3b998 

LNK SHA256 

July 2024 

ride-fatal-italic-information[.]trycloudflare[.]com 

Trycloudflare Host 

July 2024 

0fccf3d1fb38fa337baf707056f97ef011def859901bb922a4d0a1f25745e64f 

BAT SHA256 

July 2024 

todfg[.]duckdns[.]org 

AsyncRAT C2 

July 2024 

welxwrm[.]duckdns[.]org 

Xworm C2 

July 2024 

xwor3july[.]duckdns[.]org 

Xworm C2 

July 2024