Threat Actor Abuses Cloudflare Tunnels to Deliver RATs

Aug. 1, 2024, 11:02 a.m.

Description

Proofpoint is tracking a cluster of cybercriminal threat activity leveraging Cloudflare Tunnels to deliver malware, particularly remote access trojans (RATs) like Xworm, AsyncRAT, VenomRAT, GuLoader, and Remcos. The campaigns employ various techniques, such as using URL files to establish connections and download malicious components like LNK, VBS, BAT, CMD, and Python scripts leading to malware installation. While the tactics remain consistent, the threat actor modifies parts of the attack chain to enhance sophistication and evade defenses. The use of Cloudflare tunnels provides a flexible and low-cost method for staging attacks, making detection and takedown efforts more challenging.

External References

https://www.proofpoint.com/us/blog/threat-insight/threat-actor-abuses-cloudflare-tunnels-deliver-rats
https://otx.alienvault.com/pulse/66ab6978fa27d9966980285e
Tags
xworm
remcos
asyncrat
venomrat
guloader
rats
webdav
cloudflare
2024-08-01

Date

  • Created: Aug. 1, 2024, 10:54 a.m.
  • Published: Aug. 1, 2024, 10:54 a.m.
  • Modified: Aug. 1, 2024, 11:02 a.m.

Indicators

  • a79fbad625a5254d4f7f39461c2d687a1937f3f83e184bd62670944462b054f7
  • a40f194870b54aeb102089108ecf18b3af9b449066a240f0077ff4edbb556e81
  • 53c32ea384894526992d010c0c49ffe250d600b9b4472cce86bbd0249f88eada
  • 3867de6fc23b11b3122252dcebf81886c25dba4e636dd1a3afed74f937c3b998
  • 0fccf3d1fb38fa337baf707056f97ef011def859901bb922a4d0a1f25745e64f
  • 0f1118b30b2da0b6e82f95d9bbf87101d8298a85287f4de58c9655eb8fecd3c6
  • 157.20.182.172
  • xwor3july.duckdns.org
  • welxwrm.duckdns.org
  • todfg.duckdns.org
  • spectrum-exactly-knitting-rural.trycloudflare.com
  • ride-fatal-italic-information.trycloudflare.com
  • dcxwq1.duckdns.org
Download all indicators here!

Attack Patterns

  • VenomRAT
  • Remcos
  • XWorm
  • GuLoader - S0561
  • AsyncRAT