Threat Actor Abuses Cloudflare Tunnels to Deliver RATs
Aug. 1, 2024, 11:02 a.m.
Description
Proofpoint is tracking a cluster of cybercriminal threat activity leveraging Cloudflare Tunnels to deliver malware, particularly remote access trojans (RATs) like Xworm, AsyncRAT, VenomRAT, GuLoader, and Remcos. The campaigns employ various techniques, such as using URL files to establish connections and download malicious components like LNK, VBS, BAT, CMD, and Python scripts that lead to malware installation. While the tactics remain consistent, the threat actor modifies parts of the attack chain to increase sophistication and evade defenses. The use of Cloudflare Tunnels provides a flexible, low-cost method for staging attacks, making detection and takedown efforts more challenging.
Date
Published: Aug. 1, 2024, 10:54 a.m.
Created: Aug. 1, 2024, 10:54 a.m.
Modified: Aug. 1, 2024, 11:02 a.m.
Indicators
File hashes (SHA-256):
a79fbad625a5254d4f7f39461c2d687a1937f3f83e184bd62670944462b054f7
a40f194870b54aeb102089108ecf18b3af9b449066a240f0077ff4edbb556e81
53c32ea384894526992d010c0c49ffe250d600b9b4472cce86bbd0249f88eada
3867de6fc23b11b3122252dcebf81886c25dba4e636dd1a3afed74f937c3b998
0fccf3d1fb38fa337baf707056f97ef011def859901bb922a4d0a1f25745e64f
0f1118b30b2da0b6e82f95d9bbf87101d8298a85287f4de58c9655eb8fecd3c6
IP address:
157.20.182.172
Domains:
xwor3july.duckdns.org
welxwrm.duckdns.org
todfg.duckdns.org
dcxwq1.duckdns.org
spectrum-exactly-knitting-rural.trycloudflare.com
ride-fatal-italic-information.trycloudflare.com
Attack Patterns
Malware / tools:
VenomRAT
Remcos
XWorm
GuLoader - S0561
AsyncRAT
MITRE ATT&CK techniques:
T1086 - PowerShell (deprecated; now T1059.001)
T1528 - Steal Application Access Token
T1193 - Spearphishing Attachment (deprecated; now T1566.001)
T1608 - Stage Capabilities
T1064 - Scripting (deprecated; now T1059)
T1583 - Acquire Infrastructure
T1489 - Service Stop
T1574 - Hijack Execution Flow
T1547 - Boot or Logon Autostart Execution
T1082 - System Information Discovery
T1105 - Ingress Tool Transfer
T1083 - File and Directory Discovery
T1071 - Application Layer Protocol
T1055 - Process Injection
T1204 - User Execution
T1027 - Obfuscated Files or Information
T1566 - Phishing
T1090 - Proxy
T1059 - Command and Scripting Interpreter