Attackers leverage Cloudflare tunnels to obscure malware distribution
August 2, 2024 – Published on CSO Online
Cybercriminals regularly abuse free services to host malware or to set up command-and-control (C2) infrastructure because they know connections to such services won’t raise suspicion inside networks. Such is the case with TryCloudflare.com, which was recently abused in a widespread campaign to deliver remote access trojans (RATs).
TryCloudflare is a tunneling feature that enables users to proxy traffic through Cloudflare’s content delivery network. The recent campaigns, independently observed this year and reported this week by researchers, involved phishing emails that resulted in the download of multiple malware families, including XWorm, VenomRAT, PureLogs Stealer, AsyncRAT, GuLoader and Remcos.
Attackers behind the reported campaigns set up a server using WebDAV, a file-sharing protocol that works over HTTP and that Windows can access natively, much like an SMB network share. They use this server to host payloads and set up TryCloudflare to proxy traffic to it via a unique trycloudflare.com URL.
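As an added example (not code from the article or from the researchers it cites), the following routine scans proxy log lines for the combination described above: a Windows WebDAV client (the Mini-Redirector user agent, or WebDAV methods such as PROPFIND) reaching a host under trycloudflare.com. The log format, hostnames and sample lines are constructed for illustration; adapt the parser to your own proxy's format.

```python
import re
from typing import Dict, List, Optional

# Constructed log format: timestamp src_ip method host path "user_agent"
# These sample lines are made up for the example; real proxy logs differ.
LOG_LINES = [
    '2024-08-02T10:01:05Z 10.0.0.15 GET www.example.com /index.html "Mozilla/5.0"',
    '2024-08-02T10:02:11Z 10.0.0.22 PROPFIND quiet-river-fox.trycloudflare.com /share/ "Microsoft-WebDAV-MiniRedir/10.0.19041"',
    '2024-08-02T10:02:13Z 10.0.0.22 GET quiet-river-fox.trycloudflare.com /share/doc "Microsoft-WebDAV-MiniRedir/10.0.19041"',
    '2024-08-02T10:03:40Z 10.0.0.31 GET demo-app.trycloudflare.com /api/status "Mozilla/5.0"',
]

LINE_RE = re.compile(
    r'^(?P<ts>\S+) (?P<src>\S+) (?P<method>\S+) (?P<host>\S+) (?P<path>\S+) "(?P<ua>[^"]*)"$'
)
# Matches trycloudflare.com itself and any subdomain of it.
TUNNEL_RE = re.compile(r'(^|\.)trycloudflare\.com$', re.IGNORECASE)
# HTTP methods that only a WebDAV client would issue.
WEBDAV_METHODS = {"PROPFIND", "PROPPATCH", "MKCOL", "LOCK", "UNLOCK", "MOVE", "COPY"}
# User agent of the built-in Windows WebDAV client (Mini-Redirector).
WINDOWS_WEBDAV_UA = "Microsoft-WebDAV-MiniRedir"


def parse_line(line: str) -> Dict[str, str]:
    m = LINE_RE.match(line)
    if not m:
        raise ValueError(f"unparseable log line: {line!r}")
    return m.groupdict()


def classify(entry: Dict[str, str]) -> Optional[str]:
    """Severity for one entry: 'high' for WebDAV over a TryCloudflare host,
    'medium' for any other TryCloudflare traffic, None otherwise."""
    tunnel = bool(TUNNEL_RE.search(entry["host"]))
    webdav = (entry["method"].upper() in WEBDAV_METHODS
              or entry["ua"].startswith(WINDOWS_WEBDAV_UA))
    if tunnel and webdav:
        return "high"
    if tunnel:
        return "medium"
    return None


def find_suspicious(lines: List[str]) -> List[Dict[str, str]]:
    hits = []
    for line in lines:
        entry = parse_line(line)
        severity = classify(entry)
        if severity:
            hits.append({"src": entry["src"], "host": entry["host"],
                         "method": entry["method"], "severity": severity})
    return hits


if __name__ == "__main__":
    for hit in find_suspicious(LOG_LINES):
        print(hit)
```

A "medium" hit alone may be legitimate developer use of TryCloudflare; the "high" combination with a Windows WebDAV client is the pattern worth an analyst's attention.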
This is not the first time attackers have used Cloudflare tunnels maliciously. Last year, researchers from GuidePoint Security reported investigating multiple incidents where attackers set up Cloudflare tunnels on infected machines to maintain remote access to those systems and networks without being detected.