Cybercriminals increasingly leverage the TryCloudflare Tunnel to deliver Remote Access Trojans (RATs) in financially motivated attacks. TryCloudflare is a tool for developers to experiment with Cloudflare Tunnel without adding a site to Cloudflare’s DNS.
Threat actors continually refine tactics to evade detection and enhance campaign efficacy, complicating attribution and necessitating ongoing analysis.
They exploit Cloudflare Tunnels’ TryCloudflare feature to distribute malware, primarily Xworm RAT. By leveraging the service’s temporary nature, attackers create an ephemeral infrastructure for delivering payloads, bypassing traditional security controls.
It was initiated in February 2024 and intensified in recent months, posing a significant threat due to its rapid deployment and evasion capabilities.
How to Build a Security Framework With Limited Resources IT Security Team (PDF) - Free Guide
Recent campaigns deliver malware through URL links or attachments, leveraging internet shortcuts to download LNK or VBS files from WebDAV shares, which subsequently execute BAT or CMD scripts, fetching Python installers and scripts to install malware like Xworm, AsyncRAT, VenomRAT, GuLoader, or Remcos.
.webp "Hackers Abuse TryCloudflare Service To Bypass Detection & Deliver Malware 2")
Some campaigns employ a search-ms protocol handler for LNK retrieval and often disguise malicious activity with benign PDFs.
While Xworm dominates current campaigns, the versatile delivery method allows for diverse malware payloads, with individual Python scripts potentially installing different threats.
A threat actor is conducting high-volume email campaigns targeting global organizations with lures in multiple languages by delivering various Remote Access Trojans (RATs) like Xworm, AsyncRAT, and VenomRAT, often exceeding the volume of Remcos and GuLoader campaigns.
While leveraging consistent TTPs, the actor dynamically adapts the attack chain, including the recent obfuscation of helper scripts, to evade defenses and maintain operational security, indicating a sophisticated and persistent threat.
.webp "Hackers Abuse TryCloudflare Service To Bypass Detection & Deliver Malware 3")
Cybercriminals increasingly abuse TryCloudflare tunnels to host malicious infrastructure, which generates random subdomains on trycloudflare.com, routing traffic through Cloudflare to the attacker’s local server, evading traditional security measures and complicating threat detection.
On May 28, 2024, a targeted email campaign using tax-themed lures delivered AsyncRAT and Xworm malware to law and finance firms. The malicious emails contained URLs linking to zipped URL files, which in turn pointed to remote.LNK files.
Executing these files triggered a PowerShell script to download a Python package and scripts, which installed AsyncRAT and Xworm, providing attackers with remote system access and data exfiltration capabilities.
.webp "Hackers Abuse TryCloudflare Service To Bypass Detection & Deliver Malware 4")
According to Proofpoint, on July 11, 2024, a cyberattack campaign targeting finance, manufacturing, and technology sectors leveraged Cloudflare tunnels to distribute AsyncRAT and Xworm malware.
Over 1,500 emails, themed as order invoices, contained HTML attachments with a search-ms query linking to a malicious LNK file.
Executing this file triggered an obfuscated BAT script that downloaded a Python installer package, ultimately installing AsyncRAT and Xworm via PowerShell.
Are you from SOC and DFIR Teams? – Analyse Malware Incidents & get live Access with ANY.RUN -> Free Access