The state-sponsored cyber threat group BlueAlpha has been active since at least 2014 and has recently upgraded its malware delivery system to leverage Cloudflare Tunnels to stage GammaDrop malware.
BlueAlpha has been observed employing spear phishing to distribute malicious HTML smuggling files that execute the GammaDrop and GammaLoad malware variants.
HTML smuggling allows malware to be delivered via embedded JavaScript in HTML attachments. BlueAlpha has improved this technique by making subtle changes to evade detection.
BlueAlpha's use of fast-flux domain name system (DNS) techniques in the GammaLoad command-and-control (C2) infrastructure complicates tracking and disruption of its C2 communication, helping the group maintain access to compromised networks.
With relatively minor changes to tooling and infrastructure, this campaign has been running since at least early 2024 and has largely maintained its tactics, techniques, and procedures (TTPs).
BlueAlpha Abusing Cloudflare Tunneling Service
Cloudflare provides the tunneling service for free via the TryCloudflare tool. Anyone can use the tool to construct a tunnel using a randomly generated trycloudflare.com subdomain, and all queries to that subdomain will be proxied to the web server on that host via the Cloudflare network.
BlueAlpha uses this to hide the staging infrastructure used to deliver GammaDrop. "BlueAlpha has leveraged Cloudflare Tunnels as part of its GammaDrop staging infrastructure, allowing it to effectively evade traditional network detection mechanisms and further complicate efforts to identify and block its activities," Recorded Future's Insikt Group shared with Cyber Security News.
The malware suite used by BlueAlpha is essential to its campaigns:
GammaDrop: A dropper that writes GammaLoad to disk and establishes persistence.
GammaLoad: A custom loader capable of beaconing to its C2 and running additional malware.
GammaLoad is a custom VBScript malware that BlueAlpha has been delivering since at least October 2023. It allows credential theft, data exfiltration, and persistent access to targeted networks.
According to researchers, BlueAlpha complicates investigation by using obfuscation tactics such as large amounts of junk code and random variable names.
BlueAlpha is a state-sponsored cyber threat organization that operates under the direction of the Russian Federal Security Service (FSB). It overlaps with the previously reported groups Gamaredon, Shuckworm, Hive0051, and UNC530.
Since at least 2014, BlueAlpha has been actively distributing custom malware by targeting Ukrainian enterprises with persistent spear phishing attacks.
Mitigation
- Implement tools to examine and prevent HTML smuggling. Attachments with suspicious HTML events, such as onerror, should be flagged.
- Put application control rules in place to prevent malicious use of untrusted .lnk files and mshta.exe.
- Create rules to identify unauthorized DNS-over-HTTPS (DoH) connections and queries to trycloudflare.com subdomains.
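As an added illustration of the first and third mitigations (example code written for this page, not part of the original article or Recorded Future's research), the following Python scores an HTML attachment for the combination of traits that characterises HTML smuggling and filters DNS query logs for trycloudflare.com subdomains. The HTML snippet and log lines are constructed samples, not real BlueAlpha artifacts, and the log format is an assumed "timestamp client qname" layout.

```python
import re
from typing import Dict, List

# Constructed HTML attachment sample (hypothetical, not a real lure): an inline
# onerror handler that decodes base64 in the browser and forces a download.
SAMPLE_HTML = """<html><body>
<img src="x" onerror="var b=atob('QUJD');var f=new Blob([b]);
var u=URL.createObjectURL(f);var a=document.createElement('a');
a.href=u;a.download='invoice.htm';a.click();">
</body></html>"""

# Constructed DNS query log lines (hypothetical) in "timestamp client qname" form.
SAMPLE_DNS_LOG = """2024-05-01T10:00:01Z 10.0.0.12 updates.example.com
2024-05-01T10:00:03Z 10.0.0.12 quiet-wolf-bridge.trycloudflare.com
2024-05-01T10:00:05Z 10.0.0.19 trycloudflare.com.evil.example
2024-05-01T10:00:07Z 10.0.0.19 mail.example.com"""

# Traits that together characterise HTML smuggling: an HTML event handler that
# runs script, in-browser base64 decoding, Blob creation and a forced download.
SMUGGLING_INDICATORS = {
    "event_handler": re.compile(r"\bon(error|load|click)\s*=", re.I),
    "base64_decode": re.compile(r"\batob\s*\(", re.I),
    "blob_creation": re.compile(r"\bnew\s+Blob\s*\(|msSaveOrOpenBlob", re.I),
    "forced_download": re.compile(r"\.download\s*=|createObjectURL", re.I),
}

def score_html_attachment(html: str) -> Dict[str, object]:
    """Return the matched indicators; two or more together warrant quarantine."""
    hits = [name for name, rx in SMUGGLING_INDICATORS.items() if rx.search(html)]
    return {"indicators": hits, "suspicious": len(hits) >= 2}

# Match only a direct subdomain of the real trycloudflare.com zone, anchored at
# the end so look-alike names such as trycloudflare.com.evil.example do not match.
TRYCLOUDFLARE = re.compile(r"^[a-z0-9-]+\.trycloudflare\.com$", re.I)

def flag_trycloudflare_queries(log: str) -> List[str]:
    """Return the log lines whose queried name is a trycloudflare.com subdomain."""
    flagged = []
    for line in log.splitlines():
        parts = line.split()
        if len(parts) == 3 and TRYCLOUDFLARE.match(parts[2]):
            flagged.append(line)
    return flagged

if __name__ == "__main__":
    print(score_html_attachment(SAMPLE_HTML))
    print(flag_trycloudflare_queries(SAMPLE_DNS_LOG))
```

Benign HTML mail rarely combines an event handler with atob, Blob and a forced download, so the two-indicator threshold keeps false positives low while still catching minor variations of the technique.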
To avoid these complex threats, organizations must maintain vigilance and make investments in cutting-edge detection and response capabilities.