Categories: CyberSecurityNews

Threat Actors Abusing Cloudflare Workers Service To Deliver Weaponized Application


CERT-UA has uncovered an attack campaign that leverages Cloudflare's Workers service to distribute a malicious application disguised as legitimate software.

The Computer Emergency Response Team of Ukraine (CERT-UA) reported on December 17, 2024, that several web resources imitating the official “Army+” application page were detected, all published using Cloudflare Workers.

The malicious websites prompt unsuspecting users to download an executable file named “ArmyPlusInstaller-v.0.10.23722.exe,” though the filename may vary.

On analysis, the file turned out to be an NSIS (Nullsoft Scriptable Install System) installer that bundles a decoy .NET file, Python interpreter files, Tor program files, and a PowerShell script named "init.ps1".


When executed, the installer launches a decoy file alongside the PowerShell script, which performs several malicious actions:

  1. Installs an OpenSSH server on the victim’s computer.
  2. Generates an RSA key pair.
  3. Adds a public key to the “authorized_keys” file for authentication.
  4. Sends the private key to the attackers’ server (a Tor address) using curl.
  5. Publishes a hidden SSH service using Tor.

Together these steps create a covert backdoor: the attackers hold the private key matching the entry written to authorized_keys, so they can log in over SSH without a password, and because sshd is reached as a Tor hidden service, no inbound port has to be opened through the victim's firewall or NAT for them to connect.
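As an added example (not CERT-UA's or the threat actor's code), the following Python triage helper checks the two host artifacts that this backdoor leaves behind and that an incident responder would collect from a suspected machine: the OpenSSH authorized_keys file (for administrators on Windows this is %ProgramData%\ssh\administrators_authorized_keys, for other users %USERPROFILE%\.ssh\authorized_keys) for keys outside an allowlist, and the torrc for a HiddenServicePort line that exposes port 22. All inputs are constructed samples; the key blobs are placeholders rather than real keys, and the allowlist of "known" fingerprints is assumed.

```python
"""Audit collected host artifacts for the SSH-over-Tor backdoor pattern.

Added example for this page (not CERT-UA's or the attackers' code). It checks
two artifacts an analyst would collect from a Windows host:
  * the OpenSSH authorized_keys file (for admin users this is
    %ProgramData%\\ssh\\administrators_authorized_keys; otherwise
    %USERPROFILE%\\.ssh\\authorized_keys) for keys not on an allowlist, and
  * a torrc for a HiddenServicePort line that exposes port 22.
All sample data below is constructed; the key blobs are not real keys.
"""
import base64
import hashlib

# Constructed stand-ins for key blobs (base64 so the parser treats them as real).
KNOWN_BLOB = base64.b64encode(b"constructed known jump-host key blob").decode()
ROGUE_BLOB = base64.b64encode(b"constructed attacker-generated key blob").decode()

# Constructed administrators_authorized_keys: one provisioned key, one rogue key
# with no comment, as a key appended by a script would typically look.
SAMPLE_AUTHORIZED_KEYS = f"""# ops jump host key, provisioned by IT
ssh-ed25519 {KNOWN_BLOB} ops@jumphost
ssh-rsa {ROGUE_BLOB}
"""

# Constructed torrc publishing the local sshd as a hidden service.
SAMPLE_TORRC = """SocksPort 0
HiddenServiceDir C:\\Users\\victim\\AppData\\Local\\tor\\hs
HiddenServicePort 22 127.0.0.1:22
"""

KEY_TYPE_PREFIXES = ("ssh-rsa", "ssh-ed25519", "ssh-dss", "ecdsa-sha2-", "sk-")


def fingerprint(blob_b64):
    """OpenSSH-style SHA256 fingerprint: unpadded base64 of sha256(decoded blob)."""
    digest = hashlib.sha256(base64.b64decode(blob_b64)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def parse_authorized_keys(text):
    """Return one dict per key line; any options before the key type are skipped."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        tokens = line.split()
        idx = next((i for i, t in enumerate(tokens) if t.startswith(KEY_TYPE_PREFIXES)), None)
        if idx is None or idx + 1 >= len(tokens):
            continue  # malformed line; sshd ignores these too
        entries.append({
            "line": lineno,
            "type": tokens[idx],
            "fingerprint": fingerprint(tokens[idx + 1]),
            "comment": " ".join(tokens[idx + 2:]),
        })
    return entries


def parse_torrc_hidden_services(text):
    """Return (virtual_port, target_host, target_port) for each HiddenServicePort.

    Tor's target defaults to 127.0.0.1:<virtual_port> and may be given as
    either a bare port or host:port.
    """
    services = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        fields = line.split()
        if len(fields) < 2 or fields[0].lower() != "hiddenserviceport":
            continue
        virt = int(fields[1])
        if len(fields) < 3:
            host, port = "127.0.0.1", virt
        elif ":" in fields[2]:
            host, port_text = fields[2].rsplit(":", 1)
            port = int(port_text)
        else:
            host, port = "127.0.0.1", int(fields[2])
        services.append((virt, host, port))
    return services


def audit(authorized_keys_text, torrc_text, allowed_fingerprints):
    """Flag keys outside the allowlist and any hidden service that reaches SSH."""
    findings = []
    for entry in parse_authorized_keys(authorized_keys_text):
        if entry["fingerprint"] not in allowed_fingerprints:
            findings.append({"kind": "rogue_key", **entry})
    for virt, host, port in parse_torrc_hidden_services(torrc_text):
        if port == 22 or virt == 22:
            findings.append({"kind": "tor_ssh_hidden_service",
                             "virtual_port": virt, "target": (host, port)})
    return findings


if __name__ == "__main__":
    allowlist = {fingerprint(KNOWN_BLOB)}  # fingerprints IT has provisioned
    for finding in audit(SAMPLE_AUTHORIZED_KEYS, SAMPLE_TORRC, allowlist):
        print(finding)
```

Matching on the SHA256 fingerprint rather than on the raw blob lets the allowlist be built from the output of `ssh-keygen -lf` on the keys IT actually provisioned, and a hit on both checks at once (a rogue key plus a hidden service forwarding to 22) is the combination that distinguishes this backdoor from a merely misconfigured sshd.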

CERT-UA has attributed this campaign to the threat actor known as UAC-0125, which they believe is associated with the notorious UAC-0002 cluster, also known as APT44 or Sandworm.

This Russian state-sponsored group has a history of targeting Ukrainian critical infrastructure and government entities.

The abuse of Cloudflare Workers for malicious purposes is part of a growing trend. Fortra, a cybersecurity firm, reported a 104% increase in phishing attacks leveraging Cloudflare Workers in 2024 compared to the previous year.

Threat actors exploit the platform's strong reputation and trusted branding: pages served from Cloudflare's own domains inherit its reputation and valid TLS certificates, which makes convincing phishing pages easy to build and harder for reputation-based filtering to block. This latest campaign represents an evolution in the tactics employed by UAC-0125.

Earlier in 2024, the group primarily used trojanized Microsoft Office documents as the initial attack vector, with embedded components that executed malicious PowerShell commands.

The discovery of this campaign underscores the need for heightened vigilance when downloading applications, even from pages that look legitimate or are served from a trusted platform such as Cloudflare Workers.

Organizations and individuals are advised to implement robust security measures, including multi-factor authentication, regular system updates, and employee training on identifying phishing attempts.

As threat actors continue to innovate and exploit trusted platforms, the cybersecurity community must remain vigilant and adaptive in their defense strategies to protect against these evolving threats.

