Threat Actors Abusing Cloudflare Workers Service To Deliver Weaponized Application

A sophisticated attack campaign leveraging Cloudflare’s Workers service to distribute malicious applications disguised as legitimate software.

The Computer Emergency Response Team of Ukraine (CERT-UA) reported on December 17, 2024, that several web resources imitating the official “Army+” application page were detected, all published using Cloudflare Workers.

The malicious websites prompt unsuspecting users to download an executable file named “ArmyPlusInstaller-v.0.10.23722.exe,” though the filename may vary.

Upon investigation, this file was revealed to be an NSIS (Nullsoft Scriptable Install System) installer containing a decoy .NET file, Python interpreter files, Tor program files, and a PowerShell script named “init.ps1”.

Free Webinar on Best Practices for API vulnerability & Penetration Testing:  Free Registration

When executed, the installer launches a decoy file alongside the PowerShell script, which performs several malicious actions:

1. Installs an OpenSSH server on the victim’s computer.
2. Generates an RSA key pair.
3. Adds a public key to the “authorized_keys” file for authentication.
4. Sends the private key to the attackers’ server (a Tor address) using curl.
5. Publishes a hidden SSH service using Tor.

This sophisticated setup creates a covert backdoor, allowing attackers to access the compromised system remotely.

CERT-UA has attributed this campaign to the threat actor known as UAC-0125, which they believe is associated with the notorious UAC-0002 cluster, also known as APT44 or Sandworm.

This Russian state-sponsored group has a history of targeting Ukrainian critical infrastructure and government entities.

The abuse of Cloudflare Workers for malicious purposes is part of a growing trend. Fortra, a cybersecurity firm, reported a 104% increase in phishing attacks leveraging Cloudflare Workers in 2024 compared to the previous year.

Threat actors are exploiting the platform’s strong reputation and trusted branding to create convincing phishing pages and bypass security controls. This latest campaign represents an evolution in the tactics employed by UAC-0125.

Earlier in 2024, the group primarily used compromised Microsoft Office files as the initial attack vector, containing trojanized components that would execute malicious PowerShell commands.

The discovery of this campaign underscores the need for heightened vigilance when downloading applications, even from seemingly legitimate sources.

Organizations and individuals are advised to implement robust security measures, including multi-factor authentication, regular system updates, and employee training on identifying phishing attempts.

As threat actors continue to innovate and exploit trusted platforms, the cybersecurity community must remain vigilant and adaptive in their defense strategies to protect against these evolving threats.

Investigate Real-World Malicious Links, Malware & Phishing Attacks With ANY.RUN – Try for Free