Cybersecurity companies have noticed an increase in the misuse of Cloudflare’s TryCloudflare free service for delivering malware. The abuse involves creating a temporary tunnel with TryCloudflare so that traffic to an attacker-controlled server is relayed to a local machine through Cloudflare’s infrastructure.
The malicious activity has been observed delivering various types of malware, including AsyncRAT, GuLoader, PureLogs Stealer, Remcos RAT, Venom RAT, and XWorm. The initial attack vector is a phishing email containing a ZIP archive with a URL shortcut file that leads the recipient to a Windows shortcut file hosted on a TryCloudflare-proxied WebDAV server.
The shortcut file executes batch scripts responsible for downloading additional malicious payloads, while displaying a decoy PDF document to maintain the ruse. These scripts can bypass security monitoring tools by using direct syscalls, executing code stealthily.
The phishing lures are written in English, French, Spanish, and German, targeting organizations worldwide with email volumes ranging from hundreds to tens of thousands of messages. The themes cover various topics such as invoices, document requests, package deliveries, and taxes.
While the campaign has not been linked to a specific threat actor or group, it is considered financially motivated. The exploitation of TryCloudflare for malicious purposes was first recorded last year when Sysdig uncovered a cryptojacking and proxyjacking campaign that weaponized a now-patched critical flaw in GitLab.
To mitigate this risk, enterprises should restrict access to external file-sharing services to only known, allow-listed servers. Additionally, Cloudflare needs to review its anti-abuse policies following the exploitation of its services by cybercriminals.
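As an added example (not from the article or from any vendor's tooling), the following Python script applies the allow-list recommendation above to constructed proxy log lines, flagging WebDAV requests to non-allow-listed hosts, TryCloudflare quick-tunnel hostnames, and Windows shortcut files fetched over HTTP. The log format, the hostnames and the allow-list are assumptions for illustration.

```python
import re
from urllib.parse import urlsplit

# Constructed sample proxy log lines (not real data): client, method, URL, status.
SAMPLE_PROXY_LOG = """\
10.0.0.21 PROPFIND https://quiet-river-1234.trycloudflare.com/share/ 207
10.0.0.21 GET https://quiet-river-1234.trycloudflare.com/share/invoice.lnk 200
10.0.0.33 GET https://files.corp.example.com/docs/report.pdf 200
10.0.0.40 GET https://cdn.example.org/static/app.js 200
10.0.0.21 GET https://quiet-river-1234.trycloudflare.com/share/decoy.pdf 200
"""

# Hypothetical allow-list of file-sharing hosts the enterprise has approved.
ALLOWED_FILE_SHARING_HOSTS = {"files.corp.example.com"}

# Indicators drawn from the described chain: WebDAV methods, TryCloudflare
# quick-tunnel hostnames, and Windows shortcut files retrieved from the web.
WEBDAV_METHODS = {"PROPFIND", "PROPPATCH", "MKCOL", "MOVE", "COPY", "LOCK", "UNLOCK"}
TUNNEL_HOST_RE = re.compile(r"\.trycloudflare\.com$", re.IGNORECASE)
SHORTCUT_EXTS = (".lnk", ".url")

LINE_RE = re.compile(r"^(?P<client>\S+) (?P<method>[A-Z]+) (?P<url>\S+) (?P<status>\d{3})$")


def classify(line):
    """Return the reasons a log line is suspicious; an empty list means none."""
    m = LINE_RE.match(line.strip())
    if not m:
        return []  # unparseable line: skip rather than guess
    parts = urlsplit(m["url"])
    host = parts.hostname or ""
    path = parts.path.lower()
    reasons = []
    if TUNNEL_HOST_RE.search(host):
        reasons.append("trycloudflare quick tunnel host")
    if m["method"] in WEBDAV_METHODS and host not in ALLOWED_FILE_SHARING_HOSTS:
        reasons.append("WebDAV method to non-allow-listed host")
    if path.endswith(SHORTCUT_EXTS):
        reasons.append("Windows shortcut file fetched over HTTP")
    return reasons


def find_suspicious(log_text):
    """Map each flagged log line to its reasons; feed real proxy logs here."""
    return {ln: r for ln in log_text.splitlines() if (r := classify(ln))}


if __name__ == "__main__":
    for ln, reasons in find_suspicious(SAMPLE_PROXY_LOG).items():
        print(ln, "->", "; ".join(reasons))
```

Legitimate use of TryCloudflare exists, so the tunnel-host hit is a triage signal to combine with the other indicators rather than a verdict on its own.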
Source: https://thehackernews.com/2024/08/cybercriminals-abusing-cloudflare.html?m=1