Securonix has uncovered a malware distribution marketing campaign that abuses Cloudflare Tunnel to host payloads on attacker-controlled subdomains.
Dubbed Serpentine#Cloud, the marketing campaign depends on a fancy an infection chain involving shortcut (LNK) recordsdata and obfuscated scripts to ship a Python-based loader that may execute a Donut-packed PE payload in reminiscence.
Early assaults linked to this marketing campaign relied on URL recordsdata for payload execution, however later transitioned to utilizing BAT recordsdata, usually in ZIP archives, to fetch and execute payloads from Cloudflare tunnels.
In newer assaults, LNK recordsdata disguised as PDF paperwork have been used for payload supply. Victims are served these recordsdata through phishing emails that includes cost and bill themes, with hyperlinks to a ZIP file containing the LNK file.
Cloudflare tunnels present distant entry to assets, like VPNs, and risk actors are more and more abusing them for malware supply, because it permits them to stay nameless whereas bypassing community protections and detection, since visitors comes from a reputable service.
As a part of the Serpentine#Cloud marketing campaign, the LNK file served to potential victims was noticed triggering a fancy an infection chain that relied on robocopy to fetch a Home windows Script File (WSF) from a distant WebDAV share hosted on Cloudflare’s tunnel infrastructure, and continued with script execution through Home windows Script Host (WSH).
The an infection sequence continued with the execution of an obfuscated batch file that fetches Python-based malware, establishes persistence, hides the malware’s directories, after which executes it.
The malware is a shellcode loader that makes use of “Early Hen APC injection to stealthily execute shellcode inside a newly spawned course of”, Securonix explains. The executed shellcode resolves right into a Home windows PE file that seems to be both a typical or open supply RAT, reminiscent of AsyncRAT or RevengeRAT.Commercial. Scroll to proceed studying.
Serpentine#Cloud shouldn’t be the primary malicious operation to abuse Cloudflare tunnels for backdoor an infection. Final yr, Proofpoint flagged an analogous marketing campaign that distributed AsyncRAT, GuLoader, Remcos, VenomRAT, and Xworm.
Associated: ClickFix Assault Exploits Faux Cloudflare Turnstile to Ship Malware
Associated: In Different Information: Cloudflare Abuse, UK and EU Cybersecurity Studies, FBI Gen-AI Alert
Associated: New Ransomware With RAT Capabilities Impersonating Sophos
Associated: Microsoft Warns Accounting, Tax Return Preparation Companies of Remcos RAT Assaults
