Russian BlueAlpha APT Exploits Cloudflare Tunnels to Distribute Custom Malware

BlueAlpha, a Russian state-sponsored group, is actively targeting Ukrainian individuals and organizations by using spearphishing emails with malicious HTML attachments to deliver GammaLoad malware. 

To evade detection, BlueAlpha is leveraging Cloudflare Tunnels to conceal their infrastructure and using DNS fast-fluxing for their C2 servers, as this ongoing campaign, active since early 2024, highlights the persistent threat posed by Russian cyber actors.

Researchers discovered BlueAlpha abusing free Cloudflare Tunnels to hide their GammaDrop malware staging infrastructure, which is created using randomly generated subdomains and acts as proxies to the actual server. 

This technique is gaining popularity among attackers due to its ease of use and low cost. BlueAlpha leverages tunnels to deliver GammaDrop malware via malicious .lnk files, which highlights a recent trend of attackers using Cloudflare Tunnels to evade detection, as previously observed with RATs like AsyncRAT. 

Free Webinar on Best Practices for API vulnerability & Penetration Testing:  Free Registration

Attackers switched from using the onmousemove event to the onerror event in an img tag to trigger deobfuscation of malicious JavaScript within an XHTML attachment and also added a message indicating file download completion. 

The JavaScript checks the OS, decodes a smuggled archive, downloads it, and fetches a tracking pixel from a different location than the GammaDrop staging server, potentially revealing an IP address. 

A malicious HTA file is downloaded and executed from the staging server using a shortcut file that is contained within the archive, which makes use of the mshta.exe program. 

BlueAlpha attackers use GammaDrop, an obfuscated HTA payload, to deploy GammaLoad, a custom VBScript backdoor, where GammaDrop writes GammaLoad to the user profile directory and sets persistence using a run key unless specific security software is running. 

It also opens a blank Word document and stores a C2 IP address in a hidden file. GammaLoad then beacons to the C2 server, sending victim information and retrieving encoded VBScript for further malicious actions. 

Several different methods, such as plain text HTTP, fast-flux DNS, and DNS over HTTPS (DoH), are utilized for communication between the two computers in order to avoid detection. 

According to Insikt Group, to defend against HTML smuggling attacks with embedded JavaScript, users should implement email security solutions that inspect and block suspicious HTML with events like “onerror” and “onmousemove.” 

Application control policies should restrict execution of “mshta.exe” and untrusted “.lnk” files. Endpoint detection should monitor “mshta.exe” activity for suspicious command-line arguments. 

Network traffic to TryCloudflare subdomains and unauthorized DoH connections should be flagged for review, while leveraging threat intelligence platforms to analyze suspicious files, monitor real-time network activity for targeted attacks and stay updated on attacker tactics and indicators of compromise.

Analyse Real-World Malware & Phishing Attacks With ANY.RUN - Get up to 3 Free Licenses