TLDR:
– Cybercriminals are using TryCloudflare to deliver malware, specifically Remote Access Trojans like Xworm RAT.
– The attackers are able to bypass traditional security controls by exploiting the temporary nature of TryCloudflare, creating an ephemeral infrastructure for delivering payloads.
Cybercriminals have been abusing the TryCloudflare service to deliver malware, specifically Remote Access Trojans (RATs) like Xworm RAT. Because TryCloudflare tunnels are short-lived, attackers can stand up throwaway infrastructure for delivering payloads that bypasses traditional security controls. Recent campaigns deliver malware through URL links or attachments, using internet shortcuts that download files which ultimately install malware on victims’ systems.
One notable campaign involved a high-volume email campaign targeting global organizations with lures in multiple languages, delivering various RATs like AsyncRAT, VenomRAT, and GuLoader. The threat actor behind these campaigns adapts their attack chain to evade detection, indicating a sophisticated and persistent threat.
Proofpoint reported a specific cyberattack campaign targeting finance, manufacturing, and technology sectors that leveraged Cloudflare tunnels to distribute malware. Over 1,500 emails were sent with HTML attachments containing malicious files that, once executed, installed malware on victims’ systems.
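The delivery chain described above (an internet shortcut that points at a short-lived TryCloudflare hostname) lends itself to a simple defensive check. The following is an added example, not code from the original report or from Proofpoint: it parses a Windows .url shortcut to extract its target, matches hostnames against the trycloudflare.com quick-tunnel suffix, and scans proxy log lines for requests to such hosts. The shortcut text, log lines, log format and hostnames are constructed for illustration.

```python
"""Flag .url internet shortcuts and proxy requests that point at TryCloudflare quick tunnels.
All sample data below is constructed, not taken from any real campaign."""
import configparser
from urllib.parse import urlsplit

TUNNEL_SUFFIX = ".trycloudflare.com"  # hostname suffix of TryCloudflare quick tunnels


def tunnel_host(url):
    """Return the hostname if the URL points at a TryCloudflare quick tunnel, else None.
    Uses a label-aware suffix match so 'trycloudflare.com.example.net' is not flagged."""
    host = (urlsplit(url).hostname or "").lower()
    return host if host.endswith(TUNNEL_SUFFIX) else None


def parse_internet_shortcut(text):
    """Parse a Windows .url file ([InternetShortcut] section, URL= key) and return its target."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string(text)
    try:
        return parser.get("InternetShortcut", "URL")
    except (configparser.NoSectionError, configparser.NoOptionError):
        return None


def shortcut_points_at_tunnel(text):
    """Return the tunnel hostname if the shortcut targets a TryCloudflare tunnel, else None."""
    url = parse_internet_shortcut(text)
    return tunnel_host(url) if url else None


def flag_tunnel_requests(log_lines):
    """Scan constructed 'timestamp client url' proxy log lines and return
    (client, host, path) for every request whose host is a TryCloudflare tunnel."""
    hits = []
    for line in log_lines:
        parts = line.split()
        if len(parts) < 3:
            continue  # malformed line: skip rather than crash the scan
        host = tunnel_host(parts[2])
        if host:
            hits.append((parts[1], host, urlsplit(parts[2]).path))
    return hits


# Constructed sample attachment and proxy log; hostnames are placeholders.
SAMPLE_SHORTCUT = "[InternetShortcut]\nURL=https://example-words.trycloudflare.com/share/update.exe\nIconIndex=0\n"
SAMPLE_LOG = [
    "2024-01-01T10:00:00Z 10.0.0.5 https://www.example.com/index.html",
    "2024-01-01T10:00:05Z 10.0.0.5 https://example-words.trycloudflare.com/share/update.exe",
    "2024-01-01T10:00:09Z 10.0.0.7 https://trycloudflare.com.example.net/login",
]

if __name__ == "__main__":
    print("shortcut target tunnel:", shortcut_points_at_tunnel(SAMPLE_SHORTCUT))
    for hit in flag_tunnel_requests(SAMPLE_LOG):
        print("tunnel request:", hit)
```

Hits from the log scan are a triage signal, not proof of compromise; legitimate developers also use quick tunnels, so pair the match with the originating attachment or shortcut where possible.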
Overall, the abuse of TryCloudflare by cybercriminals poses a significant threat because the technique bypasses traditional security measures and evades detection. Organizations should remain vigilant and deploy the necessary security measures to protect against these types of attacks.