https://www.proofpoint.com/us/blog/threat-insight/threat-actor-abuses-cloudflare-tunnels-deliver-rats
Blog / Threat Insight

Threat Actor Abuses Cloudflare Tunnels to Deliver RATs

August 01, 2024
Joe Wise, Selena Larson, and the Proofpoint Threat Research Team

Key findings

* Proofpoint has observed an increase in malware delivery via TryCloudflare Tunnel abuse.
* The activity is financially motivated and delivers exclusively remote access trojans (RATs).
* Since initial observation, the threat activity set behind the campaigns has modified its tactics, techniques, and procedures in attempts to bypass detection and improve efficacy.
* Proofpoint does not attribute this activity to a tracked threat actor (TA), but research is ongoing.

Overview

Proofpoint is tracking a cluster of cybercriminal threat activity leveraging Cloudflare Tunnels to deliver malware. Specifically, the activity abuses the TryCloudflare feature, which allows an attacker to create a one-time tunnel without creating an account. Tunnels are a way to remotely access data and resources that are not on the local network, like using a virtual private network (VPN) or the secure shell (SSH) protocol.

First observed in February 2024, the cluster increased activity in May through July, with most campaigns leading to Xworm, a remote access trojan (RAT), in recent months.

In most campaigns, messages contain a URL or attachment leading to an internet shortcut (.URL) file. When executed, it establishes a connection to an external file share, typically via WebDAV, to download an LNK or VBS file. When executed, the LNK/VBS runs a BAT or CMD file that downloads a Python installer package and a series of Python scripts leading to malware installation. In some cases, file staging leverages the search-ms protocol handler to retrieve the LNK from a WebDAV share. Typically, a benign PDF is displayed to the user so the campaign appears legitimate.

In June and July, nearly all observed campaigns delivered Xworm, but previous campaigns also delivered AsyncRAT, VenomRAT, GuLoader, and Remcos. Some campaigns lead to multiple different malware payloads, with each unique Python script leading to the installation of a different malware.

Figure: Malware observed in related campaigns leveraging "trycloudflare" tunnels.
Campaign message volumes range from hundreds to tens of thousands of messages, impacting dozens to thousands of organizations globally. In addition to English, researchers observed French, Spanish, and German language lures. Xworm, AsyncRAT, and VenomRAT campaigns are often higher volume than campaigns delivering Remcos or GuLoader. Lure themes vary, but typically include business-relevant topics like invoices, document requests, package deliveries, and taxes.

While the tactics, techniques and procedures (TTPs) of the campaigns remain consistent, the threat actor does appear to modify different parts of the attack chain to increase sophistication and defense evasion. For example, initial campaigns used little to no obfuscation in their helper scripts. The scripts often included detailed comments about the functionality of the code. However, this changed in June when the threat actors began to incorporate obfuscation in their code.

Figure: Helper script without obfuscation (May 2024 campaign example).

Figure: Helper script with obfuscation (June 2024 campaign example).

Threat actor abuse of TryCloudflare tunnels became popular in 2023 and appears to be increasing among cybercriminal threat actors. Each use of TryCloudflare Tunnels generates a random subdomain on trycloudflare[.]com, for example ride-fatal-italic-information[.]trycloudflare[.]com. Traffic to the subdomains is proxied through Cloudflare to the operators' local server.

Campaign examples

AsyncRAT / Xworm Campaign, 28 May 2024

Proofpoint observed a campaign on 28 May 2024 delivering AsyncRAT and Xworm. In this campaign, tax-themed messages contained URLs leading to a zipped .URL file. The campaign targeted organizations in law and finance and included fewer than 50 total messages.

Figure: 28 May 2024 email lure using 2023 tax themes.
The .URL file pointed to a remote .LNK file. If executed, it led to a CMD helper script which called PowerShell to download a zipped Python package and Python scripts. The Python package and scripts led to the installation of AsyncRAT and Xworm.

Figure: 28 May 2024 attack chain.

AsyncRAT / Xworm Campaign, 11 July 2024

Researchers observed another campaign leveraging Cloudflare tunnels to distribute AsyncRAT and Xworm on 11 July 2024. This campaign included over 1,500 messages targeting organizations in finance, manufacturing, technology and others.

Figure: 11 July 2024 lure using order invoicing themes.

Interestingly, in this campaign messages contained HTML attachments with a search-ms query which pointed to a LNK file. If executed, it led to an obfuscated BAT file which invoked PowerShell to download a Python installer package and scripts to run AsyncRAT and Xworm.

Figure: 11 July 2024 attack chain.

Attribution

Based on the tactics, techniques and procedures (TTPs) observed in campaigns, Proofpoint assesses they can be attributed to one cluster of related activity. Researchers have not attributed a specific threat actor to this activity, but research is ongoing.

Why it matters

The use of Cloudflare tunnels provides the threat actors a way to use temporary infrastructure to scale their operations, giving them the flexibility to build and take down instances in a timely manner. This makes detection harder for defenders and for traditional security measures such as static blocklists. Temporary Cloudflare instances allow attackers a low-cost method to stage attacks with helper scripts, with limited exposure to detection and takedown efforts.

Attackers' use of Python scripts for malware delivery is notable. Packaging Python libraries and an executable installer alongside the Python scripts ensures the malware can be downloaded and run on hosts that did not previously have Python installed.
Organizations should restrict the use of Python if it is not required for individuals' job functions. This is not the first time researchers have observed software packages delivered alongside malware files. In recent months Proofpoint has observed campaigns delivering Java-based malware that bundle a JAR and the Java Runtime Environment (JRE) inside a ZIP to ensure the correct software is installed before executing the downloader or dropper.

The attack chain requires significant victim interaction in order to detonate the final payload, including clicking on the malicious link, double clicking on multiple files such as the LNK or VBS files, and unzipping compressed scripts. This gives the recipient multiple opportunities to identify suspicious activity and disrupt the attack chain before successful execution.

Threat actors are increasingly using WebDAV and Server Message Block (SMB) for payload staging and delivery as the cybercriminal ecosystem continues to experiment with different TTPs. Organizations should restrict access to external file sharing services to only known, safelisted servers.

Emerging Threats signatures

The Emerging Threats ruleset contains detections for the malware identified in these campaigns.
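The staging chain described above (WebDAV access to a throwaway trycloudflare[.]com host, followed by download of .URL/.LNK/.VBS/.BAT/.CMD helpers) can be triaged from web proxy logs, and the safelisting advice in the last paragraph can be turned into a rule. The following is an added example written for this article, not code from Proofpoint; the log format, hostnames and safelist are constructed assumptions.

```python
import re
from urllib.parse import urlsplit

# Constructed sample proxy log lines (not taken from the Proofpoint post).
# Format assumed here: "<client> <method> <url> <status>". The tunnel and
# partner hostnames are invented for this example.
SAMPLE_LOGS = """\
10.0.0.5 PROPFIND https://blue-quiet-sample-host.trycloudflare.com/share/ 207
10.0.0.5 GET https://blue-quiet-sample-host.trycloudflare.com/share/invoice.lnk 200
10.0.0.5 GET https://blue-quiet-sample-host.trycloudflare.com/share/invoice.pdf 200
10.0.0.7 GET https://files.example-corp.internal/report.pdf 200
10.0.0.9 PROPFIND https://dav.partner-safelisted.example/docs/ 207
"""

# External WebDAV servers the organisation has explicitly safelisted (assumed).
SAFELISTED_DAV_HOSTS = {"dav.partner-safelisted.example"}
# File types used as staging artefacts in the attack chain the article describes.
STAGING_EXTS = (".url", ".lnk", ".vbs", ".bat", ".cmd", ".zip")
# WebDAV-specific methods: a browser fetching a web page never sends these.
WEBDAV_METHODS = {"PROPFIND", "OPTIONS", "MKCOL"}

LOG_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\d{3})$")


def triage_proxy_logs(text: str) -> list:
    """Return (client, reason, url) triples for lines matching the staging pattern."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # skip lines that are not in the assumed format
        client, method, url, _status = m.groups()
        parts = urlsplit(url)
        host = (parts.hostname or "").lower()
        path = parts.path.lower()
        if host.endswith(".trycloudflare.com"):
            findings.append((client, "trycloudflare-tunnel", url))
        if method.upper() in WEBDAV_METHODS and host not in SAFELISTED_DAV_HOSTS:
            findings.append((client, "webdav-to-unsafelisted-host", url))
        if path.endswith(STAGING_EXTS) and host not in SAFELISTED_DAV_HOSTS:
            findings.append((client, "staging-file-download", url))
    return findings


def flagged_clients(findings: list) -> list:
    """Distinct client addresses that produced at least one finding, sorted."""
    return sorted({client for client, _reason, _url in findings})


if __name__ == "__main__":
    for client, reason, url in triage_proxy_logs(SAMPLE_LOGS):
        print(f"{client}\t{reason}\t{url}")
    print("hosts to review:", flagged_clients(triage_proxy_logs(SAMPLE_LOGS)))
```

The three reasons are deliberately independent so that a single client fetching a .lnk over WebDAV from a tunnel host produces several findings; correlating them per client is what turns a noisy proxy feed into a short review list.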
Examples:

* 2853193 | ETPRO MALWARE Win32/Xworm V3 CnC Command - PING Outbound
* 2852870 | ETPRO MALWARE Win32/Xworm CnC Checkin - Generic Prefix Bytes
* 2852923 | ETPRO MALWARE Win32/Xworm CnC Checkin - Generic Prefix Bytes (Client)
* 2855924 | ETPRO MALWARE Win32/Xworm V3 CnC Command - PING Outbound
* 2857507 | ETPRO ATTACK_RESPONSE Suspicious HTML Serving Abused URL Linking Method Observed

Example Indicators of Compromise