Abuse of Cloudflare Tunnel Service for Malware Campaigns Delivering RATs

 

Researchers have raised alarms over cybercriminals increasingly exploiting the Cloudflare Tunnel service in malware campaigns that predominantly distribute remote access trojans (RATs). This malicious activity, first detected in February, utilizes the TryCloudflare free service to disseminate multiple RATs, including AsyncRAT, GuLoader, VenomRAT, Remcos RAT, and Xworm. Cloudflare Tunnel service allows users to proxy traffic through an encrypted tunnel to access local services and servers over the internet without exposing IP addresses. 

This service is designed to offer added security and convenience by eliminating the need to open public inbound ports or set up VPN connections. With TryCloudflare, users can create temporary tunnels to local servers and test the service without requiring a Cloudflare account. However, threat actors have abused this feature to gain remote access to compromised systems while evading detection. A recent report from cybersecurity company Proofpoint observed that malware campaigns are targeting organizations in the law, finance, manufacturing, and technology sectors with malicious .LNK files hosted on the legitimate TryCloudflare domain. The attackers lure targets with tax-themed emails containing URLs or attachments leading to the LNK payload. 

Once launched, the payload runs BAT or CMD scripts that deploy PowerShell, culminating in the download of Python installers for the final payload. Proofpoint reported that an email distribution wave starting on July 11 sent out over 1,500 malicious messages, a significant increase from an earlier wave on May 28, which contained fewer than 50 messages. Hosting LNK files on Cloudflare offers several advantages to cybercriminals, including making the traffic appear legitimate due to Cloudflare’s reputation. 

Additionally, the TryCloudflare Tunnel feature provides anonymity, and the temporary nature of the subdomains makes it challenging for defenders to block them effectively. The use of Cloudflare’s service is not only free and reliable but also allows cybercriminals to avoid the costs associated with setting up their own infrastructure. 

By employing automation to evade blocks from Cloudflare, these criminals can use the tunnels for large-scale operations. A Cloudflare representative stated that the company immediately disables and takes down malicious tunnels as they are discovered or reported by third parties. Cloudflare has also implemented machine learning detections to better contain malicious activity and encourages security vendors to submit suspicious URLs for prompt action. 

In light of this increasing threat, it is crucial for organizations to remain vigilant and enhance their cybersecurity measures to defend against these sophisticated malware campaigns.