Warning: TryCloudflare is being abused to distribute remote access malware
International security researchers are warning that hackers are increasingly abusing the Cloudflare Tunnel service in serious malware campaigns that spread remote access trojans (RATs).
This cybercriminal activity was first discovered in February this year. It takes advantage of the free TryCloudflare service to spread many different RAT strains, including families labeled as highly dangerous such as AsyncRAT, GuLoader, VenomRAT, Remcos RAT and Xworm.
The Cloudflare Tunnel service proxies traffic through an encrypted tunnel so that local services and servers can be reached over the internet without exposing their IP address. This adds both security and convenience, since there is no need to open any public gateway or establish a VPN connection.
With TryCloudflare, users can create a temporary tunnel to a local server and test the service without needing a Cloudflare account. Each tunnel is given a temporary random subdomain of trycloudflare.com, which is used to route traffic across Cloudflare's network to the local server. In the past, hackers have abused this feature to remotely access compromised systems while avoiding detection.
A new report from cybersecurity firm Proofpoint says it observed malware activity targeting law, finance, manufacturing and technology organizations with malicious .LNK files hosted on legitimate TryCloudflare domains.
Threat actors lure targets with tax-themed emails whose URLs or attachments lead to the LNK payload. When launched, the payload runs BAT or CMD scripts that in turn launch PowerShell.
In the final stage of the attack, a Python installer is downloaded to deliver the final payload. Proofpoint reports that the email distribution began on July 11 and involved more than 1,500 malicious messages.
Hosting LNK files on Cloudflare offers attackers several benefits, including making the traffic appear legitimate thanks to the service's reputation. Furthermore, TryCloudflare Tunnel provides anonymity, and the subdomains that serve the LNK files are only temporary, so blocking individual subdomains does little good.
Finally, the service is free and reliable, so cybercriminals don't incur the costs of setting up their own infrastructure. If automation is used to avoid being blocked by Cloudflare, hackers can exploit these tunnels even for large-scale operations.
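Because the random subdomains are throwaway, a defender is better served by keying on the stable parent domain. The following is an added example, not code from this article or from Proofpoint: a small Python rule that scans proxy log lines for requests to any trycloudflare.com subdomain and raises the severity when a shortcut or script file is fetched. The log format, hostnames and paths are constructed for illustration, and the extension list is an assumption.

```python
import re
from urllib.parse import urlparse

# Constructed sample proxy log lines (not real indicators).
# Format assumed: "<timestamp> <client_ip> <method> <url> <status>"
SAMPLE_LOGS = [
    "2024-07-11T09:12:03Z 10.0.0.15 GET https://random-words-example.trycloudflare.com/invoice_tax.lnk 200",
    "2024-07-11T09:12:09Z 10.0.0.15 GET https://random-words-example.trycloudflare.com/setup.bat 200",
    "2024-07-11T09:15:44Z 10.0.0.22 GET https://www.example.com/index.html 200",
    "2024-07-11T09:16:01Z 10.0.0.31 GET https://other-random-host.trycloudflare.com/report.pdf 200",
    "2024-07-11T09:20:00Z 10.0.0.15 GET https://trycloudflare.com.evil.example/x.lnk 200",  # lookalike host
]

LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<client>\S+) (?P<method>\S+) (?P<url>\S+) (?P<status>\d+)$")
# Assumed list of file types matching the LNK -> BAT/CMD -> PowerShell -> Python chain described above.
SUSPICIOUS_EXT = (".lnk", ".bat", ".cmd", ".ps1", ".py")


def is_trycloudflare_host(host):
    """Match the stable parent domain on a label boundary, so random subdomains hit
    but lookalikes such as 'trycloudflare.com.evil.example' do not."""
    host = host.lower().rstrip(".")
    return host == "trycloudflare.com" or host.endswith(".trycloudflare.com")


def parse_line(line):
    """Parse one log line into a dict with host and path split out; None if malformed."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    u = urlparse(rec["url"])
    rec["host"], rec["path"] = (u.hostname or ""), u.path
    return rec


def classify(rec):
    """'high' for a script/shortcut download over a TryCloudflare tunnel,
    'medium' for any other TryCloudflare traffic, None otherwise."""
    if not is_trycloudflare_host(rec["host"]):
        return None
    return "high" if rec["path"].lower().endswith(SUSPICIOUS_EXT) else "medium"


def scan(lines):
    """Return (severity, client, host, path) for every line that matches the rule."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is not None and classify(rec):
            hits.append((classify(rec), rec["client"], rec["host"], rec["path"]))
    return hits


if __name__ == "__main__":
    for hit in scan(SAMPLE_LOGS):
        print(*hit)
```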