Attackers Abuse Cloudflare Tunnels to Deliver Xworm Malware

Researchers are warning of an ongoing phishing campaign that leverages Cloudflare Tunnels in order to deliver the Xworm malware. The attack has so far targeted thousands of organizations in the past five months, but it does require “significant” victim interaction in order to be successful.

Attackers delivering malware have previously utilized the Cloudflare Tunnel feature, which is a way to "connect resources to Cloudflare without a publicly routable IP address." TryCloudflare, Cloudflare's free-tier service, allows attackers to create a one-time tunnel without creating an account, and gives them more flexibility in handling their infrastructure and avoiding defenders during attacks.

“The use of Cloudflare tunnels provides the threat actors a way to use temporary infrastructure to scale their operations, providing flexibility to build and take down instances in a timely manner,” said Joe Wise and Selena Larson with Proofpoint’s threat research team in a Thursday analysis. “This makes it harder for defenders and traditional security measures such as relying on static blocklists. Temporary Cloudflare instances allow attackers a low-cost method to stage attacks with helper scripts, with limited exposure for detection and takedown efforts.”

The campaign was first seen in February 2024, and researchers said the activity peaked in May through July, with campaign message volumes ranging from hundreds to tens of thousands. Thousands of organizations globally have been targeted, with message lures using the English, French, Spanish and German languages.

The campaign has delivered a number of malware families, including AsyncRAT, VenomRAT, GuLoader and Remcos, but in recent months attackers have almost exclusively delivered Xworm, a RAT with functionalities that range from keylogging to delivering ransomware. Researchers have not yet attributed the campaign to a threat group.

The attack starts with messages carrying URLs or attachments that lead to .URL files. Researchers said that the lures used in campaign messages have involved business-related themes, including invoices, document requests, package deliveries and taxes. Once executed, the .URL file kicks off an attack chain that involves LNK or VBS files, a BAT or CMD file and finally a Python installer package and a series of Python scripts leading to the malware execution. The good news is that this attack requires “significant” user interaction in order to be successful: Victims must click on the malicious link, click on multiple files and unzip compressed scripts.
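The multi-stage chain above (script file, then batch file, then a bundled Python interpreter) leaves a recognizable process lineage on the endpoint. The following is an added example, not code from the article or from Proofpoint, showing how a defender could correlate process-creation events to flag a python.exe that runs from a user-writable directory and descends from a VBS/LNK stage and a BAT/CMD stage. The event records, paths and process IDs are constructed for illustration.

```python
import re
from dataclasses import dataclass


@dataclass
class ProcEvent:
    """One process-creation event, as an EDR or Sysmon-style log would record it."""
    pid: int
    ppid: int
    image: str      # executable path, lower-cased
    cmdline: str    # full command line


# Constructed sample events approximating the chain described in the article:
# .URL/.VBS -> .BAT -> bundled Python interpreter unpacked under the user's profile.
SAMPLE_EVENTS = [
    ProcEvent(100, 1, r"c:\windows\explorer.exe", "explorer.exe"),
    ProcEvent(101, 100, r"c:\windows\system32\wscript.exe",
              r'wscript.exe "C:\Users\jdoe\Downloads\Invoice_2024.vbs"'),
    ProcEvent(102, 101, r"c:\windows\system32\cmd.exe",
              r'cmd.exe /c "C:\Users\jdoe\AppData\Local\Temp\run.bat"'),
    ProcEvent(103, 102, r"c:\users\jdoe\appdata\local\temp\py\python.exe",
              r'python.exe "C:\Users\jdoe\AppData\Local\Temp\py\loader.py"'),
    # Benign developer workflow: an installed Python launched from a terminal.
    ProcEvent(200, 100, r"c:\windows\system32\cmd.exe", "cmd.exe"),
    ProcEvent(201, 200, r"c:\program files\python312\python.exe",
              r'python.exe "C:\src\tool.py"'),
]

# Interpreter living under a per-user directory is the "bundled Python" signal.
USER_WRITABLE = re.compile(r"\\users\\[^\\]+\\(appdata|downloads|desktop)\\", re.I)
# Earlier stages named in the article: URL/LNK/VBS, then BAT/CMD.
SCRIPT_STAGE = re.compile(r"\.(?:url|lnk|vbs)\b", re.I)
BATCH_STAGE = re.compile(r"\.(?:bat|cmd)\b", re.I)


def ancestors(event, by_pid):
    """Walk the parent chain upward, guarding against cycles from pid reuse."""
    chain, seen = [], set()
    cur = by_pid.get(event.ppid)
    while cur is not None and cur.pid not in seen:
        seen.add(cur.pid)
        chain.append(cur)
        cur = by_pid.get(cur.ppid)
    return chain


def flag_python_chains(events):
    """Return pids of python.exe processes matching the described lineage."""
    by_pid = {e.pid: e for e in events}
    flagged = []
    for e in events:
        if not e.image.endswith("\\python.exe"):
            continue
        if not USER_WRITABLE.search(e.image):
            continue  # interpreter from an installed location: out of scope here
        lineage = ancestors(e, by_pid)
        saw_batch = any(BATCH_STAGE.search(a.cmdline) for a in lineage)
        saw_script = any(SCRIPT_STAGE.search(a.cmdline) for a in lineage)
        if saw_batch and saw_script:
            flagged.append(e.pid)
    return flagged


if __name__ == "__main__":
    print("suspicious python.exe pids:", flag_python_chains(SAMPLE_EVENTS))
```

The two conditions (interpreter path under the user profile, plus both earlier stages in the ancestry) are what keep a developer's everyday `cmd.exe -> python.exe` pair from firing; in a real deployment the path regex would be tuned to the organization's own software-install conventions.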

Still, the attack’s use of Cloudflare Tunnels is part of an overall increase in malware delivery via this vector, said researchers.

“Threat actor abuse of TryCloudflare tunnels became popular in 2023 and appears to be increasing among cybercriminal threat actors,” said researchers. “Each use of TryCloudflare Tunnels will generate a random subdomain on trycloudflare[.]com, for example ride-fatal-italic-information[.]trycloudflare[.]com. Traffic to the subdomains is proxied through Cloudflare to the operators’ local server.”
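Because every TryCloudflare tunnel gets a fresh random subdomain, a blocklist of exact hostnames is always one step behind. The following added example, which is not code from the article or from Proofpoint, matches on the parent domain instead: it pulls hostnames out of constructed DNS and proxy log lines (and refangs defanged indicators such as the one quoted above) and reports anything that is trycloudflare.com or a subdomain of it, while not matching a look-alike that merely starts with those labels. All log lines and client addresses are constructed for illustration.

```python
import re
from urllib.parse import urlsplit

# Constructed sample log lines: two DNS query records and two web-proxy records.
SAMPLE_LOGS = [
    "2024-07-10T09:12:01Z dns query=ride-fatal-italic-information.trycloudflare.com type=A client=10.0.4.21",
    "2024-07-10T09:12:02Z proxy client=10.0.4.21 url=https://ride-fatal-italic-information.trycloudflare.com/invoice.url status=200",
    "2024-07-10T09:15:44Z proxy client=10.0.4.22 url=https://www.cloudflare.com/products/tunnel/ status=200",
    "2024-07-10T09:16:10Z dns query=trycloudflare.com.evil.example type=A client=10.0.4.23",
]

TUNNEL_PARENT = "trycloudflare.com"
FIELD = re.compile(r"\b(?:query|url)=(\S+)")


def refang(value):
    """Turn defanged notation ('example[.]com', 'hxxp://') back into a real host or URL."""
    return value.replace("[.]", ".").replace("hxxp", "http")


def host_from_token(token):
    """Extract a lower-cased hostname from either a bare name or a full URL."""
    token = refang(token)
    if "://" in token:
        return (urlsplit(token).hostname or "").lower()
    return token.lower().rstrip(".")


def is_tunnel_host(host):
    """True for trycloudflare.com itself or any subdomain; label-boundary aware."""
    host = host_from_token(host)
    return host == TUNNEL_PARENT or host.endswith("." + TUNNEL_PARENT)


def find_tunnel_hosts(lines):
    """Return the tunnel hostnames seen in the given log lines, in order."""
    hits = []
    for line in lines:
        for token in FIELD.findall(line):
            host = host_from_token(token)
            if is_tunnel_host(host):
                hits.append(host)
    return hits


if __name__ == "__main__":
    for h in find_tunnel_hosts(SAMPLE_LOGS):
        print("tunnel host observed:", h)
```

Matching with a leading dot (`"." + TUNNEL_PARENT`) rather than a plain substring test is the detail that matters: it catches every random subdomain the service hands out but ignores unrelated names that happen to contain the string. Whether such traffic is blocked or only alerted on depends on whether the organization has a legitimate use for the service.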

Another notable aspect of the attack is the threat actors’ use of Python scripts, and researchers said that threat actors have bundled the Python libraries and installer with the Python scripts so that the malware can run on hosts that don’t have Python installed.

“Organizations should restrict the use of Python if it is not required for individuals’ job functions,” said researchers. This is not the first time researchers have observed software packages delivered alongside malware files. In recent months Proofpoint has observed campaigns delivering Java-based malware that bundle a JAR and the Java Runtime Environment (JRE) inside a ZIP to ensure the correct software is installed before executing the downloader or dropper.