Report: Cybercriminals use Cloudflare tunnels to spread malware

Previously unknown cybercriminals are using "TryCloudflare" to spread malware unchallenged. This is reported by security experts.


Cybercriminals use Cloudflare tunnels to spread malware.

(Image: PORTRAIT IMAGES ASIA BY NONWARIT/Shutterstock.com)


Previously unknown cybercriminals are using Cloudflare's free "TryCloudflare" service worldwide to spread malware such as remote access Trojans (RATs) unchallenged. This is reported by security experts. The first observations were made in February 2024 – and activity has increased significantly since June. Cloudflare's tunnel function makes it possible to encrypt and forward data traffic between Cloudflare and a web server, which the attackers are said to have exploited.

Malware that uses TryCloudflare tunnels. These include AsyncRAT, RemcosRAT, VenomRAT and XWorm, among others.

(Image: Proofpoint)

According to security experts from Proofpoint and eSentire, the criminals use the Cloudflare tunnels to host malicious content and access their victims' systems from there. "TryCloudflare" – a service primarily intended for testing and demonstration purposes – makes it possible to create such tunnels without registering an account. Since the traffic is routed through Cloudflare, it is difficult to detect and block malicious activity, which makes remote access to data and resources easy. In addition, temporary Cloudflare instances are a cost-effective method of launching attacks with helper scripts. Attackers also escape static block lists in this way, because each tunnel gets a fresh hostname.

To spread the malware, phishing lures are written in English, French, Spanish and German, as Proofpoint writes. The criminals send hundreds to tens of thousands of messages to companies; the messages are made to look like invoices, document requests and parcel deliveries.

Phishing e-mail about invoices

(Image: Proofpoint)

The initial attack vector is a phishing email with a ZIP archive containing an LNK shortcut file. The LNK file is hosted on a TryCloudflare WebDAV server. After clicking on the LNK file, a batch script is executed that retrieves and executes Python scripts.

The attacks usually start with emails containing URLs or attachments. According to the security researchers, clicking on these establishes connections to external file shares in order to download LNK shortcut files, for example.

(Image: Proofpoint)

PDF documents are also created on the same WebDAV server for disguise purposes. To bypass security monitoring tools, direct system calls are made, among other things.

According to the researchers, the misuse of Cloudflare tunnels could lead to data loss, interruptions in operations and financial damage. To protect themselves from such attacks, companies and users should keep an eye on data traffic in particular to detect conspicuous activity at an early stage.
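The article's closing advice is to watch data traffic for conspicuous activity. The following script is an added example, not code from the article or from Proofpoint or eSentire: it scans constructed web-proxy log lines for the chain described above (a WebDAV listing on a TryCloudflare host, followed by downloads of an LNK shortcut, a batch script and a Python script) and groups hits per internal client. It relies on one fact not stated in the article, namely that TryCloudflare quick tunnels are served under `*.trycloudflare.com`; the log format, the hostnames, the client addresses and the file names are all constructed for the example.

```python
import os.path
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed sample proxy log (not from the article):
# timestamp, internal client, HTTP method, URL, user agent in quotes.
SAMPLE_LOG = """\
2024-07-02T09:14:03Z 10.0.5.21 GET https://cdn.example.com/assets/app.js "Mozilla/5.0"
2024-07-02T09:15:11Z 10.0.5.21 PROPFIND https://example-tunnel-name.trycloudflare.com/invoice/ "Microsoft-WebDAV-MiniRedir/10.0.19045"
2024-07-02T09:15:12Z 10.0.5.21 GET https://example-tunnel-name.trycloudflare.com/invoice/Invoice.lnk "Microsoft-WebDAV-MiniRedir/10.0.19045"
2024-07-02T09:15:40Z 10.0.5.21 GET https://example-tunnel-name.trycloudflare.com/invoice/helper.bat "Microsoft-WebDAV-MiniRedir/10.0.19045"
2024-07-02T09:16:02Z 10.0.5.21 GET https://example-tunnel-name.trycloudflare.com/invoice/loader.py "python-requests/2.31"
2024-07-02T09:20:00Z 10.0.7.8 GET https://docs.example.org/report.pdf "Mozilla/5.0"
"""

# Quick tunnels created with TryCloudflare are served under this suffix
# (a known property of the service, not taken from the article).
TRYCLOUDFLARE_SUFFIX = ".trycloudflare.com"

# File types that appear in the attack chain the article describes.
STAGE_EXTENSIONS = {
    ".zip": "ZIP archive fetched",
    ".lnk": "LNK shortcut fetched",
    ".bat": "batch script fetched",
    ".py": "Python script fetched",
}

# WebDAV-specific methods; browsers never issue these for normal page loads.
WEBDAV_METHODS = {"PROPFIND", "OPTIONS", "MKCOL"}

LINE_RE = re.compile(
    r'^(?P<ts>\S+) (?P<client>\S+) (?P<method>[A-Z]+) (?P<url>\S+) "(?P<ua>[^"]*)"$'
)


def parse_line(line):
    """Parse one constructed log line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    parts = urlsplit(rec["url"])
    rec["host"] = (parts.hostname or "").lower()
    rec["path"] = parts.path
    return rec


def is_trycloudflare(host):
    """True for any hostname under the TryCloudflare quick-tunnel suffix."""
    return host.endswith(TRYCLOUDFLARE_SUFFIX)


def is_webdav(rec):
    """WebDAV access shows up either as a WebDAV method or as the Windows WebDAV client agent."""
    return rec["method"] in WEBDAV_METHODS or "webdav" in rec["ua"].lower()


def classify(rec):
    """Return finding labels for one record; an empty list means nothing noteworthy."""
    findings = []
    if not is_trycloudflare(rec["host"]):
        return findings
    findings.append("trycloudflare host")
    if is_webdav(rec):
        findings.append("WebDAV access")
    ext = os.path.splitext(rec["path"])[1].lower()
    if ext in STAGE_EXTENSIONS:
        findings.append(STAGE_EXTENSIONS[ext])
    return findings


def analyze(log_text):
    """Group findings per internal client: {client: [(ts, host, path, findings), ...]}."""
    per_client = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        findings = classify(rec)
        if findings:
            per_client[rec["client"]].append((rec["ts"], rec["host"], rec["path"], findings))
    return dict(per_client)


def chain_observed(events):
    """True when one client shows WebDAV access plus an LNK and a follow-on script download."""
    labels = {label for _, _, _, fs in events for label in fs}
    return ("WebDAV access" in labels and "LNK shortcut fetched" in labels
            and ("batch script fetched" in labels or "Python script fetched" in labels))


if __name__ == "__main__":
    for client, events in analyze(SAMPLE_LOG).items():
        print(client, "full chain" if chain_observed(events) else "partial match")
        for ts, host, path, fs in events:
            print("  ", ts, host + path, "|", ", ".join(fs))
```

A single hit on a TryCloudflare hostname is not proof of compromise, since developers legitimately use the service for demos; the value lies in correlating the WebDAV client, the LNK download and the script fetch from the same client within minutes, which is the sequence the article describes and which ordinary web browsing does not produce.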

(mack)


This article was originally published in German. It was translated with technical assistance and editorially reviewed before publication.