New research has disclosed an alarming increase in the abuse of TryCloudflare Tunnels for financially-motivated malware delivery.
Initial observations of the attacks in February 2024 by cybersecurity firm Proofpoint were followed by an increase in cases, signifying an emerging trend.
The primary payload observed in these campaigns is XWorm, a notorious remote access trojan (RAT), but AsyncRAT, VenomRAT, GuLoader and Remcos have also been observed.
TryCloudflare Tunnels hijacked
Threat actors are leveraging temporary Cloudflare instances to execute attacks using helper scripts, which Proofpoint says complicates traditional security measures by making the threats harder to both detect and prevent.
Proofpoint tracking revealed cybercriminals are exploiting the TryCloudflare feature to establish one-time tunnels, acting similarly to VPNs or SSH protocols. Typically, attacks involve messages containing URLs or attachments leading to an internet shortcut file.
Victims who click the link connect to an external file share and download an LNK or VBS file, which executes a BAT or CMD file. The malicious files ultimately download a Python installer package and scripts that install the malware.
Recently, more than 1,500 messages were seen to have targeted a range of sectors, including finance, manufacturing and technology.
Although the attacks have not been attributed to a specific threat actor, research is ongoing.
The company also offered some guidance as to how businesses can prevent these types of attacks. By restricting Python usage where unnecessary and safeguarding against external file-sharing services, Proofpoint says that organizations stand a much better chance of avoiding the malware.
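As an added illustration of how a defender could hunt for the delivery chain and tunnel usage described above (this is example code written for this article, not Proofpoint's tooling), the following checks constructed endpoint telemetry for two signals: DNS lookups of *.trycloudflare.com subdomains, and python.exe being launched by a shell that was itself spawned by a Windows script host (the VBS -> BAT/CMD -> Python pattern). The log format and hostnames are assumptions made up for the example.

```python
import re
from collections import namedtuple

# Constructed sample telemetry in a hypothetical pipe-delimited format:
#   dns|host|timestamp|queried_name
#   proc|host|timestamp|parent_image|image|command_line
# The tunnel subdomain and file names are invented for this example.
SAMPLE_LOG = """\
dns|ws01|2024-02-14T09:01:03Z|update.microsoft.com
dns|ws01|2024-02-14T09:02:10Z|example-words-random-label.trycloudflare.com
proc|ws01|2024-02-14T09:02:12Z|explorer.exe|wscript.exe|invoice.vbs
proc|ws01|2024-02-14T09:02:13Z|wscript.exe|cmd.exe|/c run.bat
proc|ws01|2024-02-14T09:02:20Z|cmd.exe|python.exe|loader.py
proc|ws02|2024-02-14T09:05:00Z|explorer.exe|python.exe|notebook.py
"""

# Matches the apex domain or any subdomain of trycloudflare.com
TRYCLOUDFLARE = re.compile(r"(^|\.)trycloudflare\.com$", re.IGNORECASE)
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}   # runs the VBS stage
SHELLS = {"cmd.exe"}                             # runs the BAT/CMD stage

Finding = namedtuple("Finding", "host time rule detail")


def detect(log_text):
    """Return one Finding per suspicious event in the telemetry."""
    findings = []
    parent_of = {}  # (host, image) -> parent image of its most recent launch
    for line in log_text.splitlines():
        parts = line.split("|")
        kind, host, ts = parts[0], parts[1], parts[2]
        if kind == "dns" and TRYCLOUDFLARE.search(parts[3]):
            findings.append(Finding(host, ts, "trycloudflare-dns", parts[3]))
        elif kind == "proc":
            parent, image, cmdline = parts[3], parts[4], parts[5]
            parent_of[(host, image)] = parent
            # Flag python.exe only when the chain is script host -> shell -> python
            if image == "python.exe" and parent in SHELLS:
                grandparent = parent_of.get((host, parent), "")
                if grandparent in SCRIPT_HOSTS:
                    chain = f"{grandparent} > {parent} > {image} {cmdline}"
                    findings.append(Finding(host, ts, "script-to-python-chain", chain))
    return findings


if __name__ == "__main__":
    for f in detect(SAMPLE_LOG):
        print(f"{f.time} {f.host} {f.rule}: {f.detail}")
```

The python.exe launched directly from explorer.exe on ws02 is deliberately not flagged, which is the distinction that lets the rule coexist with legitimate Python use rather than blocking the interpreter outright.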