August 5, 2024
Severity
High
Analysis Summary
Recent reports from researchers highlight an increase in the abuse of Cloudflare's free TryCloudflare service for malware delivery. The technique uses TryCloudflare to create rate-limited "quick tunnels" that relay traffic between an attacker-controlled server and a local machine through Cloudflare's infrastructure, so the hosting endpoint sits behind a random trycloudflare.com subdomain rather than an attacker-owned domain or IP.
This method has been observed in attack chains that deliver various malware families, including AsyncRAT, GuLoader, PureLogs Stealer, Remcos RAT, Venom RAT, and XWorm. The initial access is typically through a phishing email containing a ZIP archive, which leads the recipient to a Windows shortcut file hosted on a TryCloudflare-proxied WebDAV server. Once the shortcut file is executed, it triggers batch scripts that retrieve and execute additional Python payloads while displaying a decoy PDF document to maintain the ruse.
These scripts perform actions such as launching decoy PDFs, downloading further malicious payloads, and modifying file attributes to avoid detection. The researchers noted that the attackers use direct syscalls to bypass security tools, decrypt several layers of shellcode, and employ the Early Bird APC queue injection technique to execute code stealthily and evade detection.
The analysis found that the phishing lures are written in multiple languages, including English, French, Spanish, and German, with email volumes ranging from hundreds to tens of thousands of messages targeting organizations worldwide. The emails use themes such as invoices, document requests, package deliveries, and taxes. While the campaign has been attributed to a single cluster of related activity, it has not been linked to a specific threat actor or group and is assessed to be financially motivated. The abuse of TryCloudflare for malicious purposes was first recorded last year in a cryptojacking and proxyjacking campaign dubbed LABRAT.
To mitigate such threats, enterprises are advised to restrict access to external file-sharing services to known, allow-listed servers only, since Cloudflare tunnels let attackers scale operations flexibly and evade traditional controls such as static blocklists. Researchers have called on Cloudflare to review its anti-abuse policies, noting that cybercriminals often exploit Cloudflare services to mask malicious activity and improve their operational security through "living-off-trusted-services" (LoTS) tactics. Moving their domains behind Cloudflare disguises the backend of their operations, making detection and takedown efforts more challenging.
Impact
- Unauthorized Remote Access
- Sensitive Data Theft
- Security Bypass
- Code Execution
Indicators of Compromise
Domain Name
- dcxwq1.duckdns.org
- todfg.duckdns.org
- welxwrm.duckdns.org
- xwor3july.duckdns.org
IP
- 157.20.182.172
MD5
- 78394d33419a5fabccce61e5bfe12a0b
- 2477aa215ba606fc9355364d15bd0056
- 2a6aaf30c4f4fb95035d448aea4b452e
SHA-256
- 0f1118b30b2da0b6e82f95d9bbf87101d8298a85287f4de58c9655eb8fecd3c6
- a40f194870b54aeb102089108ecf18b3af9b449066a240f0077ff4edbb556e81
- 0fccf3d1fb38fa337baf707056f97ef011def859901bb922a4d0a1f25745e64f
SHA-1
- c3be51192fddfd41d688eef66842231d1d00142a
- 9ddec9132e3785ba13e16efe7e6e9e56183dcca3
- c4705f2f325c3c0665ce479b79621ba03d9d4382
Remediation
- Block all threat indicators at your respective controls.
- Search for indicators of compromise (IOCs) in your environment utilizing your respective security controls.
- Limit access to WebDAV, SMB, and other external file-sharing services to only known and trusted servers. Implement strict allow-lists to prevent unauthorized connections.
- Strengthen email security measures to detect and block phishing attempts. This includes using advanced email filtering solutions that can identify and quarantine suspicious emails containing malicious attachments or links.
- Deploy EDR solutions to monitor, detect, and respond to malicious activities on endpoints. Ensure that these solutions can detect techniques such as direct syscalls and Early Bird APC queue injection.
- Continuously monitor network traffic for unusual or suspicious activity, particularly traffic that uses Cloudflare tunnels. Implement network intrusion detection systems (NIDS) to identify and alert on anomalous patterns.
- Conduct regular training sessions to educate employees about phishing threats and how to recognize and report suspicious emails. Emphasize the importance of not opening unknown attachments or clicking on unfamiliar links.
- Regularly review and update Cloudflare security policies and configurations to ensure they align with best practices. Consider setting up stricter rules and monitoring for the use of TryCloudflare tunnels.
- Develop and maintain a robust incident response plan to quickly address and mitigate any security breaches. Ensure that the plan includes steps for isolating affected systems, removing malware, and restoring services securely.
- Communicate with Cloudflare regarding the abuse of their services and request assistance in identifying and mitigating malicious use of TryCloudflare tunnels. Advocate for stronger anti-abuse measures and monitoring by Cloudflare.
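The attack chain in the Analysis Summary (WebDAV share behind a TryCloudflare quick tunnel, a Windows shortcut fetched from it) and the monitoring recommendation above can be turned into a simple proxy-log check. The script below is an added example, not part of this advisory or any vendor product; the log format (`timestamp src_ip method url user_agent`), the tunnel hostname and the file name are constructed, while the domain and IP indicators are copied from the IOC section above.

```python
import re

# Indicators copied from this advisory's IOC section.
IOC_DOMAINS = {
    "dcxwq1.duckdns.org", "todfg.duckdns.org",
    "welxwrm.duckdns.org", "xwor3july.duckdns.org",
}
IOC_IPS = {"157.20.182.172"}

# TryCloudflare quick tunnels are served from random subdomains of trycloudflare.com.
TRYCLOUDFLARE_RE = re.compile(r"(?:^|\.)trycloudflare\.com$", re.I)
WEBDAV_METHODS = {"PROPFIND", "PROPPATCH", "MKCOL", "LOCK", "UNLOCK"}
WEBDAV_UA = "Microsoft-WebDAV-MiniRedir"      # built-in Windows WebDAV client
LNK_RE = re.compile(r"\.lnk(?:[?#]|$)", re.I)  # Windows shortcut being fetched


def host_of(url: str) -> str:
    """Return the lower-cased host of a URL, without scheme, port or path."""
    return url.split("://", 1)[-1].split("/", 1)[0].split(":", 1)[0].lower()


def detect(line: str) -> set:
    """Tag one proxy log line of the constructed form
    '<timestamp> <src_ip> <method> <url> <user_agent...>'."""
    parts = line.split(maxsplit=4)
    if len(parts) < 4:
        return set()
    method, url = parts[2], parts[3]
    ua = parts[4] if len(parts) > 4 else ""
    host = host_of(url)
    tags = set()
    if host in IOC_DOMAINS or host in IOC_IPS:
        tags.add("known-ioc")
    if TRYCLOUDFLARE_RE.search(host):
        tags.add("trycloudflare-tunnel")
        if method.upper() in WEBDAV_METHODS or WEBDAV_UA in ua:
            tags.add("webdav-over-tunnel")
        if LNK_RE.search(url):
            tags.add("lnk-from-tunnel")
    return tags


def scan(lines):
    """Return [(line_number, tags)] for every line that triggers a tag."""
    hits = []
    for n, line in enumerate(lines, 1):
        tags = detect(line)
        if tags:
            hits.append((n, tags))
    return hits


# Constructed sample log: one benign request, a WebDAV listing and a .lnk
# download through a made-up quick tunnel, then a beacon to an IOC domain.
SAMPLE_LOG = """\
2024-08-05T09:58:02Z 10.0.4.17 GET https://www.example.com/ Mozilla/5.0
2024-08-05T09:58:40Z 10.0.4.17 PROPFIND http://quiet-river-1a2b.trycloudflare.com/share/ Microsoft-WebDAV-MiniRedir/10.0.19045
2024-08-05T09:58:41Z 10.0.4.17 GET http://quiet-river-1a2b.trycloudflare.com/share/Invoice_0805.lnk Microsoft-WebDAV-MiniRedir/10.0.19045
2024-08-05T10:01:13Z 10.0.4.17 GET http://xwor3july.duckdns.org/config Mozilla/5.0
""".splitlines()

if __name__ == "__main__":
    for n, tags in scan(SAMPLE_LOG):
        print(f"line {n}: {', '.join(sorted(tags))}")
```

A single "trycloudflare-tunnel" hit may be legitimate developer use; the combination with WebDAV methods, the MiniRedir user agent, or a `.lnk` download is what matches the chain described above and is worth alerting on.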