Analysis Summary

Cloudflare Tunnels have been used by the threat actor Gamaredon to hide its staging infrastructure, which is home to the malware GammaDrop. According to a new investigation, the activity is part of a spear-phishing campaign that has been targeting Ukrainian companies since at least early 2024 to release the Visual Basic Script malware.

Under the alias BlueAlpha—also known as Aqua Blizzard, Armageddon, Hive0051, Iron Tilden, Primitive Bear, Shuckworm, Trident Ursa, UAC-0010, UNC530, and Winterflounder—the researchers are monitoring the threat actor. The group is associated with Russia's Federal Security Service (FSB) and is thought to have been operating since 2014. GammaDrop is an increasingly common method used by cybercriminal threat groups to distribute malware, and BlueAlpha has just begun leveraging Cloudflare Tunnels to hide the staging infrastructure utilized by GammaDrop.

The domain name system (DNS) fast-fluxing of GammaLoad command-and-control (C2) infrastructure is still being used by BlueAlpha to make tracking more difficult and to interrupt C2 connections in order to maintain access to compromised computers. In September 2024, the researchers first reported on the adversary's use of Cloudflare Tunnel in cyberattacks on Ukraine and other NATO nations, including Bulgaria, Latvia, Lithuania, and Poland.

Although the threat actors go to great lengths to avoid being blocked by security solutions and make every effort to keep access to compromised systems, it also described their tradecraft as careless and not especially focused on stealth. Gamaredon uses several straightforward downloaders or backdoors at once to maintain its access. Gamaredon tools' quick upgrades and use of constantly shifting obfuscation make up for their lack of sophistication. In addition to downloading additional payloads and spreading the malware via attached USB devices, the tools are primarily designed to steal vital data from web programs that operate inside internet browsers, email clients, and instant messaging apps like Signal and Telegram.

Sending phishing emails with HTML attachments, which use a method known as HTML smuggling to activate the infection process via embedded JavaScript code, is the most recent attack type noted by researchers. When the HTML attachments are opened, a 7-Zip archive ("56-27-11875.rar") containing a malicious LNK file is dropped. GammaDrop, an HTA dropper, uses mshta.exe to deliver GammaDrop, which writes a custom loader called GammaLoad to disk. GammaLoad then connects to a C2 server to retrieve more malware.

A staging server located behind a Cloudflare Tunnel and hosted on the domain amsterdam-sheet-veteran-aka.trycloudflare[.]com is where the GammaDrop artifact is obtained. When conventional DNS fails, GammaLoad uses DNS-over-HTTPS (DoH) providers like Google and Cloudflare to fix C2 infrastructure. If its initial attempt to contact the server is unsuccessful, it additionally uses a fast-flux DNS approach to retrieve the C2 address.

By utilizing popular, trustworthy services like Cloudflare, BlueAlpha is probably going to keep improving evasion tactics and making it more difficult for conventional security systems to identify them. Future developments in DNS-based persistence and HTML smuggling will probably present new difficulties, particularly for enterprises with weak threat detection capabilities.

Impact

• Identity Theft
• Unauthorized Access
• Security Bypass
• Sensitive Data Theft

Indicators of Compromise

IP

• 178.130.42.94

MD5

• e47c93897037cf9f034cb5cc1a6d538c
• badea5b4fc2762c8c5ecd27a025c3f22

SHA-256

• 3afc8955057eb0bae819ead1e7f534f6e5784bbd5b6aa3a08af72e187b157c5b
• b95eea2bee2113b7b5c7af2acf6c6cbde05829fab79ba86694603d4c1f33fdda

SHA1

• 57e66061dc45b7531ff3c89b138be27d52f5b6b8
• 6438b3db1315bcfb829cb366ec9a659e067d3c84

Remediation

• Block all threat indicators at your respective controls.
• Search for indicators of compromise (IOCs) in your environment utilizing your respective security controls.
• Enable antivirus and anti-malware software and update signature definitions promptly. Using multi-layered protection is necessary to secure vulnerable assets.
• Patch and upgrade any platforms and software on time and make it into a standard security policy.
• Employ network intrusion detection and prevention systems to monitor and block malicious network activities.
• Implement network segmentation to limit lateral movement for attackers within the network.
• Implement advanced email filtering to detect and block phishing emails.
• Employ updated and robust endpoint protection solutions to detect and block malware.
• Develop and test an incident response plan to ensure a swift and effective response to security incidents.
• Enhance logging and monitoring capabilities to detect anomalous activities and unauthorized access.
• Conduct regular security audits and penetration testing to identify and address potential vulnerabilities.
• Regularly back up critical data and ensure that backup and recovery procedures are in place.
• Do not download documents attached in emails from unknown sources and strictly refrain from enabling macros when the source isn’t reliable.