Threat Actor Abuses Cloudflare Tunnels to Deliver RATs
Essential information
- Published
- 01/08/2024 10:54
- Modified
- 01/08/2024 11:02
- Tags
- 2024-08-01 asyncrat cloudflare guloader rats remcos venomrat webdav xworm
- Related entities
- 13 observables, 19 techniques (mitre), 5 malware
Description
Proofpoint is tracking a cluster of cybercriminal threat activity leveraging Cloudflare Tunnels to deliver malware, particularly remote access trojans (RATs) like Xworm, AsyncRAT, VenomRAT, GuLoader, and Remcos. The campaigns employ various techniques, such as using URL files to establish connections and download malicious components like LNK, VBS, BAT, CMD, and Python scripts leading to malware installation. While the tactics remain consistent, the threat actor modifies parts of the attack chain to enhance sophistication and evade defenses. The use of Cloudflare tunnels provides a flexible and low-cost method for staging attacks, making detection and takedown efforts more challenging.