Researchers found Cloudflare’s latest feature, TryCloudflare, actively exploited in malware campaigns. While the feature facilitates one-time customers using Cloudflare’s security for remote access tasks, hackers abuse it to deliver malware, particularly remote access trojans (RATs).
TryCloudflare Actively Exploited To Deliver Malware
According to a recent post from Proofpoint, researchers have observed the TryCloudflare feature being exploited to deliver malware in recent campaigns.
TryCloudflare is a recent facility from Cloudflare that allows users a one-time use of Cloudflare services even without an account. Using this feature, users can connect a server to the Internet via Cloudflare’s Argo Tunnel without opening any ports. The service then creates a temporary URL, proxying the traffic to the user’s server via Cloudflare network, thus preventing user’s IP exposure.
Specifically, the malicious exploitation dates back to earlier this year, with the researchers first observing it in February 2024. Gradually, the exploitation increased from May through July.
The attack begins by luring the victim user into opening a malicious attachment to a URL shortcut or clicking on a URL. Once done, a connection is established with an external server via WebDAV to download a .lnk or a .vbs file. This file subsequently downloads a Python installer package and various Python scripts to complete malware installation on the target device.
In most recent campaigns, the researchers noticed the attackers delivering a RAT ‘Xworm’ to the target systems. However, the previous campaigns also targeted users with other malware, including AsyncRAT, VenomRAT, Remcos, and GuLoader. In some cases, the attack involved infecting the devices with multiple malware simultaneously.
The researchers have presented a detailed technical analysis of the entire attack strategy in their post. For now, the exact identity of the threat actors behind Cloudflare exploitation remains unknown. Nonetheless, Proofpoint researchers believe that all the malicious campaigns may link back to a single cluster of related activity.
Let us know your thoughts in the comments.
