Threat Actor Abuses Cloudflare Tunnels to Deliver RATs

    Date: 08/07/2024

    Severity: Medium

    Summary

    Proofpoint is tracking a cluster of cybercriminal activity that uses Cloudflare Tunnels to deliver malware. The actors abuse Cloudflare's TryCloudflare feature, which lets anyone stand up a one-time tunnel on a trycloudflare.com subdomain without creating an account, so the delivery infrastructure is disposable and needs no registered identity. The activity was first observed in February 2024 and increased from May through July 2024; the infection chains most often end in Xworm, a remote access trojan (RAT). Campaigns typically start with a URL or an attachment that downloads and executes a file, and culminate in the installation of Python-based malware, with a benign decoy PDF often displayed to make the lure appear legitimate.

    Indicators of Compromise (IOC) List

    URL/Domains

    dcxwq1.duckdns.org

    ride-fatal-italic-information.trycloudflare.com

    spectrum-exactly-knitting-rural.trycloudflare.com

    todfg.duckdns.org

    welxwrm.duckdns.org

    xwor3july.duckdns.org

    IP Address

    157.20.182.172

    Hash (SHA-256)

    0f1118b30b2da0b6e82f95d9bbf87101d8298a85287f4de58c9655eb8fecd3c6

    0fccf3d1fb38fa337baf707056f97ef011def859901bb922a4d0a1f25745e64f

    a40f194870b54aeb102089108ecf18b3af9b449066a240f0077ff4edbb556e81

    Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection

    URL/Domain

    userdomainname like "todfg.duckdns.org" or url like "todfg.duckdns.org" or userdomainname like "ride-fatal-italic-information.trycloudflare.com" or url like "ride-fatal-italic-information.trycloudflare.com" or userdomainname like "xwor3july.duckdns.org" or url like "xwor3july.duckdns.org" or userdomainname like "dcxwq1.duckdns.org" or url like "dcxwq1.duckdns.org" or userdomainname like "welxwrm.duckdns.org" or url like "welxwrm.duckdns.org" or userdomainname like "spectrum-exactly-knitting-rural.trycloudflare.com" or url like "spectrum-exactly-knitting-rural.trycloudflare.com"

    IP Address

    dstipaddress IN ("157.20.182.172") or ipaddress IN ("157.20.182.172") or publicipaddress IN ("157.20.182.172") or srcipaddress IN ("157.20.182.172")

    Hash (SHA-256)

    sha256hash IN ("0fccf3d1fb38fa337baf707056f97ef011def859901bb922a4d0a1f25745e64f","0f1118b30b2da0b6e82f95d9bbf87101d8298a85287f4de58c9655eb8fecd3c6","a40f194870b54aeb102089108ecf18b3af9b449066a240f0077ff4edbb556e81")
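    The three TDIR queries above are exact-match lookups against the IOC list. The following is an added example, not code from the Gurucul page or from Proofpoint's report, that applies the same domain, IP and hash matching to constructed log records and adds one broader rule the IOC list alone does not give you: because TryCloudflare hands out a fresh random trycloudflare.com subdomain per tunnel, the two hostnames listed above are only the ones seen in this cluster, so the example also flags any other *.trycloudflare.com host unless the caller says the environment legitimately uses TryCloudflare. The field names mirror the ones in the queries; the sample records and the extra hostnames in them are constructed for this example.

```python
"""Added example (not from the advisory or from Proofpoint): match the
advisory's IOCs against log records, plus a catch-all *.trycloudflare.com rule."""
import re

# IOCs exactly as listed in the advisory.
IOC_DOMAINS = {
    "dcxwq1.duckdns.org",
    "ride-fatal-italic-information.trycloudflare.com",
    "spectrum-exactly-knitting-rural.trycloudflare.com",
    "todfg.duckdns.org",
    "welxwrm.duckdns.org",
    "xwor3july.duckdns.org",
}
IOC_IPS = {"157.20.182.172"}
IOC_SHA256 = {
    "0f1118b30b2da0b6e82f95d9bbf87101d8298a85287f4de58c9655eb8fecd3c6",
    "0fccf3d1fb38fa337baf707056f97ef011def859901bb922a4d0a1f25745e64f",
    "a40f194870b54aeb102089108ecf18b3af9b449066a240f0077ff4edbb556e81",
}

# Field names taken from the TDIR queries above (assumed to be the record keys).
DOMAIN_FIELDS = ("userdomainname", "url")
IP_FIELDS = ("dstipaddress", "ipaddress", "publicipaddress", "srcipaddress")
HASH_FIELDS = ("sha256hash",)

# Any host that is trycloudflare.com or a subdomain of it; "nottrycloudflare.com"
# does not match because the label boundary must be a dot or the start of string.
TRYCLOUDFLARE_RE = re.compile(r"(^|\.)trycloudflare\.com$", re.IGNORECASE)


def host_of(value):
    """Return the lower-cased hostname from a URL or a bare hostname."""
    v = value.strip().lower()
    if "://" in v:
        v = v.split("://", 1)[1]
    return v.split("/", 1)[0].split(":", 1)[0]


def match_record(rec, allow_trycloudflare=False):
    """Return a list of (rule, field, value) hits for one log record (a dict)."""
    hits = []
    for f in DOMAIN_FIELDS:
        if f in rec:
            h = host_of(rec[f])
            if h in IOC_DOMAINS:
                hits.append(("ioc_domain", f, h))
            elif not allow_trycloudflare and TRYCLOUDFLARE_RE.search(h):
                hits.append(("trycloudflare_host", f, h))
    for f in IP_FIELDS:
        if rec.get(f) in IOC_IPS:
            hits.append(("ioc_ip", f, rec[f]))
    for f in HASH_FIELDS:
        if rec.get(f, "").lower() in IOC_SHA256:
            hits.append(("ioc_sha256", f, rec[f].lower()))
    return hits


def scan(records, allow_trycloudflare=False):
    """Scan records; return {record_index: hits} for every record with a hit."""
    out = {}
    for i, rec in enumerate(records):
        hits = match_record(rec, allow_trycloudflare)
        if hits:
            out[i] = hits
    return out


# Constructed sample records (not real telemetry); record 3 uses a made-up
# trycloudflare.com subdomain that is NOT in the IOC list.
SAMPLE_LOGS = [
    {"url": "https://ride-fatal-italic-information.trycloudflare.com/p.zip", "srcipaddress": "10.0.0.5"},
    {"userdomainname": "intranet.example", "dstipaddress": "157.20.182.172"},
    {"sha256hash": "A40F194870B54AEB102089108ECF18B3AF9B449066A240F0077FF4EDBB556E81"},
    {"url": "https://purple-quiet-river-window.trycloudflare.com/", "dstipaddress": "192.0.2.10"},
    {"url": "https://www.example.org/index.html", "dstipaddress": "192.0.2.11"},
]

if __name__ == "__main__":
    for idx, hits in scan(SAMPLE_LOGS).items():
        for rule, field, value in hits:
            print(f"record {idx}: {rule} on {field}={value}")
```

    Hash values are compared case-insensitively and URLs are reduced to their host before lookup, so a query that compares the raw field (as the `like` clauses above do) may miss a record this example catches, and vice versa; treat the catch-all trycloudflare.com hit as a lead to triage rather than a confirmed match to this cluster.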

    Reference:

    https://www.proofpoint.com/us/blog/threat-insight/threat-actor-abuses-cloudflare-tunnels-deliver-rats

    Tags

    RAT, Trojan
