Researchers found Cloudflare’s latest feature, TryCloudflare, actively exploited in malware campaigns. While the feature lets one-time users borrow Cloudflare’s security for remote-access tasks, attackers misuse it to deliver malware, particularly remote access trojans (RATs).
TryCloudflare was actively used to deliver malware.
According to a recent post from Proofpoint, researchers have observed recent campaigns exploiting the TryCloudflare feature to deliver malware.
TryCloudflare is a recent Cloudflare feature that allows users to use Cloudflare services once without an account. Using this feature, users can connect a server to the Internet through Cloudflare’s Argo Tunnel without opening any ports. The service then creates a temporary URL, which proxies traffic to the user’s server through the Cloudflare network, thereby preventing exposure of the user’s IP.
Notably, the malicious activity dates back to earlier this year: researchers first observed it in February 2024, and exploitation gradually increased from May to July.
The attack begins by persuading the targeted user to open a malicious attachment or click a link to a URL shortcut file. Once that happens, a connection is established with an external server via WebDAV to download a .lnk or .vbs file. This file in turn downloads a Python installer package and various Python scripts to complete the malware installation on the target device.
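The chain above leaves a recognisable footprint in outbound proxy logs: WebDAV requests to a random trycloudflare.com subdomain, followed by downloads of shortcut, script, installer and Python files from the same host. The following hunting script is an added illustration written for this article, not code from Proofpoint or Cloudflare. The log format, hostnames, client addresses and file names are constructed; the `Microsoft-WebDAV-MiniRedir` user agent and the WebDAV methods are the ones the Windows WebDAV client really uses. Because legitimate developers also open TryCloudflare URLs, a lone browser visit is reported at informational level only, and the finding escalates as WebDAV use and staged file types accumulate for the same client.

```python
"""Hunt for the TryCloudflare + WebDAV staging pattern in HTTP proxy logs.

Added illustration, not part of the Proofpoint report or this article.
Log format, hostnames, client IPs and file names below are constructed.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# TryCloudflare hands out random subdomains of trycloudflare.com.
TRYCLOUDFLARE_HOST = re.compile(r"(^|\.)trycloudflare\.com$", re.IGNORECASE)
# The built-in Windows WebDAV redirector identifies itself with this user agent.
WEBDAV_UA = re.compile(r"Microsoft-WebDAV-MiniRedir", re.IGNORECASE)
# HTTP methods that only a WebDAV client issues.
WEBDAV_METHODS = {"PROPFIND", "PROPPATCH", "MKCOL", "LOCK", "UNLOCK", "COPY", "MOVE"}
# File types seen along the chain: shortcut/script stage, then Python installer and scripts.
STAGE_EXTENSIONS = {".lnk": "shortcut", ".url": "shortcut", ".vbs": "script",
                    ".exe": "installer", ".msi": "installer", ".py": "python-script"}

# Constructed log format: <timestamp> <client-ip> <method> <url> "<user-agent>"
LOG_RE = re.compile(
    r'^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<method>[A-Z]+)\s+'
    r'https?://(?P<host>[^/\s]+)(?P<path>/\S*)?\s+"(?P<ua>[^"]*)"\s*$'
)


@dataclass
class Request:
    ts: str
    client: str
    method: str
    host: str
    path: str
    user_agent: str


def parse_line(line: str) -> Optional[Request]:
    """Parse one proxy log line; return None for lines in another format."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    return Request(m["ts"], m["client"], m["method"], m["host"].lower(),
                   m["path"] or "/", m["ua"])


def tag_request(req: Request) -> List[str]:
    """Label a request with the indicators relevant to this chain."""
    tags = []
    if TRYCLOUDFLARE_HOST.search(req.host):
        tags.append("trycloudflare")
    if req.method in WEBDAV_METHODS or WEBDAV_UA.search(req.user_agent):
        tags.append("webdav")
    filename = req.path.rsplit("/", 1)[-1]
    if "." in filename:
        ext = "." + filename.rsplit(".", 1)[-1].lower()
        if ext in STAGE_EXTENSIONS:
            tags.append(STAGE_EXTENSIONS[ext])
    return tags


def hunt(lines) -> Dict[str, dict]:
    """Correlate requests per client; only clients that touched a trycloudflare host are reported."""
    per_client: Dict[str, dict] = {}
    for line in lines:
        req = parse_line(line)
        if req is None:
            continue
        tags = tag_request(req)
        if "trycloudflare" not in tags:
            continue
        entry = per_client.setdefault(req.client, {"tags": set(), "evidence": []})
        entry["tags"].update(tags)
        entry["evidence"].append(f"{req.ts} {req.method} {req.host}{req.path}")

    findings = {}
    stage_tags = set(STAGE_EXTENSIONS.values())
    for client, entry in per_client.items():
        tags = entry["tags"]
        staged = bool(tags & stage_tags)
        if "webdav" in tags and staged:
            severity = "high"      # WebDAV access plus staged payload types: the full pattern
        elif "webdav" in tags or staged:
            severity = "medium"
        else:
            severity = "info"      # a plain visit to a TryCloudflare URL is normal for legitimate users
        findings[client] = {"severity": severity, "tags": sorted(tags), "evidence": entry["evidence"]}
    return findings


# Constructed sample log: one client following the staging chain, one developer
# previewing a TryCloudflare-hosted app, unrelated traffic, and a malformed line.
SAMPLE_LOG = [
    '2024-07-01T10:00:01Z 10.0.0.12 PROPFIND https://quiet-river-1234.trycloudflare.com/share/ "Microsoft-WebDAV-MiniRedir/10.0.19045"',
    '2024-07-01T10:00:02Z 10.0.0.12 GET https://quiet-river-1234.trycloudflare.com/share/invoice.lnk "Microsoft-WebDAV-MiniRedir/10.0.19045"',
    '2024-07-01T10:00:09Z 10.0.0.12 GET https://quiet-river-1234.trycloudflare.com/share/py/setup.exe "Mozilla/5.0"',
    '2024-07-01T10:00:12Z 10.0.0.12 GET https://quiet-river-1234.trycloudflare.com/share/py/run.py "Mozilla/5.0"',
    '2024-07-01T10:05:00Z 10.0.0.55 GET https://dev-preview-9876.trycloudflare.com/ "Mozilla/5.0"',
    '2024-07-01T10:06:00Z 10.0.0.40 GET https://www.example.com/index.html "Mozilla/5.0"',
    'garbage line that does not match the format',
]

if __name__ == "__main__":
    for client, finding in hunt(SAMPLE_LOG).items():
        print(client, finding["severity"], finding["tags"])
        for ev in finding["evidence"]:
            print("   ", ev)
```

Run on real data, the per-client grouping should be widened to a user or host identity and a time window, and the `info` findings are best kept as enrichment rather than alerts.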
In recent campaigns, researchers have observed attackers delivering the RAT XWorm to target systems. However, previous campaigns have also hit users with other malware, including AsyncRAT, VenomRAT, Remcos and GuLoader. In some cases, the attack infected devices with multiple malware families simultaneously.
The researchers have presented a detailed technical analysis of the entire attack chain in their post. For now, the exact identity of the threat actors behind this TryCloudflare abuse remains unknown. However, Proofpoint researchers believe that all of the malicious campaigns can be linked to a single cluster of related activity.