Researchers have uncovered a new malware campaign that uses the COVID-19 pandemic as a lure, and also abuses platform-as-a-service web infrastructure tools to apparently thwart attempts at blocking command-and-control communications.
SC Media contacted Cloudflare for comment and received the following response: “Cloudflare took immediate action to shut down the malicious domains as soon as we were made aware.”
SentinelLabs researcher Vitali Kremez told BleepingComputer that the attackers likely chose this technique because “it returns back the legit Cloudflare proxy IP, which acts as a reverse proxy passing the traffic to the C2. It makes blocking the IP traffic impossible given it is Cloudflare (unless the whole Cloudflare worker space is banned) infrastructure while hiding the actual C2.”
The malware is delivered via an RAR file — most likely distributed as an attachment via an email phishing campaign — that appears to contain information about the novel coronavirus in the form of a Word document. But the file is actually an executable that, upon activation, extracts a decoy Word doc that serves as a distraction while the backdoor is installed.
The decoy doc observed by MalwareHunterTeam purports to be from the Wessex Learning Trust, a British general secondary education conglomerate, and appears to contain details and instructions for parents and students.
“This is a good example of the power of using Platform-as-a-Service to build code. Unfortunately, it is a malicious example,” said Chris Morales, head of security analytics at Vectra, to SC Media. “Cloudflare was built to support code for remote access just like this. And yes, by running on a Platform as a Service, it makes it difficult to block without stopping access to the entire cloud platform as traffic is legitimate traffic from the site.”
Joseph Carson, chief security scientist and advisory CISO at Thycotic, told SC Media that it’s especially important during times of crisis to “always be vigilant and suspicious of any attachments, even when they appear to be coming from legitimate sources.”
“The best way to reduce the risks of such threats is for companies to practice the principle of least privilege,” he added.