Russian hackers abuse Cloudflare tunneling service to drop GammaDrop malware

In a new campaign, a Russia-backed advanced persistent threat (APT) group is seen abusing Cloudflare tunnels to deliver its proprietary GammaLoad malware.The threat actor, tracked as BlueAlpha, was observed by the cybersecurity research firm Insikt Group to be exploiting this legitimate tunneling service for infections aimed at data exfiltration, credential theft, and persistent access to compromised networks.”BlueAlpha uses Cloudflare Tunnels to conceal its GammaDrop staging infrastructure, evading traditional network detection mechanisms,” researchers at Insikt said in a note. “The group delivers malware through HTML smuggling, leveraging sophisticated techniques to bypass email security systems.”BlueAlpha, running activities overlapping with publicly reported groups like Gameredon, Shuckworm, and Armageddon, is a cyber threat group believed to be operating under the directive of the Russian Federal Security Service (FSB). Cloudflare’s free tunneling service lets users create a tunnel using a randomly generated subdomain from trycloudflare.com. This directs any traffic coming to that subdomain through Cloudflare’s network to a server running locally.Observations indicate that BlueAlpha has used this feature to hide its infrastructure used for deploying the GammaDrop malware, the researchers noted.BlueAlpha was also seen slightly adjusting the popular malware delivery technique HTML smuggling, which involves delivering the malware by hiding malicious JavaScript within HTML attachments, to avoid detection.”Recent samples show changes in deobfuscation methods, such as using the onerror HTML event to execute malicious code,” the researchers added.GammaDrop acts as a dropper, writing GammaLoad to disk to ensure persistence.

Mitigations include email and network security

Jump to article: www.csoonline.com/article/3618758/russian-hackers-abuse-cloudflare-tunneling-service-to-drop-gammadrop-malware.html