In a new campaign, a Russia-backed advanced persistent threat (APT) group is seen abusing Cloudflare tunnels to deliver its proprietary GammaLoad malware.The threat actor, tracked as BlueAlpha, was observed by the cybersecurity research firm Insikt Group to be exploiting this legitimate tunneling service for infections aimed at data exfiltration, credential theft, and persistent access to compromised networks.”BlueAlpha uses Cloudflare Tunnels to conceal its GammaDrop staging infrastructure, evading traditional network detection mechanisms,” researchers at Insikt said in a note. “The group delivers malware through HTML smuggling, leveraging sophisticated techniques to bypass email security systems.”BlueAlpha, running activities overlapping with publicly reported groups like Gameredon, Shuckworm, and Armageddon, is a cyber threat group believed to be operating under the directive of the Russian Federal Security Service (FSB). Cloudflare’s free tunneling service lets users create a tunnel using a randomly generated subdomain from trycloudflare.com. This directs any traffic coming to that subdomain through Cloudflare’s network to a server running locally.Observations indicate that BlueAlpha has used this feature to hide its infrastructure used for deploying the GammaDrop malware, the researchers noted.BlueAlpha was also seen slightly adjusting the popular malware delivery technique HTML smuggling, which involves delivering the malware by hiding malicious JavaScript within HTML attachments, to avoid detection.”Recent samples show changes in deobfuscation methods, such as using the onerror HTML event to execute malicious code,” the researchers added.GammaDrop acts as a dropper, writing GammaLoad to disk to ensure persistence.
Mitigations include email and network security
Researchers recommended deploying solutions to inspect and block HTML smuggling techniques for flagging attachments with suspicious HTML events like onerror.Control policies that can block the execution of malicious files and unauthorized DNS-over-HTTPS (DoH) connections could also help with these threats.”BlueAlpha’s continued use of legitimate services like Cloudflare demonstrates its commitment to refining evasion techniques,” the researchers added. “Organizations must stay vigilant and invest in advanced detection and response capabilities to counter these sophisticated threats.”
First seen on csoonline.com
Jump to article: www.csoonline.com/article/3618758/russian-hackers-abuse-cloudflare-tunneling-service-to-drop-gammadrop-malware.html