Organizations in the manufacturing, technology, finance, and law sectors have been subjected to attacks exploiting Cloudflare's free TryCloudflare Tunnel feature to spread several remote access trojans, including XWorm, VenomRAT, Remcos RAT, AsyncRAT, and GuLoader, since February, Bleeping Computer reports.
Intrusions began with tax-themed phishing emails carrying attachments or links that led to an LNK payload; the LNK executes a BAT or CMD script, which in turn deploys PowerShell and a Python-based installer before the RAT itself is installed, according to an analysis from Proofpoint. Routing traffic through Cloudflare's infrastructure lends the activity an appearance of legitimacy and gives the operators anonymity, both of which hinder detection, the researchers reported. In response, Cloudflare stressed that it acts immediately to take down malicious tunnels.
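The chain summarized above (LNK to BAT/CMD script, to PowerShell and a Python installer, with command-and-control reaching out through a quick-tunnel hostname) lends itself to a simple host-side detection. The following is an added example written for this article, not code from Proofpoint, Cloudflare or the reporters: it runs over constructed, Sysmon-style process and DNS events (all PIDs, image names and hostnames are made up) and flags processes whose lineage shows cmd.exe spawning powershell.exe, and DNS lookups for trycloudflare.com subdomains coming out of such a chain.

```python
import re

# Constructed sample telemetry (simplified Sysmon-like records). The chain under
# pid 1002-1004 models the LNK -> BAT/CMD -> PowerShell -> Python pattern described
# in the article; pid 2001 is benign administrative PowerShell for contrast.
SAMPLE_EVENTS = [
    {"type": "process", "pid": 1001, "ppid": 700, "image": "explorer.exe",
     "cmdline": "explorer.exe"},
    {"type": "process", "pid": 1002, "ppid": 1001, "image": "cmd.exe",
     "cmdline": "cmd.exe /c C:\\Users\\u\\Downloads\\tax_return.bat"},
    {"type": "process", "pid": 1003, "ppid": 1002, "image": "powershell.exe",
     "cmdline": "powershell.exe -w hidden -c <constructed placeholder>"},
    {"type": "process", "pid": 1004, "ppid": 1003, "image": "python.exe",
     "cmdline": "python.exe stage.py"},
    {"type": "dns", "pid": 1003, "query": "made-up-words-here.trycloudflare.com"},
    {"type": "process", "pid": 2001, "ppid": 700, "image": "powershell.exe",
     "cmdline": "powershell.exe -File backup.ps1"},
    {"type": "dns", "pid": 2001, "query": "updates.example.org"},
]

# Matches the apex and any subdomain, but not look-alikes such as notrycloudflare.com
# or trycloudflare.com.evil.example.
TRYCLOUDFLARE_RE = re.compile(r"(^|\.)trycloudflare\.com$", re.IGNORECASE)


def is_trycloudflare(hostname: str) -> bool:
    """True for trycloudflare.com and any subdomain of it (the quick-tunnel names)."""
    return TRYCLOUDFLARE_RE.search(hostname.strip().rstrip(".")) is not None


def build_process_table(events):
    """Index process-creation events by pid so lineage can be walked."""
    return {e["pid"]: e for e in events if e["type"] == "process"}


def lineage(procs, pid):
    """Image names from the process itself up to the root, child first."""
    chain, seen = [], set()
    while pid in procs and pid not in seen:
        seen.add(pid)                      # guard against cyclic/garbled ppid data
        chain.append(procs[pid]["image"].lower())
        pid = procs[pid]["ppid"]
    return chain


def scripted_interpreter_chain(procs, pid):
    """True when cmd.exe is an ancestor of powershell.exe in this process's lineage,
    i.e. a batch/CMD script handed off to PowerShell, as in the described chain."""
    chain = lineage(procs, pid)
    if "powershell.exe" not in chain:
        return False
    ps_index = chain.index("powershell.exe")
    return "cmd.exe" in chain[ps_index + 1:]


def detect(events):
    """Return a list of alerts; each carries the pid, a severity and the lineage."""
    procs = build_process_table(events)
    alerts = []
    for e in events:
        if e["type"] == "dns" and is_trycloudflare(e["query"]):
            # A quick-tunnel lookup alone is worth a look; from a script chain it is worse.
            sev = "high" if scripted_interpreter_chain(procs, e["pid"]) else "medium"
            alerts.append({"pid": e["pid"], "severity": sev,
                           "reason": f"quick-tunnel hostname {e['query']}",
                           "lineage": lineage(procs, e["pid"])})
        elif (e["type"] == "process" and e["image"].lower() == "python.exe"
              and scripted_interpreter_chain(procs, e["pid"])):
            alerts.append({"pid": e["pid"], "severity": "medium",
                           "reason": "python launched from cmd -> powershell chain",
                           "lineage": lineage(procs, e["pid"])})
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

The hostname match is anchored on the registrable domain rather than a substring so that unrelated domains containing the string are not flagged, and the lineage walk tolerates missing parents (the root here, pid 700, has no record). In production the same two signals would come from Sysmon event IDs 1 and 22 or an EDR's process and DNS telemetry rather than an in-memory list.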
"In the past few years, Cloudflare has introduced machine learning detections on our tunnel product in order to better contain malicious activity that may occur," said Cloudflare, which has also urged continuous submissions of suspicious URLs from security vendors.