Various RATs deployed via TryCloudflare feature exploitation

Organizations in the manufacturing, technology, finance, and law sectors have been subjected to attacks exploiting Cloudflare's free TryCloudflare Tunnel feature to spread several remote access trojans, including XWorm, VenomRAT, Remcos RAT, AsyncRAT, and GuLoader, since February, BleepingComputer reports.

Intrusions began with tax-themed phishing emails carrying attachments or links that redirect to an LNK payload. The LNK file executes either BAT or CMD scripts, which in turn deploy a PowerShell and Python installer before the RATs are installed, an analysis from Proofpoint revealed. Abusing Cloudflare gives the threat actors legitimacy and anonymity, both of which hinder detection of the malicious activity, the researchers reported.

The findings have prompted Cloudflare to emphasize that it acts immediately to take down malicious tunnels. "In the past few years, Cloudflare has introduced machine learning detections on our tunnel product in order to better contain malicious activity that may occur," said Cloudflare, which has also urged security vendors to keep submitting suspicious URLs.