Attackers abuse common services to spread malware

Cloudflare Tunnels abused to spread malware

Threat actors are increasingly abusing the Cloudflare Tunnel service to spread malware, according to researchers.

The attackers gain initial access via phishing emails containing a ZIP archive, which includes a URL shortcut file that leads the email recipient to a Windows shortcut file hosted on a TryCloudflare-proxied WebDAV server. The shortcut file executes batch scripts that retrieve and execute additional Python payloads, while simultaneously displaying a decoy PDF document hosted on the same WebDAV server.
“A key element of their strategy was using direct syscalls to bypass security monitoring tools, decrypting layers of shellcode, and deploying the Early Bird APC queue injection to stealthily execute code and evade detection effectively,” explained eSentire.

“The use of Cloudflare tunnels provides the threat actors a way to use temporary infrastructure to scale their operations, providing flexibility to build and take down instances in a timely manner,” Proofpoint said.
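
As an added defender-side example (not code from the original article or from the researchers it cites), the following Python scans constructed proxy-log lines for the delivery pattern described above: WebDAV methods or shortcut, script and decoy-document fetches from hosts under trycloudflare.com. The log format, hostnames and client addresses are assumptions made for the sample.

```python
"""Flag proxy-log requests matching the TryCloudflare/WebDAV delivery chain."""
import re
from dataclasses import dataclass

# Assumed log layout: "<timestamp> <client-ip> <method> <url> <status>"
LOG_RE = re.compile(
    r'^(?P<ts>\S+) (?P<src>\S+) (?P<method>[A-Z]+) (?P<url>\S+) (?P<status>\d{3})$'
)
URL_RE = re.compile(r'^https?://(?P<host>[^/:]+)(?::\d+)?(?P<path>/[^?]*)?')

# File types seen in the chain: URL shortcut -> LNK -> batch -> Python, plus the decoy PDF.
SUSPECT_EXT = ('.url', '.lnk', '.bat', '.cmd', '.py', '.pdf')
WEBDAV_METHODS = {'PROPFIND', 'OPTIONS'}
TUNNEL_SUFFIX = '.trycloudflare.com'


@dataclass
class Hit:
    ts: str
    src: str
    host: str
    path: str
    reason: str


def classify(line):
    """Return a Hit for a suspicious request, or None for anything else."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    u = URL_RE.match(m['url'])
    if not u:
        return None
    host = u['host'].lower()
    path = (u['path'] or '/').lower()
    # Suffix check with the leading dot, so look-alike hosts such as
    # "trycloudflare.com.example.net" are not matched.
    if not host.endswith(TUNNEL_SUFFIX):
        return None
    if m['method'] in WEBDAV_METHODS:
        reason = f"WebDAV {m['method']} to TryCloudflare host"
    elif path.endswith(SUSPECT_EXT):
        reason = f"{path.rsplit('.', 1)[-1]} file fetched from TryCloudflare host"
    else:
        return None
    return Hit(m['ts'], m['src'], host, path, reason)


def scan(lines):
    """Run classify() over an iterable of log lines and keep the hits."""
    return [h for h in map(classify, lines) if h is not None]


# Constructed sample log lines; the hostname and addresses are placeholders.
SAMPLE_LOG = [
    "2024-07-30T09:14:02Z 10.0.0.21 PROPFIND http://quiet-lane-example.trycloudflare.com/ 207",
    "2024-07-30T09:14:03Z 10.0.0.21 GET http://quiet-lane-example.trycloudflare.com/Invoice.lnk 200",
    "2024-07-30T09:14:05Z 10.0.0.21 GET http://quiet-lane-example.trycloudflare.com/inv.pdf 200",
    "2024-07-30T09:15:11Z 10.0.0.33 GET https://pypi.org/simple/requests/ 200",
    "2024-07-30T09:16:40Z 10.0.0.44 GET https://files.trycloudflare.com.example.net/index.html 200",
]
```

Running `scan(SAMPLE_LOG)` flags the first three lines from the same client, which is the sequence worth an alert; a single PDF fetch from a tunnel host on its own is weaker evidence, so tune the extension list to the environment.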

Attackers using fake answers on Stack Exchange to spread malware

Researchers have discovered an attack campaign that uses fake answer posts on Stack Exchange to spread malware. Stack Exchange is a popular question-and-answer website that IT professionals use to share knowledge about IT and development problems.

In this particular malware campaign, the attackers appear to be targeting cryptocurrency users and developers with a backdoor Trojan that can be used to steal information, particularly cryptocurrency-related data.

The attackers made posts on the website with information about how to use or perform certain actions using Raydium, a decentralized automated market maker protocol running on the Solana blockchain. Users targeted by these attackers are likely to be individuals who are interested in building trading bots and who are likely to have funds that could be targeted for theft.

The posts are often written to answer specific questions and are carefully crafted to provide legitimate-looking information, but ultimately lead the reader to download and install fake Python packages hosted on PyPI. The packages were named raydium, raydium-sdk, sol-instruct, sol-structs, and spy-types. They have since been removed, but they racked up over 2,000 downloads in total while they were available.