{"id":1119,"date":"2024-12-06T12:02:30","date_gmt":"2024-12-06T12:02:30","guid":{"rendered":"https:\/\/cybersecurityinfocus.com\/?p=1119"},"modified":"2024-12-06T12:02:30","modified_gmt":"2024-12-06T12:02:30","slug":"russian-hackers-abuse-cloudflare-tunneling-service-to-drop-gammadrop-malware","status":"publish","type":"post","link":"https:\/\/cybersecurityinfocus.com\/?p=1119","title":{"rendered":"Russian hackers abuse Cloudflare tunneling service to drop GammaDrop malware"},"content":{"rendered":"<div>\n<div class=\"grid grid--cols-10@md grid--cols-8@lg article-column\">\n<div class=\"col-12 col-10@md col-6@lg col-start-3@lg\">\n<div class=\"article-column__content\">\n<div class=\"container\"><\/div>\n<p>In a new campaign, a Russia-backed advanced persistent threat (<a href=\"https:\/\/www.csoonline.com\/article\/3483919\/apt-groups-increasingly-attacking-cloud-services-to-gain-command-and-control.html\">APT<\/a>) group is seen abusing Cloudflare tunnels to deliver its proprietary GammaLoad malware.<\/p>\n<p>The threat actor, tracked as BlueAlpha, was observed by the cybersecurity research firm Insikt Group to be exploiting this legitimate tunneling service for infections aimed at data exfiltration, credential theft, and persistent access to compromised networks.<\/p>\n<p>\u201cBlueAlpha uses Cloudflare Tunnels to conceal its GammaDrop staging infrastructure, evading traditional network detection mechanisms,\u201d researchers at Insikt said in a note. \u201cThe group delivers malware through HTML smuggling, leveraging sophisticated techniques to bypass email security systems.\u201d<\/p>\n<p>BlueAlpha, running activities overlapping with publicly reported groups like Gameredon, Shuckworm, and Armageddon, is a cyber threat group believed to be operating under the directive of the Russian Federal Security Service (FSB).<\/p>\n<h2 class=\"wp-block-heading\"><a><\/a>Using Cloudflare tunnels for malware delivery<\/h2>\n<p>Cloudflare\u2019s free tunneling service lets users create a tunnel using a randomly generated subdomain from trycloudflare.com. This directs any traffic coming to that subdomain through Cloudflare\u2019s network to a server running locally.<\/p>\n<p>Observations indicate that BlueAlpha has used this feature to hide its infrastructure used for deploying the GammaDrop malware, the researchers noted.<\/p>\n<p>BlueAlpha was also seen slightly adjusting the popular malware delivery technique HTML smuggling, which involves delivering the malware by hiding malicious JavaScript within HTML attachments, to avoid detection.<\/p>\n<p>\u201cRecent samples show changes in deobfuscation methods, such as using the onerror HTML event to execute malicious code,\u201d the researchers added.<\/p>\n<p>GammaDrop acts as a dropper, writing GammaLoad to disk to ensure persistence.<\/p>\n<h2 class=\"wp-block-heading\"><a><\/a>Mitigations include email and network security<\/h2>\n<p>Researchers recommended deploying solutions to inspect and block HTML smuggling techniques for flagging attachments with suspicious HTML events like onerror.<\/p>\n<p>Control policies that can block the execution of malicious files and unauthorized DNS-over-HTTPS (DoH) connections could also help with these threats.<\/p>\n<p>\u201cBlueAlpha\u2019s continued use of legitimate services like Cloudflare demonstrates its commitment to refining evasion techniques,\u201d the researchers added. \u201cOrganizations must stay vigilant and invest in advanced detection and response capabilities to counter these sophisticated threats.\u201d<\/p>\n<\/div>\n<\/div>\n<\/div>\n<\/div>","protected":false},"excerpt":{"rendered":"<p>In a new campaign, a Russia-backed advanced persistent threat (APT) group is seen abusing Cloudflare tunnels to deliver its proprietary GammaLoad malware. The threat actor, tracked as BlueAlpha, was observed by the cybersecurity research firm Insikt Group to be exploiting this legitimate tunneling service for infections aimed at data exfiltration, credential theft, and persistent access [&hellip;]<\/p>\n","protected":false},"author":0,"featured_media":1120,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[],"class_list":["post-1119","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-education"],"_links":{"self":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/1119"}],"collection":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"replies":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=1119"}],"version-history":[{"count":0,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/1119\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/media\/1120"}],"wp:attachment":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=1119"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=1119"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=1119"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}