Phone : +91 95 8290 7788 | Email : sales@itmonteur.net

Register & Request Quote | Submit Support Ticket

Home » Cyber Security News » Vulnerabilities & Exploits » Hackers Leveraging Cloudflare Tunnels, DNS Fast-Flux to Hide GammaDrop Malware

Hackers Leveraging Cloudflare Tunnels, DNS Fast-Flux to Hide GammaDrop Malware

Hackers Leveraging Cloudflare Tunnels, DNS Fast-Flux to Hide GammaDrop Malware

https://firewall.firm.in/wp-content/uploads/2024/12/cyberattack.png

Dec 06, 2024The Hacker NewsMalware / Threat Intelligence

The threat actor known as Gamaredon has been observed leveraging Cloudflare Tunnels as a tactic to conceal its staging infrastructure hosting a malware called GammaDrop.

The activity is part of an ongoing spear-phishing campaign targeting Ukrainian entities since at least early 2024 that’s designed to drop the Visual Basic Script malware, Recorded Future’s Insikt Group said in a new analysis.

The cybersecurity company is tracking the threat actor under the name BlueAlpha, which is also known as Aqua Blizzard, Armageddon, Hive0051, Iron Tilden, Primitive Bear, Shuckworm, Trident Ursa, UAC-0010, UNC530, and Winterflounder. The group, believed to be active since 2014, is affiliated with Russia’s Federal Security Service (FSB).

“BlueAlpha has recently started using Cloudflare Tunnels to conceal staging infrastructure used by GammaDrop, an increasingly popular technique used by cybercriminal threat groups to deploy malware,” Insikt Group noted.

Cybersecurity

“BlueAlpha continues to use domain name system (DNS) fast-fluxing of GammaLoad command-and-control (C2) infrastructure to complicate tracking and disruption of C2 communications to preserve access to compromised systems.”

The adversary’s use of Cloudflare Tunnel was previously documented by Slovak cybersecurity company ESET in September 2024, as part of attacks targeting Ukraine and various NATO countries, namely Bulgaria, Latvia, Lithuania, and Poland.

It also characterized the threat actor’s tradecraft as reckless and not particularly focused on stealth, even though they take pains to “avoid being blocked by security products and try very hard to maintain access to compromised systems.”

“Gamaredon attempts to preserve its access by deploying multiple simple downloaders or backdoors simultaneously,” ESET added. “The lack of sophistication of Gamaredon tools is compensated by frequent updates and use of regularly changing obfuscation.”

The tools are chiefly engineered to steal valuable data from web applications running inside internet browsers, email clients, and instant messaging applications such as Signal and Telegram, as well as download additional payloads and propagate the malware via connected USB drives.

  • PteroPSLoad, PteroX, PteroSand, PteroDash, PteroRisk, and PteroPowder – Download payloads
  • PteroCDrop – Drop Visual Basic Script payloads
  • PteroClone – Deliver payloads using the rclone utility
  • PteroLNK – Weaponize connected USB drives
  • PteroDig – Weaponize LNK files in the Desktop folder for persistence
  • PteroSocks – Provide partial SOCKS proxy functionalit
  • PteroPShell, ReVBShell – Function as a remote shell
  • PteroPSDoor, PteroVDoor – Exfiltrate specific files from the file system
  • PteroScreen – Capture and exfiltrate screenshots
  • PteroSteal – Exfiltrate credentials stored by web browsers
  • PteroCookie – Exfiltrate cookies stored by web browsers
  • PteroSig – Exfiltrate data stored by the Signal application
  • PteroGram – Exfiltrate data stored by the Telegram application
  • PteroBleed – Exfiltrate data stored by web versions of Telegram and WhatsApp from Google Chrome, Microsoft Edge, and Opera
  • PteroScout – Exfiltrate system information

The latest set of attacks highlighted by Recorded Future entails sending phishing emails bearing HTML attachments, which leverage a technique called HTML smuggling to activate the infection process via embedded JavaScript code.

Cybersecurity

The HTML attachments, when opened, drop a 7-Zip archive (“56-27-11875.rar”) that includes a malicious LNK file, which makes use of mshta.exe to deliver GammaDrop, a HTA dropper responsible for writing to disk a custom loader named GammaLoad, which subsequently establishes contact with a C2 server to fetch additional malware.

The GammaDrop artifact is retrieved from a staging server that sits behind a Cloudflare Tunnel hosted on the domain amsterdam-sheet-veteran-aka.trycloudflare[.]com.

For its part, GammaLoad makes use of DNS-over-HTTPS (DoH) providers such as Google and Cloudflare to resolve C2 infrastructure when traditional DNS fails. It also employs a fast-flux DNS technique to fetch the C2 address if its first attempt to communicate with the server fails.

“BlueAlpha is likely to continue refining evasion techniques by leveraging widely used, legitimate services like Cloudflare, complicating detection for traditional security systems,” Recorded Future said.

“Continued enhancements to HTML smuggling and DNS-based persistence will likely pose evolving challenges, especially for organizations with limited threat detection capabilities.”

Found this article interesting? This article is a contributed piece from one of our valued partners. Follow us on Twitter and LinkedIn to read more exclusive content we post.


Information Security - InfoSec - Cyber Security - Firewall Providers Company in India

 

 

 

 

 

 

 

 

 

 

 

 

What is Firewall? A Firewall is a network security device that monitors and filters incoming and outgoing network traffic based on an organization's previously established security policies. At its most basic, a firewall is essentially the barrier that sits between a private internal network and the public Internet.

 

Secure your network at the gateway against threats such as intrusions, Viruses, Spyware, Worms, Trojans, Adware, Keyloggers, Malicious Mobile Code (MMC), and other dangerous applications for total protection in a convenient, affordable subscription-based service. Modern threats like web-based malware attacks, targeted attacks, application-layer attacks, and more have had a significantly negative effect on the threat landscape. In fact, more than 80% of all new malware and intrusion attempts are exploiting weaknesses in applications, as opposed to weaknesses in networking components and services. Stateful firewalls with simple packet filtering capabilities were efficient blocking unwanted applications as most applications met the port-protocol expectations. Administrators could promptly prevent an unsafe application from being accessed by users by blocking the associated ports and protocols.

 

Firewall Firm is an IT Monteur Firewall Company provides Managed Firewall Support, Firewall providers , Firewall Security Service Provider, Network Security Services, Firewall Solutions India , New Delhi - India's capital territory , Mumbai - Bombay , Kolkata - Calcutta , Chennai - Madras , Bangaluru - Bangalore , Bhubaneswar, Ahmedabad, Hyderabad, Pune, Surat, Jaipur, Firewall Service Providers in India

Sales Number : +91 95 8290 7788 | Support Number : +91 94 8585 7788
Sales Email : sales@itmonteur.net | Support Email : support@itmonteur.net

Register & Request Quote | Submit Support Ticket