Russian Hackers Deploy Stealth Tactics: Cloudflare Tunnels Used to Mask State-Backed Malware Attack


Gamaredon Group Employs Cloudflare Tunnels in Latest Ukrainian Cyber Attacks

The Russian FSB-linked threat actor Gamaredon (tracked by Recorded Future as BlueAlpha) has been observed using Cloudflare Tunnels to hide the staging infrastructure behind its malware in attacks on Ukrainian targets. Cloudflare's quick-tunnel feature lets anyone expose a locally hosted service behind a randomly generated trycloudflare.com subdomain without registering a domain or renting a server, which is exactly what makes it attractive to an actor whose infrastructure is frequently taken down. The findings were published by Recorded Future's Insikt Group in December 2024.

Key Findings:
– The group relies on spear-phishing campaigns to deliver the GammaDrop malware
– Cloudflare Tunnels are used to conceal the staging infrastructure from which GammaDrop is fetched, so the hostname a victim contacts belongs to Cloudflare rather than to a server the attackers had to register
– DNS fast-fluxing (rapidly rotating the IP addresses behind command-and-control domains) complicates tracking and blocking, and DNS-over-HTTPS is used to resolve C2 domains when conventional DNS resolution is blocked

Attack Methodology:
1. Spear-phishing emails carrying an HTML attachment are sent to targets
2. When the attachment is opened, embedded JavaScript uses HTML smuggling to reconstruct a 7-Zip archive in the browser and write it to disk, so no archive ever crosses the mail gateway in a form it can inspect
3. The archive contains a malicious LNK shortcut; opening it launches mshta.exe with a URL pointing at a trycloudflare.com hostname
4. The GammaDrop HTA dropper retrieved through the tunnel writes the GammaLoad VBScript loader to disk and launches it
5. GammaLoad beacons to its C2 servers, resolving the C2 domain over DNS-over-HTTPS (public resolvers such as Google's and Cloudflare's) when ordinary DNS fails, and the C2 domains themselves are fast-fluxed
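Each step of the chain above leaves a detectable trace on the endpoint: a script host launched with a trycloudflare.com URL, a DNS query for that hostname, mshta.exe spawning a further script host, a script host talking to a public DoH resolver over port 443, and a domain that keeps resolving to new addresses. The following is an added example written for this page (not tooling from Recorded Future or the malware authors) that encodes those heuristics as rules over constructed Sysmon-style events; the hostnames, paths and IP addresses in the sample data are made up, and the fast-flux threshold of three distinct answers is an assumption.

```python
"""Heuristic detection of the GammaDrop/GammaLoad chain over constructed events."""
import re
from collections import defaultdict

# Script hosts and LOLBins that have no business fetching content from a
# tunnel hostname or talking directly to a public DoH resolver.
SCRIPT_HOSTS = {"mshta.exe", "wscript.exe", "cscript.exe", "powershell.exe",
                "rundll32.exe", "regsvr32.exe"}
# Quick tunnels live under random labels of trycloudflare.com.
TUNNEL_RE = re.compile(r"\b[a-z0-9-]+\.trycloudflare\.com\b", re.IGNORECASE)
# Well-known public DNS-over-HTTPS endpoints (the report names Google and Cloudflare).
DOH_RESOLVERS = {"dns.google", "8.8.8.8", "8.8.4.4", "cloudflare-dns.com",
                 "mozilla.cloudflare-dns.com", "1.1.1.1", "1.0.0.1"}
FAST_FLUX_MIN_IPS = 3  # assumption: three distinct answers for one name is suspicious

# Constructed sample events (not real telemetry); IPs come from RFC 5737 ranges.
SAMPLE_EVENTS = [
    {"type": "process", "image": r"C:\Windows\System32\mshta.exe",
     "parent": r"C:\Windows\explorer.exe",
     "cmdline": "mshta.exe https://alpha-beta-gamma-delta.trycloudflare.com/stage.hta"},
    {"type": "dns", "image": r"C:\Windows\System32\mshta.exe",
     "query": "alpha-beta-gamma-delta.trycloudflare.com", "answers": ["198.51.100.5"]},
    {"type": "process", "image": r"C:\Windows\System32\wscript.exe",
     "parent": r"C:\Windows\System32\mshta.exe",
     "cmdline": r"wscript.exe C:\Users\user\AppData\Roaming\loader.vbs"},
    {"type": "network", "image": r"C:\Windows\System32\wscript.exe",
     "dest_host": "dns.google", "dest_port": 443},
    {"type": "dns", "image": r"C:\Windows\System32\wscript.exe",
     "query": "updates.example.invalid", "answers": ["203.0.113.10"]},
    {"type": "dns", "image": r"C:\Windows\System32\wscript.exe",
     "query": "updates.example.invalid", "answers": ["203.0.113.20"]},
    {"type": "dns", "image": r"C:\Windows\System32\wscript.exe",
     "query": "updates.example.invalid", "answers": ["203.0.113.30"]},
    # Benign activity that the rules must not flag: a browser using DoH.
    {"type": "process", "image": r"C:\Program Files\Google\Chrome\chrome.exe",
     "parent": r"C:\Windows\explorer.exe", "cmdline": "chrome.exe --profile-directory=Default"},
    {"type": "network", "image": r"C:\Program Files\Google\Chrome\chrome.exe",
     "dest_host": "cloudflare-dns.com", "dest_port": 443},
    {"type": "dns", "image": r"C:\Program Files\Google\Chrome\chrome.exe",
     "query": "www.example.com", "answers": ["198.51.100.7"]},
]


def _basename(path):
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def detect(events):
    """Return a list of alerts, each {"rule", "image", "detail"}, for one event batch."""
    alerts = []
    answers_by_name = defaultdict(set)  # for the fast-flux check across the batch
    for ev in events:
        image = _basename(ev["image"])
        if ev["type"] == "process":
            tunnel = TUNNEL_RE.search(ev["cmdline"])
            if image in SCRIPT_HOSTS and tunnel:
                alerts.append({"rule": "cloudflare_tunnel_staging", "image": image,
                               "detail": tunnel.group(0)})
            if image in SCRIPT_HOSTS and _basename(ev["parent"]) == "mshta.exe":
                alerts.append({"rule": "mshta_spawned_script_host", "image": image,
                               "detail": ev["cmdline"]})
        elif ev["type"] == "dns":
            if TUNNEL_RE.search(ev["query"]):
                alerts.append({"rule": "cloudflare_tunnel_dns", "image": image,
                               "detail": ev["query"]})
            answers_by_name[ev["query"].lower()].update(ev["answers"])
        elif ev["type"] == "network":
            if (image in SCRIPT_HOSTS and ev["dest_port"] == 443
                    and ev["dest_host"].lower() in DOH_RESOLVERS):
                alerts.append({"rule": "script_host_doh", "image": image,
                               "detail": ev["dest_host"]})
    for name, ips in answers_by_name.items():
        if len(ips) >= FAST_FLUX_MIN_IPS:
            alerts.append({"rule": "possible_fast_flux", "image": "-",
                           "detail": f"{name} -> {sorted(ips)}"})
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(f"[{alert['rule']}] {alert['image']}: {alert['detail']}")
```

Two tuning notes: trycloudflare.com is also used legitimately by developers, so the tunnel rules are scoped to script hosts rather than to any process, and DoH traffic from a browser is normal, which is why the benign Chrome events above produce no alert. The fast-flux rule needs a time window in production; here the whole batch is treated as one window.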

Primary Malware Capabilities:
– Theft of data from browsers, email clients, and messaging apps (Signal, Telegram)
– Collection of system information
– Screenshot capture
– Credential harvesting
– Weaponizing attached USB drives (planting LNK files on them) to spread to other hosts
– Remote shell access

The group's arsenal includes a range of specialized tools (the Ptero series, as ESET names them) built for specific functions, from payload delivery to data exfiltration. While Gamaredon's tools are not particularly sophisticated, the group compensates with frequent updates and constantly changing obfuscation, which keeps static signatures from staying useful for long.

Security researchers expect the group to keep evolving its evasion techniques by leaning on legitimate services (tunnelling providers, public DNS-over-HTTPS resolvers) that defenders cannot simply block outright, which poses an ongoing challenge for organizations with limited threat detection capabilities.
