The Russian state-aligned threat group Gamaredon, tracked by Recorded Future as BlueAlpha, is using Cloudflare Tunnels to hide the infrastructure that stages its GammaDrop malware. The tactic is part of an ongoing spear-phishing campaign against Ukrainian entities, as reported by Recorded Future's Insikt Group.
Key Details:
• Group: Gamaredon (BlueAlpha, Aqua Blizzard, Armageddon, Hive0051, Iron Tilden, Primitive Bear, Shuckworm, Trident Ursa, UAC-0010, UNC530, Winterflounder)
• Affiliation: Russian FSB
• Target: Ukrainian entities
• Malware: GammaDrop
Campaign Overview:
• BlueAlpha has been active since 2014 and is associated with Russia's Federal Security Service (FSB). Recently, the group started using Cloudflare Tunnels, a technique already popular among cybercriminals, to obscure its malware-staging servers. The free TryCloudflare quick tunnels in particular hand out random *.trycloudflare.com hostnames and route traffic through Cloudflare's edge, so the actor needs no public IP, account or registered domain, the true host stays hidden, and the connections blend in with legitimate Cloudflare traffic.
• Insikt Group has observed that BlueAlpha also employs DNS fast-fluxing to complicate tracking and disruption of its command-and-control (C2) infrastructure. Fast flux rotates the IP addresses behind a C2 hostname at short intervals, so blocking any single address achieves little and the actor keeps access to compromised systems while defenders chase the changing records.
Attack Techniques and Tools:
• Malware Downloaders: PteroPSLoad, PteroX, PteroSand, PteroDash, PteroRisk, PteroPowder
• Visual Basic Script Payload Droppers: PteroCDrop
• Payload Delivery via rclone Utility: PteroClone
• USB Drive Weaponization: PteroLNK
• LNK File Weaponization for Persistence: PteroDig
• Partial SOCKS Proxy Functionality: PteroSocks
• Remote Shells: PteroPShell, ReVBShell
• File Exfiltration Tools: PteroPSDoor, PteroVDoor
• Screen Capture and Exfiltration: PteroScreen
• Credential and Cookie Exfiltration from Web Browsers: PteroSteal, PteroCookie
• Data Exfiltration from Signal and Telegram: PteroSig, PteroGram
• Web Version Data Exfiltration from Telegram and WhatsApp: PteroBleed
• System Information Exfiltration: PteroScout
Recent Attacks:
• Recorded Future has highlighted phishing campaigns in which attackers send emails with HTML attachments. The attachments use HTML smuggling (the payload is assembled in the browser by the attachment's own script rather than fetched from a server, so mail gateways only see an HTML file) to drop a 7-Zip archive containing a malicious LNK file. Opening the LNK launches mshta.exe, which delivers GammaDrop.
• GammaDrop, an HTA dropper, writes the GammaLoad loader to disk; GammaLoad then communicates with a C2 server hidden behind a Cloudflare Tunnel at the domain amsterdam-sheet-veteran-aka.trycloudflare[.]com.
Advanced Evasion Techniques: GammaLoad resolves its C2 infrastructure over DNS-over-HTTPS (DoH), so the implant can still look up its C2 hostname when conventional DNS is blocked or sinkholed, and the lookup itself is hidden inside ordinary HTTPS traffic instead of appearing in DNS logs. The use of fast-flux DNS further complicates disruption efforts.
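The chain described above (mshta.exe launched from an LNK, a C2 hostname under trycloudflare.com, and DoH used for resolution) can be correlated from ordinary endpoint and network telemetry. The script below is an added example, not code from the article or from Recorded Future: it runs simple rules over constructed sample records shaped loosely like Sysmon process-create, DNS-query and network-connect events plus a TLS SNI log. The field names, the DoH resolver list, the browser allow-list and the sample hosts are all this example's own assumptions. Note the deliberate gap it handles: because the implant uses DoH, the tunnel hostname never shows up in the DNS-query event, so the rule set also checks the TLS SNI and flags DoH resolver connections from non-browser processes.

```python
# Added example: correlating host and network telemetry for the GammaDrop /
# GammaLoad chain. All records in SAMPLE_EVENTS are constructed sample data,
# not real telemetry; field names and list contents are assumptions.
from collections import defaultdict

TUNNEL_SUFFIX = ".trycloudflare.com"  # Cloudflare quick-tunnel hostnames
# Public DoH endpoints as a host agent would see them: plain TCP/443 connects.
# Assumed list for the example; extend it from your own resolver inventory.
DOH_RESOLVERS = {"cloudflare-dns.com", "dns.google", "dns.quad9.net"}
# Processes expected to talk to DoH resolvers on their own (assumed allow-list).
DOH_ALLOWED_IMAGES = {"firefox.exe", "chrome.exe", "msedge.exe"}


def basename(path):
    """Last path component, lower-cased, for both Windows and POSIX separators."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def classify(ev):
    """Return a list of (rule, severity) hits for one telemetry record."""
    hits = []
    kind = ev["kind"]
    image = basename(ev.get("image", ""))
    if kind == "process":
        # mshta.exe is the LOLBin that runs the HTA dropper; when launched from
        # an LNK the user opened, its parent is normally explorer.exe.
        if image == "mshta.exe":
            sev = "high" if basename(ev.get("parent", "")) == "explorer.exe" else "medium"
            hits.append(("mshta_execution", sev))
    elif kind == "dns":
        # Only visible if the implant falls back to the OS resolver.
        if ev["query"].lower().endswith(TUNNEL_SUFFIX):
            hits.append(("trycloudflare_dns_query", "high"))
    elif kind == "tls":
        # With DoH the hostname never reaches the DNS log, but the TLS SNI of
        # the C2 connection still carries it.
        if ev["sni"].lower().endswith(TUNNEL_SUFFIX):
            hits.append(("trycloudflare_sni", "high"))
    elif kind == "connect":
        # A non-browser process talking to a public DoH resolver is unusual.
        if (ev["dest_host"].lower() in DOH_RESOLVERS and ev["dest_port"] == 443
                and image not in DOH_ALLOWED_IMAGES):
            hits.append(("doh_from_unexpected_process", "medium"))
    return hits


def correlate(events):
    """Group hits per host. A host is 'confirmed' when a tunnel indicator and an
    mshta execution both appear; anything else that fired is 'suspicious'."""
    per_host = defaultdict(list)
    for ev in events:
        for hit in classify(ev):
            per_host[ev["host"]].append(hit)
    verdicts = {}
    for host, hits in per_host.items():
        rules = {rule for rule, _ in hits}
        tunnel = bool(rules & {"trycloudflare_dns_query", "trycloudflare_sni"})
        verdicts[host] = "confirmed" if tunnel and "mshta_execution" in rules else "suspicious"
    return verdicts, dict(per_host)


# Constructed sample records (not real logs). WS01 models the infection chain
# with DoH in use, so there is no DNS-query event for the tunnel hostname.
SAMPLE_EVENTS = [
    {"host": "WS01", "kind": "process", "image": r"C:\Windows\System32\mshta.exe",
     "parent": r"C:\Windows\explorer.exe"},
    {"host": "WS01", "kind": "connect", "image": r"C:\Windows\System32\mshta.exe",
     "dest_host": "cloudflare-dns.com", "dest_port": 443},
    {"host": "WS01", "kind": "tls", "sni": "amsterdam-sheet-veteran-aka.trycloudflare.com",
     "dest_port": 443},
    # WS02: a browser using DoH is expected and must not fire.
    {"host": "WS02", "kind": "process", "image": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "parent": r"C:\Windows\explorer.exe"},
    {"host": "WS02", "kind": "connect", "image": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "dest_host": "cloudflare-dns.com", "dest_port": 443},
    # WS03: a lone quick-tunnel lookup (e.g. a developer's own tunnel) is only suspicious.
    {"host": "WS03", "kind": "dns", "image": r"C:\Windows\System32\svchost.exe",
     "query": "example-words-here.trycloudflare.com"},
]

if __name__ == "__main__":
    verdicts, hits = correlate(SAMPLE_EVENTS)
    for host in sorted(verdicts):
        print(host, verdicts[host], hits[host])
```

The rules are deliberately coarse; in production the mshta rule should also carry the command line (a remote URL or a user-writable path argument is the stronger signal), and the SNI check needs a network sensor or TLS-inspecting proxy that records server names. Trycloudflare hostnames also appear in legitimate developer use, which is why a tunnel indicator on its own only rates "suspicious".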
Implications: Recorded Future expects BlueAlpha to keep refining its evasion by leveraging legitimate services such as Cloudflare, which traditional security controls struggle to flag because the traffic goes to infrastructure most organisations cannot block outright. Practical detection therefore has to pivot to the artifacts the actor cannot avoid: *.trycloudflare.com hostnames in DNS logs and TLS SNI, mshta.exe launches from user-opened LNK files, and DoH connections from processes that are not browsers.