Hackers Leveraging Cloudflare Tunnels, DNS Fast-Flux to Hide GammaDrop Malware


The Russia-linked threat group Gamaredon, also tracked as BlueAlpha, is using Cloudflare Tunnels to hide the infrastructure hosting its GammaDrop malware. The tactic is part of an ongoing spear-phishing campaign against Ukrainian entities, as reported by Recorded Future's Insikt Group.

Key Details:

• Group: Gamaredon (BlueAlpha, Aqua Blizzard, Armageddon, Hive0051, Iron Tilden, Primitive Bear, Shuckworm, Trident Ursa, UAC-0010, UNC530, Winterflounder)
• Affiliation: Russian FSB
• Target: Ukrainian entities
• Malware: GammaDrop

Campaign Overview:

• BlueAlpha has been active since 2014 and is associated with Russia’s Federal Security Service (FSB). Recently, they started using Cloudflare Tunnels, a technique popular among cybercriminals, to obscure their malware-staging servers.
• Insikt Group has also observed BlueAlpha using DNS fast-fluxing, rapidly rotating the IP addresses that its command-and-control (C2) domains resolve to, to complicate tracking and disruption of the infrastructure. Because no single address stays in use for long, blocking or seizing individual hosts does not sever the operators' access to compromised systems.

Attack Techniques and Tools:

• Malware Downloaders: PteroPSLoad, PteroX, PteroSand, PteroDash, PteroRisk, PteroPowder
• Visual Basic Script Payload Droppers: PteroCDrop
• Payload Delivery via rclone Utility: PteroClone
• USB Drive Weaponization: PteroLNK
• LNK File Weaponization for Persistence: PteroDig
• Partial SOCKS Proxy Functionality: PteroSocks
• Remote Shells: PteroPShell, ReVBShell
• File Exfiltration Tools: PteroPSDoor, PteroVDoor
• Screen Capture and Exfiltration: PteroScreen
• Credential and Cookie Exfiltration from Web Browsers: PteroSteal, PteroCookie
• Data Exfiltration from Signal and Telegram: PteroSig, PteroGram
• Web Version Data Exfiltration from Telegram and WhatsApp: PteroBleed
• System Information Exfiltration: PteroScout

Recent Attacks:

• Recorded Future has highlighted phishing campaigns in which the attackers send emails with HTML attachments. The attachments use HTML smuggling (the payload is assembled client-side by script in the attachment rather than arriving as a separate file, so a mail gateway inspecting attachments sees only HTML) to drop a 7-Zip archive containing a malicious LNK file, which delivers GammaDrop through mshta.exe.
• GammaDrop, an HTA dropper, writes the GammaLoad loader to disk. GammaLoad then communicates with a C2 server hidden behind a Cloudflare Tunnel on the domain amsterdam-sheet-veteran-aka.trycloudflare[.]com (trycloudflare.com is the domain Cloudflare assigns to its free "quick" tunnels).
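The delivery chain above (an LNK launching mshta.exe against an HTA, with the C2 behind a trycloudflare.com host) leaves a recognisable footprint in process-creation telemetry. The hunt below is an added example, not code from Recorded Future or from the article: it walks Sysmon-Event-1-style records and flags mshta.exe runs that fetch a remote HTA, that point at a Cloudflare quick tunnel, or that execute an HTA out of a Temp path from a user-launched parent. The events, field names and the local file paths are constructed for illustration; only the trycloudflare domain is the one quoted in the report.

```python
"""Hunt for mshta.exe-based HTA delivery in process-creation telemetry.

Added example, not the article's or Recorded Future's code. SAMPLE_EVENTS are
constructed, Sysmon-Event-1-style records; field names and file paths are
assumptions, the trycloudflare host is the IOC from the report.
"""
import re
from urllib.parse import urlparse

# Parents typical of a user double-clicking an LNK (or a script it spawns).
SUSPICIOUS_PARENTS = {"explorer.exe", "cmd.exe", "powershell.exe", "wscript.exe"}
TUNNEL_SUFFIX = ".trycloudflare.com"          # Cloudflare quick-tunnel hostnames
URL_RE = re.compile(r"https?://[^\s\"']+", re.IGNORECASE)

SAMPLE_EVENTS = [  # constructed telemetry
    {"Image": r"C:\Windows\System32\mshta.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "mshta.exe https://amsterdam-sheet-veteran-aka.trycloudflare.com/index.hta"},
    {"Image": r"C:\Windows\System32\mshta.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"mshta.exe C:\Users\user\AppData\Local\Temp\7zO1A2B\invoice.hta"},
    {"Image": r"C:\Windows\System32\mshta.exe",            # benign vendor UI (assumed)
     "ParentImage": r"C:\Program Files\Vendor\setup.exe",
     "CommandLine": r'mshta.exe "C:\Program Files\Vendor\ui\about.hta"'},
    {"Image": r"C:\Windows\System32\notepad.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "notepad.exe readme.txt"},
]


def basename(path):
    """Return the lower-cased file name of a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def analyse(event):
    """Return the list of reasons this event is suspicious (empty if benign)."""
    reasons = []
    if basename(event["Image"]) != "mshta.exe":
        return reasons
    cmd = event["CommandLine"]
    # mshta will happily fetch and run an HTA straight from a URL.
    for url in URL_RE.findall(cmd):
        host = (urlparse(url).hostname or "").lower()
        reasons.append(f"mshta fetching remote HTA from {host}")
        if host.endswith(TUNNEL_SUFFIX):
            reasons.append("host is a Cloudflare quick tunnel (trycloudflare.com)")
    # An HTA extracted to a Temp folder and launched via explorer/cmd/wscript
    # matches the archive-plus-LNK delivery described in the report.
    if basename(event["ParentImage"]) in SUSPICIOUS_PARENTS and "temp" in cmd.lower():
        reasons.append("HTA run from a Temp path by a user-launched parent (LNK-style delivery)")
    return reasons


def hunt(events):
    """Return (event, reasons) pairs for every event that raised at least one reason."""
    return [(e, analyse(e)) for e in events if analyse(e)]


if __name__ == "__main__":
    for event, reasons in hunt(SAMPLE_EVENTS):
        print(event["CommandLine"])
        for r in reasons:
            print("   -", r)
```

The remote-URL check is the high-confidence signal; the Temp-path rule is a weaker heuristic and will need tuning against software that legitimately unpacks HTAs, which is why the hunt returns reasons rather than a single verdict.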

Advanced Evasion Techniques: GammaLoad resolves its C2 infrastructure over DNS-over-HTTPS (DoH), so the lookup travels inside an HTTPS session to a public resolver rather than through the victim organisation's own DNS servers. Resolution therefore succeeds even where the local resolver blocks or sinkholes the domain, and the queries never appear in internal DNS logs. Fast-flux rotation of the records behind the C2 domains further complicates takedown efforts.
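Fast-flux domains can be picked out of passive-DNS data because a single hostname resolves to many unrelated addresses with very short TTLs, whereas a CDN or load-balanced service spreads its records across one operator's ranges. The heuristic below is an added example, not code from the article or Recorded Future, and the resolution records and thresholds are constructed assumptions a defender would tune; distinct /16 prefixes stand in for "different hosting providers" because the constructed records carry no ASN data.

```python
"""Fast-flux heuristic over passive-DNS observations.

Added example, not from the article or Recorded Future. OBSERVATIONS are
constructed (domain, answer IP, TTL) records; the thresholds are assumptions.
"""
from collections import defaultdict
from ipaddress import ip_network

OBSERVATIONS = [  # constructed resolutions for three hostnames over one hour
    # flux-like: many unrelated addresses, tiny TTLs
    ("c2-example.invalid", "198.51.100.10", 60),
    ("c2-example.invalid", "203.0.113.25", 60),
    ("c2-example.invalid", "192.0.2.77", 60),
    ("c2-example.invalid", "198.18.4.9", 30),
    ("c2-example.invalid", "100.64.7.200", 60),
    ("c2-example.invalid", "192.0.2.130", 60),
    # CDN-like: several addresses, short TTL, but one operator range
    ("cdn-example.invalid", "203.0.113.1", 120),
    ("cdn-example.invalid", "203.0.113.2", 120),
    ("cdn-example.invalid", "203.0.113.3", 120),
    ("cdn-example.invalid", "203.0.113.4", 120),
    ("cdn-example.invalid", "203.0.113.5", 120),
    # stable: one address, day-long TTL
    ("static-example.invalid", "198.51.100.200", 86400),
]

# Assumed thresholds; raise them on noisy data, lower them for hunting.
MIN_DISTINCT_IPS = 5
MIN_DISTINCT_NETS = 3      # distinct /16s approximate distinct hosting providers
MAX_TTL = 300


def summarise(observations):
    """Aggregate per-domain address set, /16 set and minimum TTL."""
    per_domain = defaultdict(lambda: {"ips": set(), "nets": set(), "min_ttl": None})
    for domain, ip, ttl in observations:
        s = per_domain[domain]
        s["ips"].add(ip)
        s["nets"].add(str(ip_network(f"{ip}/16", strict=False)))
        s["min_ttl"] = ttl if s["min_ttl"] is None else min(s["min_ttl"], ttl)
    return per_domain


def is_fast_flux(summary):
    """All three conditions must hold: many IPs, spread across networks, short TTL."""
    return (len(summary["ips"]) >= MIN_DISTINCT_IPS
            and len(summary["nets"]) >= MIN_DISTINCT_NETS
            and summary["min_ttl"] <= MAX_TTL)


def flag_fast_flux(observations):
    """Return the sorted list of domains whose resolution pattern looks like fast-flux."""
    return sorted(d for d, s in summarise(observations).items() if is_fast_flux(s))


if __name__ == "__main__":
    for domain, s in summarise(OBSERVATIONS).items():
        verdict = "FLUX" if is_fast_flux(s) else "ok"
        print(f"{domain:24} ips={len(s['ips'])} nets={len(s['nets'])} "
              f"min_ttl={s['min_ttl']} -> {verdict}")
```

One caveat follows directly from the DoH point above: because GammaLoad resolves over DoH, the victim's own recursive-resolver logs will not contain these lookups, so the observations have to come from an external passive-DNS feed or from resolving the reported C2 domains yourself rather than from internal DNS telemetry.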

Implications: Recorded Future suggests that BlueAlpha will likely continue refining its evasion tactics by leveraging legitimate services like Cloudflare, posing significant detection challenges for traditional security systems.
