CSO Online

Attackers leverage Cloudflare tunnels to obscure malware distribution

Cybercriminals regularly abuse free services to host malware or to set up command-and-control (C2) infrastructure because they know connections to such services won’t raise suspicion inside networks. Such is the case with TryCloudflare.com, which was recently abused in a widespread campaign to deliver remote access trojans (RATs).

TryCloudflare is a tunneling feature that enables users to proxy traffic through Cloudflare’s content delivery network. The recent campaigns, independently observed this year and reported this week by researchers from security firms Proofpoint and eSentire, involved phishing emails that resulted in the download of multiple malware families, including XWorm, VenomRAT, PureLogs Stealer, AsyncRAT, GuLoader and Remcos.

“Campaign message volumes range from hundreds to tens of thousands of messages impacting dozens to thousands of organizations globally,” researchers from Proofpoint wrote in their report. “In addition to English, researchers observed French, Spanish, and German language lures. […] Lure themes vary, but typically include business-relevant topics like invoices, document requests, package deliveries and taxes.”

How the TryCloudflare attack campaigns unfold

The phishing emails observed by Proofpoint and eSentire typically include a ZIP attachment that contains a .URL (Internet Shortcut) file. This file points to a LNK (Windows Shortcut) or VBS file hosted on a remote WebDAV server set up by the attackers and accessible through a subdomain on trycloudflare.com.

TryCloudflare is a free version of Cloudflare’s Argo Tunnel, which allows users to securely expose a local web application or other type of service to the internet through Cloudflare’s network, benefiting from its fast routing, content optimization, security checks, and other special access rules the user enables. Whereas Argo Tunnel supports multiple protocols, multiple tunnels, and advanced options, TryCloudflare only works with HTTP, allowing just one tunnel with a concurrent connection limit of 200. It also doesn’t require an account to set up.

The feature is aimed mainly at developers to share test versions of web apps from their computers without having to enable port forwarding in routers and firewalls, or having to set up domain names. Each TryCloudflare tunnel receives a randomly generated subdomain on trycloudflare.com that users can share to access their apps.

Attackers behind the reported campaigns set up a server using WebDAV, a file-sharing protocol that works over HTTP and can be accessed by Windows by default, similar to an SMB network share. They use this server to host payloads and set up TryCloudflare to proxy traffic to it via a unique trycloudflare.com URL.

If users click on the .URL file and then download and execute the LNK or VBS file served to them, an infection chain kicks off to execute BAT or CMD files, which then download a Python installer package and a series of Python scripts. In some cases, PowerShell scripts are also used in the attack chain. Meanwhile, a benign PDF file is displayed to the user to avoid raising suspicion.

The Python scripts are droppers for the final payload, which consists of one of the mentioned RATs or infostealers. Researchers note that they’ve seen an evolution in the complexity of these scripts, with later variants increasingly using obfuscation and other detection evasion techniques.

“Attackers’ use of Python scripts for malware delivery is notable,” the researchers said. “Packaging Python libraries and an executable installer alongside the Python scripts ensures the malware can be downloaded and run on hosts that did not previously have Python installed. Organizations should restrict the use of Python if it is not required for individuals’ job functions.”

How to detect and protect against TryCloudflare attacks

This is not the first time attackers have used Cloudflare tunnels maliciously. Last year, researchers from GuidePoint Security reported investigating multiple incidents where attackers set up Cloudflare tunnels on infected machines to maintain remote access to those systems and networks without being detected.

Incidents such as these highlight that security teams should consider setting up network detections for outgoing connections to *.trycloudflare.com URLs and monitoring DNS requests for *.argotunnel.com. The full-featured Cloudflare Tunnel will establish connections with the Cloudflare IP addresses returned by those DNS requests over port 7844 using the QUIC protocol.

That said, Cloudflare Argo Tunnel is a powerful feature that has many legitimate uses for organizations, so the mere presence of such connections on a network does not necessarily indicate malicious behavior. Security teams will need to determine which machines do have a legitimate use for it and should be whitelisted to avoid false positive detections.
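As an added example (not code from the article or from either vendor's report), the following Python sketches both detections described above: inspecting a .URL attachment's target for a LNK or VBS file served from a trycloudflare.com host, which is the first hop of the infection chain, and scanning proxy/DNS log lines for *.trycloudflare.com, *.argotunnel.com and port 7844 traffic while skipping an allowlist of machines with a sanctioned tunnel use. The log format, host names and sample indicators are constructed assumptions, not indicators from the reports.

```python
import configparser
import re
from urllib.parse import urlparse

TUNNEL_DOMAINS = ("trycloudflare.com", "argotunnel.com")
UNC_HOST = re.compile(r"^\\\\([^\\@]+)")  # WebDAV UNC form: \\host@SSL\DavWWWRoot\...
LOG_LINE = re.compile(r"host=(\S+).*?(?:dst|query)=([^\s:]+)(?::(\d+))?")  # assumed log format
# Constructed samples, not indicators from the Proofpoint or eSentire reports.
SAMPLE_URL_FILE = ("[InternetShortcut]\n"
                   "URL=\\\\example-lure-host.trycloudflare.com@SSL\\DavWWWRoot\\invoice.lnk\n")
SAMPLE_LOGS = [
    "2024-08-01T10:00:00Z host=ws-042 proxy dst=example-lure-host.trycloudflare.com:443",
    "2024-08-01T10:00:01Z host=ws-042 dns query=example.com",
    "2024-08-01T10:00:02Z host=srv-07 dns query=example-tunnel.argotunnel.com",
    "2024-08-01T10:00:03Z host=ws-019 fw dst=198.51.100.7:7844 proto=udp",
]

def tunnel_domain(host):
    """Return the tunnel domain that host equals or is a subdomain of, else None."""
    host = host.lower().rstrip(".")
    for d in TUNNEL_DOMAINS:
        if host == d or host.endswith("." + d):
            return d
    return None

def shortcut_is_suspicious(url_file_text):
    """A .URL file is INI text; flag one whose URL= is a LNK/VBS on a tunnel host."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(url_file_text)
    target = cp.get("InternetShortcut", "URL", fallback=None)
    if not target:
        return False
    m = UNC_HOST.match(target)
    host = m.group(1) if m else (urlparse(target).hostname or "")
    return tunnel_domain(host) is not None and target.lower().endswith((".lnk", ".vbs"))

def flag_log_lines(lines, allowlist=frozenset()):
    """Return (source_host, destination, reason) for lines touching tunnel infrastructure."""
    hits = []
    for line in lines:
        m = LOG_LINE.search(line)
        if not m or m.group(1) in allowlist:  # allowlisted machines have a sanctioned tunnel
            continue
        src, dst, port = m.groups()
        d = tunnel_domain(dst)
        if d is not None:
            hits.append((src, dst, "tunnel domain " + d))
        elif port == "7844":  # cloudflared QUIC control connection to a Cloudflare IP
            hits.append((src, dst, "cloudflared QUIC port 7844"))
    return hits
```

Run `flag_log_lines(SAMPLE_LOGS, allowlist={"srv-07"})` to see the allowlist suppress the sanctioned host while the workstation hits remain.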

The Proofpoint and eSentire reports contain indicators of compromise for these recent campaigns such as file hashes and URLs that can also be used to build endpoint detections.
