BlueAlpha Abuses Cloudflare Tunneling Service for GammaDrop Staging Infrastructure

Summary

BlueAlpha is a state-sponsored cyber threat group operating under the directive of the Russian Federal Security Service (FSB) that overlaps with the publicly reported groups Gamaredon, Shuckworm, Hive0051, and UNC530. BlueAlpha has been active since at least 2014 and continues to target Ukrainian organizations through relentless spearphishing campaigns that distribute custom malware. Since at least October 2023, BlueAlpha has delivered the custom VBScript malware GammaLoad, enabling data exfiltration, credential theft, and persistent access to compromised networks.

BlueAlpha has recently evolved its malware delivery chain to leverage Cloudflare Tunnels for staging GammaDrop, a tactic popularized by cybercriminal groups for deploying malware.

Key Findings:

  1. BlueAlpha uses Cloudflare Tunnels to conceal its GammaDrop staging infrastructure, evading traditional network detection mechanisms.
  2. The group delivers malware through HTML smuggling, leveraging sophisticated techniques to bypass email security systems.
  3. DNS fast-fluxing complicates efforts to track and disrupt command-and-control (C2) communications.

How BlueAlpha Exploits Cloudflare Tunnels

Cloudflare offers the tunneling service for free through the TryCloudflare tool. The tool allows anyone to create a tunnel on a randomly generated subdomain of trycloudflare.com and have all requests to that subdomain proxied through the Cloudflare network to the web server running on the tunnel host. BlueAlpha leverages this to conceal the staging infrastructure used to deploy GammaDrop.

HTML Smuggling

HTML smuggling enables malware delivery through embedded JavaScript in HTML attachments. BlueAlpha has refined this method with subtle modifications to avoid detection. Recent samples show changes in deobfuscation methods, such as using the onerror HTML event to execute malicious code.
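The attachment-inspection side of this is what the mitigation section below recommends: look for the traits HTML smuggling needs rather than for any one sample. The scanner here is an added example and not code from the report or from Recorded Future; the heuristics (inline event handlers such as onerror, JavaScript APIs that build a file from an embedded string, and unusually long base64 literals) are generic indicators, not BlueAlpha signatures, and the two HTML documents are constructed inputs with a harmless text payload.

```python
"""Heuristic scanner for HTML attachments that show HTML-smuggling traits.

Constructed example, not part of the Insikt Group report. The indicators
below are generic: inline event handlers, file-building JavaScript APIs and
long base64 literals. Treat hits as triage signals, not verdicts.
"""
import base64
import re
from html.parser import HTMLParser

# Inline event handlers that run script without an explicit <script> tag.
EVENT_ATTRS = {"onerror", "onload"}
# JavaScript APIs typically chained to turn an embedded string into a file.
FILE_BUILD_APIS = ("atob(", "new Blob(", "createObjectURL(", "msSaveOrOpenBlob(")
# Base64 runs this long rarely appear in legitimate e-mail HTML.
BASE64_RUN = re.compile(r"[A-Za-z0-9+/]{200,}={0,2}")


class SmugglingScanner(HTMLParser):
    """Collect inline event handlers and raw <script> bodies while parsing."""

    def __init__(self) -> None:
        super().__init__()
        self.handlers: list[str] = []
        self.scripts: list[str] = []
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self._in_script = True
        for name, value in attrs:
            if name.lower() in EVENT_ATTRS and value:
                self.handlers.append(f"{name.lower()} on <{tag}>")

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        # HTMLParser hands <script> content over as raw data.
        if self._in_script:
            self.scripts.append(data)


def scan_html(html: str) -> list[str]:
    """Return human-readable findings; an empty list means nothing matched."""
    scanner = SmugglingScanner()
    scanner.feed(html)
    scanner.close()
    findings = [f"inline event handler: {h}" for h in scanner.handlers]
    script = "".join(scanner.scripts)
    for api in FILE_BUILD_APIS:
        if api in script:
            findings.append(f"file-building API in script: {api}")
    longest = max((len(m.group(0)) for m in BASE64_RUN.finditer(html)), default=0)
    if longest:
        findings.append(f"long base64 literal ({longest} chars)")
    return findings


def is_suspicious(html: str, threshold: int = 2) -> bool:
    """Two independent indicators is a reasonable bar for flagging an attachment."""
    return len(scan_html(html)) >= threshold


# Constructed samples. The "payload" is harmless text, encoded only so the
# long-base64 heuristic has something to find.
BENIGN_HTML = "<html><body><p>Quarterly report attached.</p></body></html>"
_FAKE_BLOB = base64.b64encode(b"constructed placeholder bytes " * 10).decode()
SUSPICIOUS_HTML = (
    "<html><body>"
    '<img src="x" onerror="build()">'
    "<script>"
    f'var p = "{_FAKE_BLOB}";'
    "function build(){ var b = new Blob([atob(p)]);"
    " var u = URL.createObjectURL(b); }"
    "</script></body></html>"
)

if __name__ == "__main__":
    for label, doc in (("benign", BENIGN_HTML), ("suspicious", SUSPICIOUS_HTML)):
        print(label, is_suspicious(doc), scan_html(doc))
```

Run it on the body of any HTML attachment pulled from mail quarantine; the threshold keeps a single inline onload on a marketing mail from paging anyone, while the combination of an event handler, atob/Blob and a large literal is the shape HTML smuggling cannot easily avoid.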

GammaDrop and GammaLoad Malware

BlueAlpha's malware suite is central to its campaigns:

  • GammaDrop: acts as a dropper, writing GammaLoad to disk and ensuring persistence
  • GammaLoad: a custom loader capable of beaconing to its C2 and executing additional malware

BlueAlpha uses obfuscation techniques, namely large amounts of junk code and random variable names, to complicate analysis.

Mitigation Strategies

  1. Enhance Email Security: Deploy solutions to inspect and block HTML smuggling techniques. Flag attachments with suspicious HTML events like onerror.
  2. Restrict Execution of Malicious Files: Implement application control policies to block malicious use of mshta.exe and untrusted .lnk files.
  3. Monitor Network Traffic: Set up rules to flag requests to trycloudflare.com subdomains and unauthorized DNS-over-HTTPS (DoH) connections.
  4. Leverage Threat Intelligence: Use Recorded Future's Malware Intelligence to analyze suspicious files and stay informed about emerging threats.
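For the network-monitoring item, the useful check is not only matching the listed indicators but flagging the pattern behind them: any trycloudflare.com subdomain, and DNS-over-HTTPS to resolvers the organization has not sanctioned. The script below is an added example, not code from the report; the log format, the sample lines and the empty list of approved DoH resolvers are assumptions, while the domain and IP indicators are copied from Appendix A.

```python
"""Flag proxy log lines for TryCloudflare tunnels, unsanctioned DoH and report IoCs.

Constructed example, not part of the Insikt Group report. The log format
(ts src_ip dst_ip host path), the sample lines, the destination IPs in the
203.0.113.0/24 documentation range and the ALLOWED_DOH_HOSTS policy are all
assumptions. IOC_DOMAINS and IOC_IPS are the Appendix A indicators with the
defanging brackets removed.
"""
import re
from dataclasses import dataclass

IOC_DOMAINS = {
    "else-accommodation-allowing-throws.trycloudflare.com",
    "cod-identification-imported-carl.trycloudflare.com",
    "amsterdam-sheet-veteran-aka.trycloudflare.com",
    "benjamin-unnecessary-mothers-configured.trycloudflare.com",
    "longitude-powerpoint-geek-upgrade.trycloudflare.com",
    "attribute-homework-generator-lovers.trycloudflare.com",
    "infected-gc-rhythm-yu.trycloudflare.com",
}
IOC_IPS = {"178.130.42.94"}

# Well-known public DoH endpoints. Only resolvers the organization actually
# deploys belong in ALLOWED_DOH_HOSTS; here the assumption is "none".
KNOWN_DOH_HOSTS = {"cloudflare-dns.com", "dns.google", "dns.quad9.net", "one.one.one.one"}
ALLOWED_DOH_HOSTS: set[str] = set()

LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<src>\S+) (?P<dst>\S+) (?P<host>\S+) (?P<path>\S+)$")


@dataclass
class Alert:
    ts: str
    src: str
    host: str
    reason: str


def classify(host: str, dst: str, path: str) -> list[str]:
    """Return every reason a connection deserves attention (empty = clean)."""
    host = host.lower().rstrip(".")
    reasons = []
    if host in IOC_DOMAINS or dst in IOC_IPS:
        reasons.append("matches report IoC")
    # Any quick tunnel, not just the listed ones: the subdomains rotate.
    if host == "trycloudflare.com" or host.endswith(".trycloudflare.com"):
        reasons.append("TryCloudflare quick tunnel")
    # DoH to a resolver the organization did not sanction bypasses DNS logging.
    if (host in KNOWN_DOH_HOSTS or path.startswith("/dns-query")) and host not in ALLOWED_DOH_HOSTS:
        reasons.append("unsanctioned DNS-over-HTTPS")
    return reasons


def scan_log(lines) -> list[Alert]:
    """Parse each log line and emit one Alert per line with any findings."""
    alerts = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # skip malformed lines rather than crash the pipeline
        reasons = classify(m["host"], m["dst"], m["path"])
        if reasons:
            alerts.append(Alert(m["ts"], m["src"], m["host"], "; ".join(reasons)))
    return alerts


# Constructed sample log: one benign request, one listed IoC domain, one
# unlisted quick tunnel, one DoH query, and a raw connection to the IoC IP.
SAMPLE_LOG = """\
2024-11-20T09:01:12Z 10.0.0.15 203.0.113.10 updates.example-vendor.com /check
2024-11-20T09:02:40Z 10.0.0.15 203.0.113.11 cod-identification-imported-carl.trycloudflare.com /stage
2024-11-20T09:03:05Z 10.0.0.22 203.0.113.12 random-words-here.trycloudflare.com /
2024-11-20T09:03:30Z 10.0.0.22 203.0.113.13 cloudflare-dns.com /dns-query?dns=AAABAAABAAAAAAAAA2ZvbwA
2024-11-20T09:04:00Z 10.0.0.31 178.130.42.94 - /
"""

if __name__ == "__main__":
    for a in scan_log(SAMPLE_LOG.splitlines()):
        print(f"{a.ts} {a.src} -> {a.host}: {a.reason}")
```

The IoC set is worth keeping for retrospective hunting, but the two pattern checks are what catch the next campaign: quick-tunnel hostnames are random and disposable, so an exact-match blocklist lags behind by design.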

Outlook

BlueAlpha's continued use of legitimate services like Cloudflare demonstrates its commitment to refining evasion techniques. Organizations must stay vigilant and invest in advanced detection and response capabilities to counter these sophisticated threats.

To read the entire analysis, click here to download the report as a PDF.

Appendix A: Indicators of Compromise

Domains:
else-accommodation-allowing-throws.trycloudflare[.]com
cod-identification-imported-carl.trycloudflare[.]com
amsterdam-sheet-veteran-aka.trycloudflare[.]com
benjamin-unnecessary-mothers-configured.trycloudflare[.]com
longitude-powerpoint-geek-upgrade.trycloudflare[.]com
attribute-homework-generator-lovers.trycloudflare[.]com
infected-gc-rhythm-yu.trycloudflare[.]com

IP Addresses:
178.130.42[.]94

Hashes:
3afc8955057eb0bae819ead1e7f534f6e5784bbd5b6aa3a08af72e187b157c5b
93aa6cd0787193b4ba5ba6367122dee846c5d18ad77919b261c15ff583b0ca17
b95eea2bee2113b7b5c7af2acf6c6cbde05829fab79ba86694603d4c1f33fdda
Appendix B: MITRE ATT&CK Techniques

Tactic                 Technique                            ATT&CK Code
Initial Access         Spearphishing Attachment             T1566.001
Execution              Visual Basic                         T1059.005
Execution              JavaScript                           T1059.007
Execution              Malicious File                       T1204.002
Persistence            Registry Run Keys / Startup Folder   T1547.001
Defense Evasion        HTML Smuggling                       T1027.006
Defense Evasion        Encrypted/Encoded File               T1027.013
Command and Control    Web Protocols                        T1071.001
Command and Control    Fast Flux DNS                        T1568.001

Article Link: BlueAlpha Leverages Cloudflare Tunnels for GammaDrop Infrastructure