The hacker group behind the Astaroth trojan has changed its tactics and is now distributing a new variant of the malware through the Cloudflare Workers serverless computing platform to evade detection by security solutions.
“To generate the second stage of the attack, the JSON from the URL is parsed, converted from Base64 to an ArrayBuffer, written to the browser’s blob storage, renamed to match the name of the HTML file, a link is created and auto-clicked to download it to the user’s browser,” Afrahim discovered.
The second stage of the infection involves a zip file that is created from the data carried in the URL. That zip file is used to redirect to a URL pointing at the contents of a script created with the Cloudflare Workers dashboard script editor. The most interesting part is that the URL used to download the script can be varied with random values, providing “a large or unlimited number of the hostname that can execute particular code which traditional anti-bot or blocking tools will fail to catch.”
While Cloudflare Workers cannot host files themselves, a Worker can redirect traffic to a static file hosting server without revealing that server’s identity, the researcher pointed out.
The script file is saved to 'temp\ Lqncxmm:vbvvjjh.js' and executed with the Windows Script Host (Wscript) process. Using a simple random number generator, Astaroth’s operators randomize the URL that downloads the third-stage payload. The payload is fetched through ten randomized and unique Cloudflare Worker node links, each of which "would have 900 million variations". On systems running a 32-bit version of Windows, the attackers instead use a private Google Storage repository with a static link rather than Cloudflare links.
“The most likely explanation for this is that they wanted to fool the sandboxes and automated analysis tools. Most of the automated sandboxes still rely on 32-bit systems, mainly because it has better anti-sandbox detection techniques. Using this method, the threat actors give away a static IOC to the analyst to keep the operation intact in the real world and the users that are being infected,” said the researcher.
Based on his findings, Afrahim concluded that the bad actors behind this campaign use Cloudflare Workers and its network to:
1. Have a resilient, efficient and secure network to spread payloads.
2. Rely on trusted domain names and services to expand coverage.
3. Hide from sandboxes and interrupt automated analysis tools.
4. Generate random payload URLs for each run in an innovative way.
5. Rebuild the operation with ease in case of compromise.
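Because the randomized Worker hostnames described above defeat static blocklists, a defender is better served by looking for the pattern than for any single host. The following is an added detection example, not code from the article or from the researcher: it parses constructed proxy log lines and flags any client that contacts several distinct Worker hostnames within a short window. The log line format, the `threshold` and `window` parameters and the `.workers.dev` suffix (the domain Cloudflare serves Workers from) are assumptions of this example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed hostname suffix for Cloudflare Workers; the article only says "Cloudflare Worker node links".
WORKERS_SUFFIX = ".workers.dev"

# Assumed proxy log format: "<ISO timestamp> <client ip> GET <url>".
LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+GET\s+https?://(?P<host>[^/\s]+)")


def parse_line(line):
    """Return (timestamp, client, host) for one log line, or None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return datetime.fromisoformat(m["ts"]), m["client"], m["host"].lower()


def suspicious_clients(log_text, threshold=3, window=timedelta(minutes=5)):
    """Map client -> set of distinct Worker hostnames for every client that reached at
    least `threshold` distinct *.workers.dev hosts inside some `window`-long period."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec[2].endswith(WORKERS_SUFFIX):
            events[rec[1]].append((rec[0], rec[2]))
    flagged = {}
    for client, evs in events.items():
        evs.sort()  # sort by timestamp so each window scan only looks forward
        best = set()
        for i, (t0, _) in enumerate(evs):
            hosts = {h for t, h in evs[i:] if t - t0 <= window}
            if len(hosts) > len(best):
                best = hosts
        if len(best) >= threshold:
            flagged[client] = best
    return flagged


# Constructed sample log: one client hitting three random-looking Worker hosts in seconds,
# another touching two Worker hosts ninety minutes apart (not real indicators).
SAMPLE_LOG = """\
2019-08-26T10:00:01 10.0.0.5 GET https://k3j2h1.tenant-a.workers.dev/
2019-08-26T10:00:02 10.0.0.5 GET https://p9o8i7.tenant-a.workers.dev/
2019-08-26T10:00:03 10.0.0.5 GET https://m5n4b3.tenant-a.workers.dev/
2019-08-26T10:00:04 10.0.0.5 GET https://cdn.example.com/style.css
2019-08-26T10:00:05 10.0.0.9 GET https://dashboard.tenant-b.workers.dev/
2019-08-26T11:30:00 10.0.0.9 GET https://other.tenant-b.workers.dev/
"""

if __name__ == "__main__":
    for client, hosts in suspicious_clients(SAMPLE_LOG).items():
        print(client, sorted(hosts))  # prints 10.0.0.5 with its three Worker hosts
```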