Cybercriminals often abuse free services to host malware or set up command-and-control (C2) infrastructure because they know that connections to such services will not raise suspicion within networks. Such is the case with TryCloudflare.com, which was recently abused in a widespread campaign to deliver remote access trojans (RATs).
TryCloudflare is a tunneling feature that allows users to proxy traffic through Cloudflare’s content delivery network. The latest campaigns, independently observed this year and reported this week by researchers from security firms Proofpoint and eSentire, involved phishing emails that resulted in the download of multiple malware families, including XWorm, VenomRAT, PureLogs Stealer, AsyncRAT, GuLoader and Remcos.
“Campaign message volumes range from hundreds to tens of thousands of messages affecting dozens to thousands of organizations around the world,” Proofpoint researchers wrote in their report. “In addition to English, researchers see the lure of French, Spanish and German. […] The topics of interest vary, but usually include business-related topics such as invoices, document requests, package delivery and taxes.”