An advanced assault campaign utilizing Cloudflare’s Workers service to disseminate harmful applications camouflaged as authentic software.

On December 17, 2024, the Ukrainian Computer Emergency Response Team (CERT-UA) disclosed that they had detected various websites mimicking the official “Army+” app page, all hosted using Cloudflare Workers.

These deceptive websites lure unsuspecting users into downloading an executable file labeled “ArmyPlusInstaller-v.0.10.23722.exe,” although the name of the file may differ.

Upon investigation, it was found that this file was actually an NSIS (Nullsoft Scriptable Install System) installer containing a counterfeit .NET file, Python interpreter files, Tor program files, and a PowerShell script named “init.ps1”.

When activated, the installer initiates a counterfeit file in conjunction with the PowerShell script, carrying out various malicious activities:

  1. Deploys an OpenSSH server on the target’s machine.
  2. Creates an RSA key pair.
  3. Appends a public key to the “authorized_keys” file for verification.
  4. Dispatches the private key to the hackers’ server (a Tor address) using curl.
  5. Establishes a concealed SSH service via Tor.

This intricate configuration establishes a hidden access point, enabling the attackers to gain remote entry to the compromised system.

CERT-UA has associated this campaign with the UAC-0125 threat actor, who they believe is linked to the infamous UAC-0002 cluster, also recognized as APT44 or Sandworm.

This Russian state-sanctioned group has a track record of targeting critical infrastructure and governmental bodies in Ukraine.

The exploitation of Cloudflare Workers for malicious intentions is part of an escalating tendency. Fortra, a cybersecurity company, documented a surge of 104% in phishing assaults leveraging Cloudflare Workers in 2024 compared to the preceding year.

Threat actors are taking advantage of the platform’s solid reputation and dependable branding to fabricate convincing phishing sites and evade security measures. This current campaign signifies a development in the strategies employed by UAC-0125.

Earlier in 2024, the group mainly relied on compromised Microsoft Office files as the primary attack vector, containing trojanized elements that would carry out malicious PowerShell directives.

The discovery of this campaign emphasizes the necessity for elevated caution when downloading applications, even from apparently trustworthy sources.

Enterprises and individuals are urged to enforce stringent security protocols, such as multi-factor authentication, routine system updates, and staff training on recognizing phishing endeavors.

As threat actors persist in innovating and capitalizing on reputable platforms, the cybersecurity community must sustain vigilance and flexibility in their defense mechanisms to safeguard against these evolving risks.

The article Threat Actors Abusing Cloudflare Workers Service To Deliver Weaponized Application was originally published on Cyber Security News.