Russia's Cloudflare Tunnels Are Home to the 'BlueAlpha' APT

BlueAlpha, a Russian state-sponsored advanced persistent threat (APT) group, has recently modified its malware distribution chain to abuse Cloudflare Tunnels, ultimately infecting victims with its own GammaDrop malware. As the name implies, Cloudflare Tunnels is a secure tunneling service: it connects resources to Cloudflare's network without the need for a publicly routable IP address, concealing their origin and shielding web servers and applications from direct attacks such as distributed denial-of-service (DDoS).

Unfortunately, according to Recorded Future's Insikt Group, that same concealment can be turned around, as with other legitimate cloud services: BlueAlpha uses Cloudflare Tunnels to hide its GammaDrop staging infrastructure from conventional network detection. As an Insikt report released this week puts it, "Cloudflare offers the tunneling service for free with the use of the TryCloudflare tool. The tool allows anyone to create a tunnel using a randomly generated subdomain of trycloudflare.com and have all requests to that subdomain proxied through the Cloudflare network to the Web server running on that host."

The APT combines this hidden infrastructure with DNS fast-fluxing, which makes BlueAlpha's command-and-control (C2) communications harder to disrupt, and uses it to mount HTML smuggling attacks that circumvent email security systems. According to the Insikt Group researchers, the chain finally delivers the GammaDrop malware, which enables credential theft, data exfiltration, and backdoor access to networks.

BlueAlpha, which first surfaced in 2014 and has recently targeted Ukrainian organizations through spearphishing, shares DNA with other Russian threat groups tracked as Trident Ursa, Gamaredon, Shuckworm, and Hive0051. GammaLoad is a VBScript malware unique to the group, which the APT has used since at least October 2023. The Insikt Group suggested several mitigations to guard against such attacks, including:

- Strengthen email security to block HTML smuggling techniques.

- Flag attachments that contain suspicious HTML events.

- Use application control policies to prevent malicious use of mshta.exe and untrusted .lnk files.

- Create network rules to flag requests to subdomains of trycloudflare.com.
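As an added illustration of the last two mitigations (this is example code written for this article, not Insikt Group or Cloudflare tooling), the following script flags proxy-log requests to any subdomain of trycloudflare.com and scores an HTML attachment for the combination of inline event handlers and smuggling-style script. The log format, hostnames and HTML snippets are constructed samples, and the HTML indicators are assumed heuristics, not signatures from the report.

```python
import re
from urllib.parse import urlparse

# Constructed sample proxy log (not real traffic): "timestamp client_ip url"
SAMPLE_PROXY_LOG = """\
2024-12-05T10:01:02Z 10.0.0.12 https://updates.example.com/agent.msi
2024-12-05T10:01:07Z 10.0.0.31 https://quiet-river-stone-apple.trycloudflare.com/stage/x.hta
2024-12-05T10:02:11Z 10.0.0.31 https://trycloudflare.com/
2024-12-05T10:03:45Z 10.0.0.44 http://notrycloudflare.com.example.org/
"""

# Flag any subdomain of trycloudflare.com. The bare apex is Cloudflare's own
# site for the tool and is deliberately excluded; look-alike domains under
# other apexes do not match either.
TRYCLOUDFLARE_RE = re.compile(r"^(?:[a-z0-9-]+\.)+trycloudflare\.com$", re.I)

# Assumed heuristics for HTML smuggling: inline event handlers combined with
# script that decodes an embedded blob and hands it to the browser as a file.
EVENT_HANDLER_RE = re.compile(r"\bon(?:load|error|click|mouseover)\s*=", re.I)
SMUGGLING_RE = re.compile(
    r"atob\s*\(|createObjectURL\s*\(|msSaveOrOpenBlob|\.download\s*=", re.I)


def flag_trycloudflare_requests(log_text: str) -> list[tuple[str, str]]:
    """Return (client_ip, hostname) for each request to a trycloudflare.com subdomain."""
    hits = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue  # skip malformed lines rather than failing the whole scan
        _ts, client, url = parts
        host = urlparse(url).hostname or ""
        if TRYCLOUDFLARE_RE.match(host):
            hits.append((client, host))
    return hits


def score_html_attachment(html: str) -> dict[str, bool]:
    """Mark an attachment suspicious only when both indicator classes are present."""
    has_events = bool(EVENT_HANDLER_RE.search(html))
    has_smuggling = bool(SMUGGLING_RE.search(html))
    return {"event_handlers": has_events, "smuggling_js": has_smuggling,
            "suspicious": has_events and has_smuggling}


# Constructed attachment fixtures (not real samples): one benign, one matching the heuristics.
BENIGN_HTML = '<html><body onload="init()"><p>Invoice attached.</p></body></html>'
SUSPICIOUS_HTML = ('<html><body onload="go()"><script>var u=URL.createObjectURL('
                   'new Blob([atob(d)]));</script></body></html>')
```

A benign page with a lone onload handler is not flagged; the alert fires only when event handlers and blob-decoding script appear together, which keeps the rule usable on real mail flow.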