BlueAlpha, a Russian state-sponsored cyber threat group, has been actively targeting Ukrainian organizations since 2014 by employing persistent spearphishing campaigns to deliver custom malware like GammaLoad.
This malicious VBScript lets the group steal credentials and data and maintain persistent backdoor access to compromised networks.
It has adopted Cloudflare Tunnels to stage GammaDrop malware, a strategic shift in its malware delivery chain. By exploiting Cloudflare’s legitimate service, BlueAlpha masks its malicious activity, making it harder to detect and disrupt.
This technique, also common among cybercriminal groups, shows the actors' growing sophistication in abusing legitimate services for malicious ends.
BlueAlpha uses Cloudflare Tunnels to conceal its GammaDrop staging infrastructure and so evade conventional network detection.
The group uses HTML smuggling to deliver malware and bypass email security controls, and DNS fast-fluxing to hinder tracking and disruption of its command-and-control (C2) communications.
Cloudflare’s TryCloudflare tool provides a free tunneling service where users can run a local web server and create a tunnel to it, which generates a random subdomain on trycloudflare.com and routes all traffic for that subdomain through the Cloudflare network.
This lets users expose a local server to the internet without modifying DNS records or firewall rules; BlueAlpha uses TryCloudflare to mask the staging infrastructure for its GammaDrop deployment.
BlueAlpha has refined its HTML smuggling techniques to evade detection, embedding malicious JavaScript in HTML attachments and subtly modifying it to slip past security controls.
Recent samples show new deobfuscation methods, including use of the onerror HTML event to trigger execution of the malicious code, which lets the payload bypass traditional defenses.
BlueAlpha carries out its campaigns with a multi-stage malware suite: GammaDrop, the initial infection vector, writes GammaLoad to disk, ensuring persistence on the compromised system.
According to Insikt Group, GammaLoad, a versatile loader, establishes communication with the Command and Control (C2) server and facilitates the deployment of additional malware payloads.
To hinder analysis, it employs advanced obfuscation techniques, such as injecting redundant code and using randomized variable names to obscure the malware’s functionality and structure.
Enhanced email security defends against these email-borne threats through a layered approach: inspecting emails for malicious HTML content, particularly hidden code disguised as harmless elements, and flagging attachments that trigger suspicious HTML events.
Application control policies block execution of commonly abused binaries like mshta.exe and of untrusted shortcuts, while network traffic monitoring flags connections to potentially malicious subdomains under trycloudflare.com and unauthorized DNS-over-HTTPS channels that could be used for data exfiltration.
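The two detection ideas above (HTML attachments whose event handlers carry decoder calls, and network logs showing trycloudflare.com subdomains or DNS-over-HTTPS) as an added, defender-side example; this is not code from the article or from Insikt Group. The HTML attachment and log lines are constructed samples, and treating a `/dns-query` path as a DoH indicator is an assumed heuristic.

```python
import re
from html.parser import HTMLParser

# Constructed sample: an HTML attachment whose <img> onerror handler decodes and
# runs smuggled JavaScript, the pattern the article attributes to recent samples.
SAMPLE_HTML = """<html><body>
<p>Invoice attached</p>
<img src="x" onerror="eval(atob('YWxlcnQoMSk='))">
</body></html>"""

# Constructed sample DNS/proxy log lines: timestamp, host, protocol, destination.
SAMPLE_LOG = """2024-12-05T10:01:02Z host1 dns query fonts.gstatic.com
2024-12-05T10:01:05Z host1 dns query random-words-here.trycloudflare.com
2024-12-05T10:01:09Z host2 http POST cloudflare-dns.com/dns-query
2024-12-05T10:02:00Z host3 dns query example.org"""

# Event handlers commonly used to fire smuggled code without user interaction.
SUSPICIOUS_EVENTS = {"onerror", "onload"}
# Decoder/eval calls that rarely belong in a benign attribute handler.
DECODE_CALLS = re.compile(r"\b(atob|unescape|eval|Function|fromCharCode)\s*\(", re.I)


class SmugglingScanner(HTMLParser):
    """Flags tags whose event-handler attribute contains a decode/eval call."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if name.lower() in SUSPICIOUS_EVENTS and value and DECODE_CALLS.search(value):
                self.findings.append(f"{tag}@{name}: {value[:40]}")


def scan_html(html):
    p = SmugglingScanner()
    p.feed(html)
    return p.findings


def scan_log(log):
    """Returns (indicator, line) for trycloudflare subdomains and DoH-style requests."""
    hits = []
    for line in log.splitlines():
        if re.search(r"[\w-]+\.trycloudflare\.com\b", line):
            hits.append(("trycloudflare", line))
        elif re.search(r"/dns-query\b", line):  # assumed DoH heuristic
            hits.append(("doh", line))
    return hits
```

In practice, a trycloudflare.com hit is a triage signal rather than proof of compromise, since the service has legitimate users; pair it with the attachment finding and the endpoint's process activity.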