silversurfer
Level 85
Thread author
Verified
Honorary Member
Top Poster
Content Creator
Malware Hunter
Well-known
- Aug 17, 2014
- 10,210
Read more below:A new malicious campaign is actively distributing a new Astaroth Trojan variant by abusing the Cloudflare Workers serverless computing platform to avoid detection and block automated analysis attempts.
Cloudflare Workers are scripts that run on Cloudflare servers from "data centers across 193 cities in 90 countries" and allow one to execute any JavaScript code without having to worry about infrastructure maintenance.
"Workers has a free plan which anyone or anything can sign up and get 100,000 total requests per day. You can create unlimited number of workers per account," as Check Point malware researcher Marcel Afrahim who discovered this Astaroth variant found.
Cloudflare Workers are used by Astaroth's operators as part of a three-stage infection process, starting with a phishing e-mail that comes with an HTML attachment containing obfuscated JavaScript code and linking to a domain that sits behind Cloudflare's infrastructure.
This domain is used to deliver several types of payloads in JSON format depending on the target's location to allow the attackers to quickly change the malicious files for various targets and to avoid getting blocked based on file object types sent to their potential victims' computers.
Astaroth Trojan Uses Cloudflare Workers to Bypass AV Software
A new malicious campaign is actively distributing a new Astaroth Trojan variant by abusing the Cloudflare Workers serverless computing platform to avoid detection and block automated analysis attempts.
www.bleepingcomputer.com
Threat Actor behind Astaroth is now using Cloudflare Workers to bypass your Security Solutions.
TLDR? Skip to the Final Comments.
medium.com
Last edited: