A recent malware campaign, codenamed SERPENTINE#CLOUD by Securonix, has emerged, utilizing Cloudflare Tunnel subdomains to host and distribute dangerous payloads through phishing emails. The campaign targets users primarily in the United States, United Kingdom, Germany, and various other locations across Europe and Asia.
According to security researcher Tim Peck, the attack initiates with fraudulent emails themed around payments or invoices. These emails contain links to zipped documents, which ultimately house Windows shortcut (LNK) files that masquerade as legitimate documents. This tactic is designed to deceive victims into opening the files, setting off the malicious download and execution process.
The infection mechanism involves a sophisticated multi-step approach, leading to the execution of a Python-based shellcode loader. Once activated, this loader deploys payloads packed with tools such as the open-source Donut loader directly into memory, evading detection by antivirus software. It’s reported that the use of Cloudflare’s infrastructure not only facilitates the delivery of these harmful files but also obscures the actors’ activities, blurring the line between benign and suspicious behaviors.
Securonix noted the campaign’s unique adaptability in initial access methods, shifting from URL files to LNK files disguised as PDFs. This strategy challenges traditional cybersecurity defenses, making it increasingly difficult to block malicious activities. Furthermore, previous variations of this campaign have introduced various malware types, including AsyncRAT and GuLoader, indicating that the threat landscape remains dynamic and complex. For additional details, see the full analysis published by Securonix and its description of the threat activity cluster.
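To make the delivery chain described above concrete for triage, the following added example (not Securonix’s code) runs simple heuristics over constructed mail-gateway records: payment-themed subjects, archive attachments containing LNK files dressed up as documents, and links hosted on Cloudflare quick-tunnel subdomains. The `trycloudflare.com` suffix and all record fields are assumptions for illustration, not values from the article.

```python
"""Triage heuristics for SERPENTINE#CLOUD-style lures (added example).

Records below are constructed; the quick-tunnel suffix is an assumption
about how Cloudflare Tunnel URLs appear in logs, not a value from the article.
"""
from urllib.parse import urlparse

TUNNEL_SUFFIX = ".trycloudflare.com"  # assumed Cloudflare quick-tunnel domain
LURE_WORDS = ("invoice", "payment", "remittance", "receipt")
DOC_EXTS = (".pdf", ".doc", ".docx", ".xls", ".xlsx")

def is_tunnel_url(url: str) -> bool:
    """True if the link is served from a Cloudflare quick-tunnel subdomain."""
    host = (urlparse(url).hostname or "").lower()
    return host.endswith(TUNNEL_SUFFIX)

def is_disguised_lnk(name: str) -> bool:
    """True for Windows shortcuts whose name imitates a document (Invoice.pdf.lnk)."""
    lower = name.lower()
    if not lower.endswith(".lnk"):
        return False
    stem = lower[:-len(".lnk")]
    return any(stem.endswith(ext) for ext in DOC_EXTS)

def triage(msg: dict) -> list[str]:
    """Return human-readable findings for one gateway record."""
    findings = []
    for url in msg.get("urls", []):
        if is_tunnel_url(url):
            findings.append(f"tunnel-hosted link: {url}")
    for zipname, members in msg.get("archives", {}).items():
        for member in members:
            if member.lower().endswith(".lnk"):
                kind = "disguised" if is_disguised_lnk(member) else "plain"
                findings.append(f"{kind} LNK in {zipname}: {member}")
    # Theme alone is weak; only report it alongside a delivery indicator.
    if findings and any(w in msg["subject"].lower() for w in LURE_WORDS):
        findings.append("payment/invoice theme with suspicious delivery")
    return findings

SAMPLE = [  # constructed records, not real telemetry
    {"subject": "Overdue invoice #4471",
     "urls": ["https://quiet-lamp-abc123.trycloudflare.com/docs/Invoice.zip"],
     "archives": {"Invoice.zip": ["Invoice_4471.pdf.lnk"]}},
    {"subject": "Team lunch photos",
     "urls": ["https://photos.example.com/album"],
     "archives": {"photos.zip": ["IMG_001.jpg"]}},
]

def run_sample() -> dict:
    """Map each sample subject to its findings (first record yields three)."""
    return {m["subject"]: triage(m) for m in SAMPLE}
```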