A malware campaign known as Serpentine#Cloud is infecting machines through Cloudflare tunnel subdomains, granting attackers access to compromised systems.
The campaign is widespread with infections observed in Western countries like the US, UK, Germany, Singapore, and India.
English-language comments in the code and focus on Western targets suggest a sophisticated actor behind the campaign.
The attackers use Cloudflare's TryCloudflare tunneling services to host and deliver malware, enhancing stealth and bypassing detection.
The attack starts with a phishing email containing a malicious Windows shortcut disguised as a PDF document.
Upon clicking the malicious link, a multi-stage attack chain of batch, VBScript, and Python components runs shellcode that loads the final payload.
The use of legitimate tools like Cloudflare's tunnels helps the attackers in blending malicious traffic with normal network activity.
The campaign prioritizes stealth and operational agility by using disposable infrastructure and staged delivery payloads.
The attackers evade antivirus detection by utilizing native Windows tools and WebDAV transport over HTTPS during the infection process.
The malware establishes persistence through the Windows startup folder, deploying Python-based shellcode loaders that give the attackers full command and control over infected hosts.
From the compromised machines, the attackers can steal data, exfiltrate sensitive information, and move laterally to other systems.
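As an added defender-side illustration (not code from the article or from the campaign itself), the rules below flag three behaviours the chain described above would leave in endpoint telemetry: a shortcut file disguised with a document extension, a script host writing into the Startup folder, and any outbound connection to a TryCloudflare subdomain. The event format and every host name and path are constructed for the example.

```python
import re

# Constructed sample events in a simplified "key=value" form resembling endpoint telemetry
# (not real Sysmon output); the trycloudflare host name and paths are made up for this example.
SAMPLE_EVENTS = [
    "type=file_create image=C:\\Windows\\System32\\wscript.exe "
    "target=C:\\Users\\a\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\update.vbs",
    "type=net_connect image=C:\\Windows\\explorer.exe dest=quiet-river-123.trycloudflare.com:443",
    "type=file_create image=C:\\Program Files\\Outlook\\outlook.exe target=C:\\Users\\a\\Downloads\\Invoice.pdf.lnk",
    "type=net_connect image=C:\\Windows\\System32\\svchost.exe dest=update.microsoft.com:443",
    "type=file_create image=C:\\Windows\\System32\\cmd.exe target=C:\\Users\\a\\AppData\\Local\\Temp\\stage.bat",
]

STARTUP_RE = re.compile(r"\\Start Menu\\Programs\\Startup\\", re.IGNORECASE)
# A .lnk carrying a document extension in front of it is the "PDF that is really a shortcut" lure.
DISGUISED_LNK_RE = re.compile(r"\.(pdf|docx?|xlsx?)\.lnk$", re.IGNORECASE)
# Match the tunnel domain itself or any subdomain, with an optional port suffix.
TRYCLOUDFLARE_RE = re.compile(r"(^|\.)trycloudflare\.com(:\d+)?$", re.IGNORECASE)
# Script interpreters the staged chain relies on; a benign installer rarely uses these to seed Startup.
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "cmd.exe", "python.exe", "pythonw.exe", "powershell.exe"}


def parse_event(line):
    """Split 'key=value key=value' where values may contain spaces (e.g. 'Start Menu')."""
    return dict(re.findall(r"(\w+)=(.*?)(?=\s+\w+=|$)", line))


def detect(events):
    """Return (rule_name, evidence) pairs for every event that matches a rule."""
    findings = []
    for line in events:
        ev = parse_event(line)
        image = ev.get("image", "").rsplit("\\", 1)[-1].lower()
        target = ev.get("target", "")
        dest = ev.get("dest", "")
        if ev.get("type") == "file_create" and DISGUISED_LNK_RE.search(target):
            findings.append(("lnk_disguised_as_document", target))
        if ev.get("type") == "file_create" and STARTUP_RE.search(target) and image in SCRIPT_HOSTS:
            findings.append(("script_host_wrote_startup_folder", target))
        # No image filter here: WebDAV over HTTPS on Windows is issued by the WebClient service
        # (inside svchost.exe), so the connecting process is not a useful discriminator.
        if ev.get("type") == "net_connect" and TRYCLOUDFLARE_RE.search(dest):
            findings.append(("trycloudflare_connection", dest))
    return findings


if __name__ == "__main__":
    for rule, evidence in detect(SAMPLE_EVENTS):
        print(f"{rule}: {evidence}")
```

The TryCloudflare rule will also fire on legitimate use of the service, so treat it as a triage signal to correlate with the other two rather than a standalone block.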