A recently published report on the spread of Astaroth, a fileless malware that has plagued users, attracted the attention of the internet security community. The threat ran legitimate system tools in a complex attack chain that used no executables of its own, allowing it to carry out its actions covertly.
After the report was published, the group behind the Astaroth campaign changed their tactics: they moved to Cloudflare Workers to continue the campaign while attempting to dodge detection. The process unfolds in several stages, explained below.
It starts with a simple Base64-string-to-ArrayBuffer function, followed by the Base64-encoded URL used to perform the next step of the attack. The third section generates a Blob object in browser memory from the data retrieved via that URL and downloads it within the browser session. The remaining sections of the file are filler that contributes nothing to the process.
By using Cloudflare, the threat actors add a layer of protection for themselves: automated analysis tools and sandboxes receive the Cloudflare challenge page rather than the actual Astaroth payload. Cloudflare IP Geolocation adds a header named 'CF-IPCountry' to all requests from infected machines that reach the host server, and only visitors from Brazilian IPs are served the actual second-stage payload. To generate the second stage, the JSON returned from the URL is parsed, the data is converted from Base64 to an ArrayBuffer, written to the browser's Blob storage, and renamed to match the HTML file. A link is then created and automatically clicked to download the file through the infected machine's browser.
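The decode-to-Blob-to-auto-click chain described above is something a defender can look for in scripts reaching the browser. The following heuristic scanner is an added example, not code from the report; the indicator names and the two constructed sample scripts are assumptions made for illustration.

```python
"""Heuristic scanner for the in-browser Blob-download chain described above:
Base64 decode -> ArrayBuffer -> Blob -> object URL -> download attribute -> click.
Added example; the indicator set and both samples below are constructed."""
import re

# Each indicator corresponds to one stage of the chain.
INDICATORS = {
    "base64_decode": re.compile(r"\batob\s*\("),
    "array_buffer":  re.compile(r"\b(?:ArrayBuffer|Uint8Array)\b"),
    "blob_created":  re.compile(r"\bnew\s+Blob\s*\("),
    "object_url":    re.compile(r"\bcreateObjectURL\s*\("),
    "download_attr": re.compile(r"\.download\s*=|setAttribute\s*\(\s*['\"]download['\"]"),
    "auto_click":    re.compile(r"\.click\s*\(\s*\)"),
}

def scan_script(text: str) -> dict:
    """Return which chain stages appear in the script and a 'suspicious' verdict.

    Flag only when the script both assembles bytes client-side (Base64 decode
    or typed-array buffer) and pushes them to disk without user interaction
    (Blob + object URL + download attribute + programmatic click). Any single
    stage is common on legitimate pages; the complete chain is not."""
    hits = {name: bool(rx.search(text)) for name, rx in INDICATORS.items()}
    assembles = hits["base64_decode"] or hits["array_buffer"]
    delivers = (hits["blob_created"] and hits["object_url"]
                and hits["download_attr"] and hits["auto_click"])
    hits["suspicious"] = assembles and delivers
    return hits

# Constructed sample 1: the chain the report describes, reduced to its API calls.
SMUGGLING_SAMPLE = """
var bin = atob(payload); var u8 = new Uint8Array(bin.length);
var a = document.createElement('a');
a.href = URL.createObjectURL(new Blob([u8]));
a.download = 'file.zip'; a.click();
"""

# Constructed sample 2: a legitimate image preview that uses a Blob URL but
# never assembles bytes from Base64 or forces a download.
BENIGN_SAMPLE = """
var img = document.getElementById('preview');
img.src = URL.createObjectURL(new Blob([fileInput.files[0]], {type: 'image/png'}));
"""

if __name__ == "__main__":
    for label, src in (("smuggling", SMUGGLING_SAMPLE), ("benign", BENIGN_SAMPLE)):
        print(label, scan_script(src))
```

The heuristic is deliberately conservative; in practice it belongs alongside proxy or endpoint telemetry that records which page produced a download, since Astaroth-style delivery leaves no server-side file object to inspect.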
This stage begins with a zip file that is created from the data returned by the URL. This method of creation has several advantages over the usual method of downloading a zip file: the threat actor may create a different file for each target and serve them all through a single waypoint, and while network controls may block downloaded file objects, JSON is a natural part of web traffic and is unlikely to be blocked. Some security vendors would otherwise identify the file object on the network and submit it for analysis, which would expose the operation fairly quickly.
The script file is saved in the temp directory under the name Lqncxmm:vbvvjjh.js and executed with the Windows Script Host (WScript). The threat actor turns this Cloudflare feature to their advantage by adding a simple random number generator that randomizes the URL from which the third-stage payload is downloaded. In the third stage there are ten unique, randomized worker node links; for each link a random number between 20,000 and 50,000 is generated twice, so a single link may have up to 900 million combinations.
Searches for Astaroth samples on URLhaus showed that at least one analyst was able to capture links and submit them for analysis; each time the script runs, however, the URLs are different. On systems running 32-bit Windows, the Cloudflare links are skipped and Astaroth instead uses a private Google repository with a static link.
The threat actors behind Astaroth seem to be going the extra distance to avoid detection and to frustrate researchers' attempts at analysis. Their use of Cloudflare shows they are looking for innovative ways to generate random payload URLs and to rebuild their operations if their infrastructure is compromised.