##### CYBER THREAT ANALYSIS
By Insikt Group® | RUSSIA | December 5, 2024

# BlueAlpha Abuses Cloudflare Tunneling Service for GammaDrop Staging Infrastructure

_Note: The analysis cut-off date for this report was August 28, 2024._

## Executive Summary

Insikt Group has tracked an ongoing cyber-espionage campaign targeting Ukrainian-speaking individuals and organizations. This campaign has been conducted by BlueAlpha, a Russian state-sponsored threat activity group that overlaps with Gamaredon, a group operating out of Sevastopol, working under the directive of the Russian Federal Security Service’s (FSB) Centre 18: Centre for Information Security (TsIB). BlueAlpha has been observed delivering malicious HTML smuggling attachments through spearphishing to download and execute GammaDrop and GammaLoad malware variants. BlueAlpha has leveraged Cloudflare Tunnels as part of its GammaDrop staging infrastructure, allowing it to effectively evade traditional network detection mechanisms and further complicate efforts to identify and block its activities.

## Key Findings

- BlueAlpha continues to target Ukrainian entities with spearphishing campaigns, leveraging HTML smuggling attachments to deliver Visual Basic Script (VBScript)-based malware GammaLoad.
- BlueAlpha has recently started using Cloudflare Tunnels to conceal staging infrastructure used by GammaDrop, an [increasingly popular technique used by cybercriminal threat groups to deploy malware](https://www.proofpoint.com/us/blog/threat-insight/threat-actor-abuses-cloudflare-tunnels-deliver-rats).
- BlueAlpha continues to use domain name system (DNS) fast-fluxing of GammaLoad command-and-control (C2) infrastructure to complicate tracking and disruption of C2 communications and to preserve access to compromised systems.
- This campaign has been ongoing since at least early 2024 and has remained largely consistent in its tactics, techniques, and procedures (TTPs), with only slight changes in tooling and infrastructure.

## Background

BlueAlpha is a threat activity group that overlaps with the publicly reported groups Gamaredon, Shuckworm, Hive0051, and UNC530. Since at least 2014, BlueAlpha has primarily targeted Ukrainian government and military entities. The Security Service of Ukraine (SBU) has [publicly attributed](https://ssu.gov.ua/uploads/files/DKIB/Technical%20report%20Armagedon.pdf) BlueAlpha to the “Office of the FSB of Russia in the Republic of Crimea and the city of Sevastopol”, an FSB special project focusing predominantly on Ukraine under the directive of Centre 18: Centre for Information Security. Figure 1 depicts the organization of threat actors attributed to the FSB, including BlueAlpha.

1 CTA-RU-2024-1205 Recorded Future® [| www.recordedfuture.com](http://www.recordedfuture.com)

## Threat Analysis

Insikt Group has observed, via recent malware sample submissions to Recorded Future Public Sandbox, BlueAlpha abusing Cloudflare Tunnels for GammaDrop staging infrastructure. These tunnels have been leveraged by malicious `.lnk` files to download and execute GammaDrop.
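The detection logic that the Threat Analysis and Mitigations sections of this report call for, flagging DNS lookups of randomly generated trycloudflare[.]com subdomains, lookups of public DoH resolver names, and `mshta.exe` launches whose command line fetches a remote URL, as an added Python example run over constructed sample telemetry. This is not code from the report or from Recorded Future; the `key=value` log layout, the workstation names, the sample tunnel subdomain and the list of DoH resolver names are all assumptions made for the example.

```python
import re

# Constructed sample telemetry (not from the report): a DNS query log and a
# process-creation log in an assumed "key=value" layout. Hostnames are made up;
# the trycloudflare.com subdomain mimics the randomly generated ones the service
# hands out to anyone who starts a tunnel.
DNS_LOG = [
    "2024-08-16T10:02:11Z host=WS01 query=quiet-river-example.trycloudflare.com type=A",
    "2024-08-16T10:02:12Z host=WS01 query=www.recordedfuture.com type=A",
    "2024-08-16T10:03:40Z host=WS02 query=cloudflare-dns.com type=A",
    "2024-08-16T10:04:05Z host=WS02 query=trycloudflare.com type=A",
]
PROC_LOG = [
    'host=WS01 image=C:\\Windows\\System32\\mshta.exe cmdline="mshta.exe https://quiet-river-example.trycloudflare.com/update.hta"',
    'host=WS01 image=C:\\Windows\\System32\\notepad.exe cmdline="notepad.exe notes.txt"',
    'host=WS03 image=C:\\Windows\\System32\\mshta.exe cmdline="mshta.exe C:\\Tools\\local.hta"',
]

TUNNEL_DOMAIN = "trycloudflare.com"
# Assumed list of well-known public DoH endpoint names; a real deployment would
# carry the organisation's own list of sanctioned and unsanctioned resolvers.
DOH_RESOLVERS = {"cloudflare-dns.com", "dns.google"}

DNS_RE = re.compile(r"host=(\S+)\s+query=(\S+)")
PROC_RE = re.compile(r'host=(\S+)\s+image=(\S+)\s+cmdline="([^"]*)"')
URL_RE = re.compile(r"^https?://", re.IGNORECASE)


def is_trycloudflare_host(name: str) -> bool:
    """True for a subdomain of trycloudflare.com (a tunnel endpoint), not the apex itself."""
    host = name.lower().rstrip(".")
    return host.endswith("." + TUNNEL_DOMAIN)


def dns_alerts(lines):
    """Flag queries for TryCloudflare tunnel hostnames and for known DoH resolver names."""
    alerts = []
    for line in lines:
        m = DNS_RE.search(line)
        if not m:
            continue
        host, qname = m.groups()
        if is_trycloudflare_host(qname):
            alerts.append((host, "trycloudflare-subdomain", qname))
        elif qname.lower().rstrip(".") in DOH_RESOLVERS:
            alerts.append((host, "doh-resolver", qname))
    return alerts


def mshta_alerts(lines):
    """Flag mshta.exe launches whose command line carries an http(s) URL, i.e. a remote fetch."""
    alerts = []
    for line in lines:
        m = PROC_RE.search(line)
        if not m:
            continue
        host, image, cmdline = m.groups()
        if not image.lower().endswith("\\mshta.exe"):
            continue
        # Skip the executable name itself; inspect every remaining argument.
        for token in cmdline.split()[1:]:
            if URL_RE.match(token):
                alerts.append((host, "mshta-remote-url", token))
    return alerts


def run(dns_lines=DNS_LOG, proc_lines=PROC_LOG):
    """Combine both detections, sorted by host, so tunnel lookups sit next to the launches."""
    return sorted(dns_alerts(dns_lines) + mshta_alerts(proc_lines))


if __name__ == "__main__":
    for host, rule, detail in run():
        print(f"{host}\t{rule}\t{detail}")
```

Run directly, the script prints one line per alert; in practice the two lists would be replaced by SIEM or EDR exports in whatever field layout the environment uses. The apex `trycloudflare.com` is deliberately not flagged, since only the generated subdomains are tunnel endpoints, and a local `.hta` path on the `mshta.exe` command line is likewise left alone so the rule keys on the external-download behaviour the report describes.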
Cloudflare offers this tunneling service for free through the [TryCloudflare tool](https://try.cloudflare.com/), which allows anyone to create a tunnel using a randomly generated subdomain of trycloudflare[.]com and have all requests to that subdomain proxied through the Cloudflare network to the web server running on that host. Cloudflare Tunnels have been gaining momentum as a defense evasion technique due to their ease of setup and the fact that they have no cost to the user in most cases. Security vendors have recently [reported the use of Cloudflare Tunnels](https://www.proofpoint.com/us/blog/threat-insight/threat-actor-abuses-cloudflare-tunnels-deliver-rats) to deliver remote access trojans (RATs) such as AsyncRAT.

#### Infection Chain

A recent example of BlueAlpha using Cloudflare Tunnels for GammaDrop staging infrastructure was submitted to Recorded Future® Public Sandbox on August 16, 2024. This infection chain follows the

## Mitigations

- Implement email security solutions capable of inspecting and blocking HTML smuggling techniques,
particularly attachments with embedded JavaScript. Configure email gateways to flag files with suspicious HTML `onerror` or `onmousemove` event handlers, which are commonly used for evasion.
- Deploy application control policies to restrict the execution of `mshta.exe` and block untrusted `.lnk` files from running. Endpoint Detection and Response (EDR) solutions should monitor `mshta.exe` activity and generate alerts for unusual command-line parameters associated with external downloads.
- Establish network monitoring rules to flag and review traffic to TryCloudflare subdomains, as these are increasingly leveraged for malicious activity.
- Enable DNS-over-HTTPS (DoH) traffic logging and implement monitoring policies to detect unauthorized DoH connections, as GammaLoad uses DoH to resolve C2 domains when conventional DNS resolution fails.
- Assess suspicious email attachments with Recorded Future Malware Intelligence for instant analysis to understand associated threats quickly. Upload suspicious files to Recorded Future Public Sandbox for further analysis.
- Use Recorded Future [Threat Intelligence (TI)](https://www.recordedfuture.com/products/threat-intelligence), [Third-Party Intelligence](https://www.recordedfuture.com/products/third-party-intelligence), and SecOps Intelligence to monitor real-time output from Network Intelligence analytics to identify suspected targeted intrusion activity involving your organization or key vendors and partners.
- Monitor Insikt Group reporting for the latest threat actor tradecraft; tactics, techniques, and procedures (TTPs); targeting; and indicators of compromise (IoCs) to ensure you are informed of the threat.

## Outlook

BlueAlpha is likely to continue refining evasion techniques by leveraging widely used, legitimate services like Cloudflare, complicating detection for traditional security systems.
Continued enhancements to HTML smuggling and DNS-based persistence will likely pose evolving challenges, especially for organizations with limited threat detection capabilities. Preparedness against these tactics will be crucial for Ukrainian organizations as BlueAlpha’s campaign persists.

## Appendix A — Indicators of Compromise

## Appendix B — MITRE ATT&CK Techniques

| Tactic: Technique | ATT&CK Code |
|---|---|
| Initial Access: Spearphishing Attachment | T1566.001 |
| Execution: Visual Basic | T1059.005 |
| Execution: JavaScript | T1059.007 |
| Execution: Malicious File | T1204.002 |
| Persistence: Registry Run Keys / Startup Folder | T1547.001 |
| Defense Evasion: HTML Smuggling | T1027.006 |
| Defense Evasion: Encrypted/Encoded File | T1027.013 |
| Command and Control: Web Protocols | T1071.001 |
| Command and Control: Fast Flux DNS | T1568.001 |

## Appendix C — Diamond Model of Intrusion Analysis

_Recorded Future reporting contains expressions of likelihood or probability consistent with [US Intelligence Community Directive (ICD) 203: Analytic Standards](https://irp.fas.org/dni/icd/icd-203.pdf) (published January 2, 2015). Recorded Future reporting also uses confidence level standards [employed by the US Intelligence Community](https://www.dni.gov/files/ODNI/documents/assessments/ICA-declass-16MAR21.pdf) to assess the quality and quantity of the source information supporting our analytic judgments._

_About Insikt Group®_

_Recorded Future’s Insikt Group, the company’s threat research division, comprises analysts and security researchers with deep government, law enforcement, military, and intelligence agency experience.
Their mission is to produce intelligence that reduces risk for clients, enables tangible outcomes, and prevents business disruption._

_About Recorded Future®_

_Recorded Future is the world’s largest threat intelligence company. Recorded Future’s Intelligence Cloud provides end-to-end intelligence across adversaries, infrastructure, and targets. Indexing the internet across the open web, dark web, and technical sources, Recorded Future provides real-time visibility into an expanding attack surface and threat landscape, empowering clients to act with speed and confidence to reduce risk and securely drive business forward. Headquartered in Boston with offices and employees around the world, Recorded Future works with over 1,800 businesses and government organizations across more than 75 countries to provide real-time, unbiased, and actionable intelligence._

_Learn more at recordedfuture.com_