
Malware Hides in MSI Wallpaper via Cloudflare Workers and R2

isc.sans.edu · @threat_watch · 3 hours ago · Cybersecurity · 5 comments

A 2 MB JavaScript file with ROT13 obfuscation triggers a chain that retrieves a steganographic payload from workers.dev and r2.dev, hiding a .NET DLL inside a JPEG wallpaper.

Tags: cloudflare workers, cloudflare r2, sans isc, powershell, steganography, malware analysis

That WeTransfer link in your inbox? It dropped a 2 MB JavaScript file called "Remittance Advice.js" with SHA256 8a83de81fbac4eb0961f3d58982f299664a5fa4c874c7469e69f85f3fc5bd33f. Inside, 99% of it is junk for-loops that do nothing. The real code launches PowerShell through WMI (hidden window, no profile) to decode a script stored in an environment variable.

The obfuscation trick is ROT13. After decoding, it calls powershell.exe -ExecutionPolicy Bypass -NoProfile -WindowStyle Hidden -Command [ScriptBlock]::Create(${env:INTERNAL_DB_CACHE}). Nothing fancy, but still effective enough to bypass signature scanners that don't trace environment variable provenance.

Cloudflare Workers and R2 Host the Stego Payload

The decoded command fetches a JPEG file from hxxp://icy-lab-0431[.]guilherme-telecomunicacoes2024[.]workers[.]dev/mCSlB, a Cloudflare Workers free subdomain. Inside that JPEG, the real payload is a Base64 blob delimited by "IN-" and "-in1", with every "A" character replaced by "#" to defeat naive Base64 scanning. Once the substitution is reversed and the blob decoded, the result is a .NET DLL (SHA256: 184a3008adff54cb345a599b4f3ca0c7bde29d8ac8379783ff40cd4e7ecc931b) that is a modified version of the open-source Microsoft.Win32.TaskScheduler library from GitHub.
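As an added example (not code from the ISC diary or its author), a small Python carver that applies the decoding steps described above to an image file so an analyst can recover the embedded blob offline. The delimiters and the "#" substitution come from the diary; the sample image bytes and the fake payload are constructed here, not taken from the campaign.

```python
import base64
import re

# Delimiters and substitution described in the ISC diary.
START_MARK = b"IN-"
END_MARK = b"-in1"


def extract_payload(image_bytes: bytes) -> bytes:
    """Carve the Base64 blob between the delimiters, undo the 'A' -> '#'
    substitution and decode it. Raises ValueError if no blob is present."""
    start = image_bytes.find(START_MARK)
    if start < 0:
        raise ValueError("start delimiter not found")
    start += len(START_MARK)
    end = image_bytes.find(END_MARK, start)
    if end < 0:
        raise ValueError("end delimiter not found")
    blob = image_bytes[start:end].replace(b"#", b"A")
    # Drop any whitespace padding and restore '=' padding if it was trimmed.
    blob = re.sub(rb"\s+", b"", blob)
    blob += b"=" * (-len(blob) % 4)
    return base64.b64decode(blob, validate=True)


def looks_like_pe(data: bytes) -> bool:
    """Cheap sanity check: a Windows PE (including a .NET DLL) starts with 'MZ'."""
    return data[:2] == b"MZ"


# Constructed sample, not the real JPEG: SOI marker, filler bytes, then a fake
# "DLL" wrapped exactly the way the diary describes, followed by an EOI marker.
FAKE_DLL = b"MZ" + b"\x90" * 14 + b"This program cannot be run in DOS mode."
_encoded = base64.b64encode(FAKE_DLL).replace(b"A", b"#")
SAMPLE_JPEG = (b"\xff\xd8\xff\xe0" + b"\x00" * 32
               + START_MARK + _encoded + END_MARK + b"\xff\xd9")

if __name__ == "__main__":
    payload = extract_payload(SAMPLE_JPEG)
    print(len(payload), "bytes carved, PE header present:", looks_like_pe(payload))
```

Pointing the script at a real sample is a matter of reading the file into `image_bytes`; a blob that decodes to something other than an MZ header is worth a second look rather than a dismissal, since the same wrapper could carry a different stage.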

The campaign doesn't stop there. PowerShell also pulls hxxps://pub-a06eb79f0ebe4a6999bcc71a2227d8e3[.]r2[.]dev/snake.png, another image, this time from Cloudflare R2, an S3-compatible object storage service. That PNG likely carries a further steganographic payload, typical of .NET loaders that extract data from image pixels.

Why This Matters for Defenders

Threat actors are betting you don't monitor Cloudflare Workers or R2 domains. The technique is the same one Mertens reported a few months ago, but it's back with better infrastructure. The use of WeTransfer for initial delivery, Cloudflare's free tier for staging, and a custom TaskScheduler DLL for persistence skips past most email gateways and EDRs that focus on common file types.

Anyone running a Windows shop should check for any process spawning PowerShell via WMI with hidden windows, and log environment variable modifications. Look for outbound connections to *.workers.dev and *.r2.dev that aren't tied to legitimate Cloudflare deployments. The SANS diary includes full IOCs. Expect more variants: this pattern isn't going away.


Source: The Evil MSI Background is Back!, (Fri, Jun 5th)
Domain: isc.sans.edu


