Blue Alpha Gamma Drop Detection
Query
// BlueAlpha GammaDrop Detection
// https://www.recordedfuture.com/research/bluealpha-abuses-cloudflare-tunneling-service
// BlueAlpha, a state-sponsored cyber threat group linked to the Russian FSB, has been active since 2014. Insikt Group has observed, via recent malware sample submissions to Recorded Future Public Sandbox, BlueAlpha abusing Cloudflare Tunnels for GammaDrop staging infrastructure. These tunnels have been leveraged by malicious .lnk files to download and execute GammaDrop.
let DeviceLNKCreation =
DeviceFileEvents
| where ActionType == @"FileCreated"
| where FileName endswith ".lnk"
| invoke FileProfile(SHA1,100)
| where GlobalPrevalence < 10
// Detect low prevalence LNK file extracted from archive
| distinct DeviceName;
DeviceNetworkEvents
| where ActionType == "HttpConnectionInspected"
| extend ConnectInfo = todynamic(AdditionalFields)
| extend HttpHost = ConnectInfo.host
| where HttpHost endswith ".trycloudflare.com"
| where DeviceName has_any(DeviceLNKCreation)
// Endpoint with new low prevalence LNK created connecting to trycloudflare
// MITRE ATT&CKExplanation
This query is designed to detect potential malicious activity associated with the BlueAlpha cyber threat group, which is linked to the Russian FSB. The group has been observed using Cloudflare Tunnels to facilitate their operations. Here's a simple breakdown of what the query does:
-
Identify Suspicious Files: It looks for the creation of
.lnkfiles (shortcut files) on devices. These files are considered suspicious if they have a low global prevalence, meaning they are not commonly found across many systems. -
Profile the Files: The query uses a profiling function to check the SHA1 hash of these
.lnkfiles to ensure they are indeed rare or unusual. -
Network Activity Monitoring: It monitors network events where HTTP connections are inspected. Specifically, it looks for connections to domains ending with
.trycloudflare.com, which is associated with Cloudflare Tunnels. -
Correlate File and Network Activity: The query checks if the devices that created the suspicious
.lnkfiles are also the ones making connections to the Cloudflare Tunnel domains. This correlation helps identify if the unusual file creation is linked to potentially malicious network activity.
Overall, the query aims to detect endpoints that might be involved in BlueAlpha's activities by identifying rare shortcut files and their associated network connections to Cloudflare Tunnels.
Details

Steven Lim
Released: December 7, 2024
Tables
Keywords
Operators