{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/tags/tunneling/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":["Warlock"],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["critical"],"_cs_tags":["webshell","ransomware","tunneling"],"_cs_type":"threat","_cs_vendors":[],"content_html":"\u003cp\u003eThis brief describes a Warlock attack, as detailed in a Trend Micro analysis, involving the use of web shells, tunneling, and ransomware deployment. The Warlock group compromises systems by leveraging web shells for initial access and establishing tunnels for persistent access and command and control. This access is then used to deploy ransomware, encrypting critical data and demanding ransom payments from victims. The specific ransomware family and web shell variants employed are not detailed in the provided context, but the overall attack flow is consistent with financially motivated cybercrime operations. Defenders should prioritize detection of web shell activity, unauthorized tunneling, and ransomware execution to mitigate the risk of compromise by the Warlock group.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003e\u003cstrong\u003eInitial Access:\u003c/strong\u003e The attacker gains access to the target system by exploiting vulnerabilities to deploy a web shell (details of the vulnerability are not provided).\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eWeb Shell Execution:\u003c/strong\u003e The attacker executes commands through the web shell to perform reconnaissance and identify valuable targets within the network.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eTunnel Establishment:\u003c/strong\u003e A tunnel is established to maintain persistent access and bypass security controls (specific tunneling technology not provided).\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eLateral Movement:\u003c/strong\u003e The attacker leverages the established tunnel to move laterally within the network, compromising additional systems.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eCredential Access:\u003c/strong\u003e The attacker attempts to harvest credentials to gain elevated privileges and access to critical resources (specific tools/techniques not provided).\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eRansomware Deployment:\u003c/strong\u003e The attacker deploys ransomware across the network, encrypting files and rendering systems unusable.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eRansom Demand:\u003c/strong\u003e A ransom note is left on the compromised systems, demanding payment for decryption keys.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eData Exfiltration (Possible):\u003c/strong\u003e Prior to encryption, the attacker may exfiltrate sensitive data to further pressure victims into paying the ransom (not explicitly stated, but a common practice).\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eThe Warlock attack results in significant disruption to victim organizations through ransomware deployment. Systems are rendered unusable due to encryption, potentially leading to operational downtime and financial losses. If data exfiltration occurs, the confidentiality of sensitive information is also compromised, increasing the potential for reputational damage and legal liabilities. The lack of specific victim counts and sector targeting data in the provided context limits a comprehensive impact assessment.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy a web shell detection rule (see below) to identify suspicious web shell activity on web servers based on process creation.\u003c/li\u003e\n\u003cli\u003eImplement a network monitoring rule (see below) to detect unusual tunneling activity based on network connections from web servers.\u003c/li\u003e\n\u003cli\u003eEnable file integrity monitoring to detect unauthorized modifications to web server files that could indicate web shell installation (reference file_event log source).\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-03-19T05:26:28Z","date_published":"2026-03-19T05:26:28Z","id":"/briefs/2024-05-warlock-webshell-ransomware/","summary":"The Warlock group utilizes web shells and tunneling to deploy ransomware within compromised environments, impacting victim data confidentiality and availability.","title":"Warlock Group Deploys Web Shells, Tunnels, and Ransomware","url":"https://feed.craftedsignal.io/briefs/2024-05-warlock-webshell-ransomware/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Defender XDR","Elastic Defend","Elastic Endgame"],"_cs_severities":["medium"],"_cs_tags":["command-and-control","tunneling","yuze","proxy"],"_cs_type":"advisory","_cs_vendors":["Microsoft","Elastic","Crowdstrike","SentinelOne"],"content_html":"\u003cp\u003eThis rule detects the execution of Yuze, an open-source tunneling tool written in C, which is commonly used for intranet penetration. Yuze supports both forward and reverse SOCKS5 proxy tunneling and is often executed using \u003ccode\u003erundll32\u003c/code\u003e to load \u003ccode\u003eyuze.dll\u003c/code\u003e with the \u003ccode\u003eRunYuze\u003c/code\u003e export. Threat actors can leverage Yuze to proxy command and control (C2) communications or to pivot within a network. The detection focuses on identifying processes with command-line arguments indicative of Yuze execution, specifically those involving \u0026ldquo;reverse,\u0026rdquo; \u0026ldquo;-c,\u0026rdquo; \u0026ldquo;proxy,\u0026rdquo; \u0026ldquo;fwd,\u0026rdquo; and \u0026ldquo;-l\u0026rdquo; parameters. This activity has been observed in real-world campaigns, increasing the importance of timely detection and response.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker gains initial access to a target system through various means (e.g., phishing, exploitation of vulnerabilities).\u003c/li\u003e\n\u003cli\u003eThe attacker uploads or drops the \u003ccode\u003eyuze.dll\u003c/code\u003e file onto the compromised host.\u003c/li\u003e\n\u003cli\u003eThe attacker uses \u003ccode\u003erundll32.exe\u003c/code\u003e to execute \u003ccode\u003eyuze.dll\u003c/code\u003e, calling the \u003ccode\u003eRunYuze\u003c/code\u003e export.\u003c/li\u003e\n\u003cli\u003eThe command line includes parameters to establish a reverse or forward SOCKS5 proxy tunnel (e.g., \u003ccode\u003erundll32 yuze.dll,RunYuze reverse -c \u0026lt;ip\u0026gt;:\u0026lt;port\u0026gt;\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eYuze establishes a tunnel to a remote server, allowing the attacker to proxy network traffic.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the established tunnel to pivot within the network and access internal resources.\u003c/li\u003e\n\u003cli\u003eThe attacker may proxy C2 traffic through the tunnel, masking the true origin of the commands.\u003c/li\u003e\n\u003cli\u003eThe attacker performs actions on the internal network, such as data exfiltration or lateral movement, using the tunnel as a covert channel.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation allows attackers to establish covert communication channels, bypass network security controls, and proxy malicious traffic, potentially leading to unauthorized access to sensitive data, lateral movement within the network, and data exfiltration. The use of Yuze can obscure the origin of attacks, making attribution more difficult and hindering incident response efforts.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Potential Yuze Tunneling via Rundll32\u0026rdquo; to your SIEM to detect the execution of \u003ccode\u003eyuze.dll\u003c/code\u003e via \u003ccode\u003erundll32.exe\u003c/code\u003e with specific command-line arguments.\u003c/li\u003e\n\u003cli\u003eEnable process creation logging (Sysmon Event ID 1 or Windows Security Auditing) to capture the necessary command-line information for the Sigma rules.\u003c/li\u003e\n\u003cli\u003eInvestigate any identified instances of \u003ccode\u003erundll32.exe\u003c/code\u003e executing \u003ccode\u003eyuze.dll\u003c/code\u003e, focusing on the parent processes and network connections.\u003c/li\u003e\n\u003cli\u003eBlock the C2/relay IP or domain found in the \u003ccode\u003e-c\u003c/code\u003e argument at DNS/firewall, as described in the Triage and Analysis section of the rule\u0026rsquo;s note.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-02T12:00:00Z","date_published":"2024-01-02T12:00:00Z","id":"/briefs/2024-01-yuze-tunneling/","summary":"This alert detects potential protocol tunneling activity via the execution of Yuze, a lightweight open-source tunneling tool often used by threat actors for intranet penetration via forward and reverse SOCKS5 proxy tunneling.","title":"Potential Protocol Tunneling via Yuze","url":"https://feed.craftedsignal.io/briefs/2024-01-yuze-tunneling/"}],"language":"en","title":"CraftedSignal Threat Feed — Tunneling","version":"https://jsonfeed.org/version/1.1"}