Monday, January 25, 23:25

BlackWater Malware: Pretends to be a file with a coronavirus information

A new malware strain called BlackWater pretends to be information about the COVID-19 coronavirus while abusing Cloudflare Workers as the interface to its command and control (C2) server.

Cloudflare Workers are JavaScript programs that run directly on Cloudflare's edge, so they can interact with remote web clients. Workers can be used to modify the output of a website sitting behind Cloudflare, to disable Cloudflare features, or even to run as standalone JavaScript programs.

For example, a Cloudflare Worker can be written to search the text of a web server's output and replace words in it, or simply to return data to a web client.

BlackWater uses Cloudflare Workers as the C2 interface

Recently, MalwareHunterTeam discovered a RAR file being distributed that pretends to contain information about the coronavirus (COVID-19), called "Important - COVID-19.rar".

How the file is distributed is not known at this time, but it is probably via phishing emails.

Inside this RAR archive is a file called "Important - COVID-19.rar" that uses a Word icon. Unfortunately, since Microsoft hides file extensions by default, many users will simply see this file as a Word document rather than as an executable, and will be more likely to open it.

While the victim is reading the COVID-19 document, the malware also extracts the file %UserProfile%\AppData\Local\Library SQL\bin\version 5.0\sqltuner.exe.

This is where things get a little more interesting: the malware is launched with a command line that makes BlackWater connect to a Cloudflare Worker acting as its command and control server.

Users who visit the Worker's URL directly will see the following "HellCat" image.

SentinelLabs' Vitali Kremez told BleepingComputer that this Worker is the front end of a ReactJS Strapi application that acts as the command and control server.

Kremez stated that, once the malware connects to it with the correct authentication parameters, this C2 responds with an encoded JSON string that may contain commands to run.

When asked why the attackers use a Cloudflare Worker instead of connecting to the C2 directly over the internet, Kremez suggested that it makes it harder for security software to block the traffic by IP address without blocking all of Cloudflare's Worker infrastructure.

While there is still much to learn about this new malware and how it works, it does provide an interesting look at how malware developers abuse legitimate cloud infrastructure in new ways.

By using Cloudflare Workers, malware command and control servers become harder to block, and the malware operation can be scaled up easily as needed.
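Because the C2 hides behind Cloudflare's shared edge, blocking by IP address is not practical; the usable indicators are on the host instead. The script below is an added example, not code from the article or from any researcher it quotes: it triages constructed Sysmon-style process-creation events, flagging the drop path named above and a user-profile binary whose command line references a workers.dev host (the host name "covid-info.workers.dev" is a hypothetical placeholder).

```python
import re

# Constructed sample of Sysmon-style process-creation events; not real telemetry from the campaign.
# The image path of the first event comes from the article; the workers.dev host is a placeholder.
SAMPLE_EVENTS = [
    {"Image": r"C:\Users\alice\AppData\Local\Library SQL\bin\version 5.0\sqltuner.exe",
     "CommandLine": r'"C:\Users\alice\AppData\Local\Library SQL\bin\version 5.0\sqltuner.exe" '
                    r"--config https://covid-info.workers.dev/api/v1"},
    {"Image": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "CommandLine": r'"C:\Program Files\Mozilla Firefox\firefox.exe" https://example.com'},
    {"Image": r"C:\Windows\System32\curl.exe",
     "CommandLine": r"curl https://my-site.workers.dev/"},
]

# Drop location named in the article: %UserProfile%\AppData\Local\Library SQL\bin\version 5.0\sqltuner.exe
DROP_PATH = re.compile(r"\\AppData\\Local\\Library SQL\\bin\\version 5\.0\\sqltuner\.exe$", re.IGNORECASE)
# Default hostname suffix for Cloudflare Workers. Blocking the IP is useless (shared Cloudflare edge),
# so the host name in the command line is the indicator we can act on.
WORKERS_HOST = re.compile(r"https?://[\w.-]+\.workers\.dev", re.IGNORECASE)
# A binary launched from a user profile is far more suspicious than a system tool doing the same.
USER_WRITABLE = re.compile(r"^[A-Z]:\\Users\\[^\\]+\\", re.IGNORECASE)


def indicators(event):
    """Return the names of the indicators that match one process-creation event."""
    hits = []
    if DROP_PATH.search(event["Image"]):
        hits.append("blackwater_drop_path")
    if WORKERS_HOST.search(event["CommandLine"]) and USER_WRITABLE.match(event["Image"]):
        hits.append("workers_dev_from_user_profile")
    return hits


def triage(events):
    """Return (image, indicators) for every event that matches at least one indicator."""
    return [(e["Image"], indicators(e)) for e in events if indicators(e)]


if __name__ == "__main__":
    for image, hits in triage(SAMPLE_EVENTS):
        print(f"{image}: {', '.join(hits)}")
```

The curl event is deliberately left unflagged: a workers.dev host on its own is legitimate traffic, and the value of the rule comes from pairing it with the process's location.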
