Monday, July 13, 18:09 p.m.

BlackWater Malware: Pretends to be a file with a coronavirus information

A new malware strain called BlackWater poses as information about the COVID-19 coronavirus while abusing Cloudflare Workers as the interface to its command and control (C2) server.

Cloudflare Workers are JavaScript programs that run on Cloudflare's edge network, so they can interact directly with remote web clients. A Worker can be used to modify the output of a website that sits behind Cloudflare, to disable Cloudflare features, or even to run as a standalone JavaScript program.

For example, a Cloudflare Worker can be written to search the text a web server returns and replace words in it, or simply to send data of its own back to a web client.
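The kind of Worker described above, as an added example that is not code from the article or from the malware it describes: it proxies the origin's response and rewrites words in any text body before the client sees it. The substitution table, the handler name `handleRequest` and the injectable `fetchOrigin` parameter are assumptions made for this example; the `addEventListener("fetch", ...)` entry point is Cloudflare's service-worker style API.

```javascript
// Added example (not from the article): a minimal Cloudflare Worker that
// fetches the origin response and replaces words in text bodies.

// Word substitutions applied to the origin's response body (constructed sample).
const REPLACEMENTS = {
  beta: "release candidate",
  internal: "public",
};

// Replace whole-word, case-sensitive occurrences of each key in the text.
function rewriteText(text, replacements = REPLACEMENTS) {
  let out = text;
  for (const [from, to] of Object.entries(replacements)) {
    // Escape regex metacharacters so keys are matched literally.
    const escaped = from.replace(/[.*+?^${}()|[\]\\]/g, "\\$&");
    out = out.replace(new RegExp("\\b" + escaped + "\\b", "g"), to);
  }
  return out;
}

// Proxy the request to the origin and rewrite only text responses.
// fetchOrigin is injectable so the handler can be exercised without a network.
async function handleRequest(request, fetchOrigin = fetch) {
  const upstream = await fetchOrigin(request);
  const contentType = upstream.headers.get("content-type") || "";
  if (!contentType.startsWith("text/")) {
    return upstream; // binary and JSON bodies pass through untouched
  }
  const body = await upstream.text();
  const headers = new Headers(upstream.headers);
  headers.delete("content-length"); // the length changes after rewriting
  return new Response(rewriteText(body), { status: upstream.status, headers });
}

// Cloudflare's service-worker style entry point; guarded so the same file
// also loads under plain Node.js, where no global fetch event exists.
if (typeof addEventListener === "function") {
  addEventListener("fetch", (event) => event.respondWith(handleRequest(event.request)));
}
```

Because the Worker answers from Cloudflare's own edge addresses, a client talking to it is indistinguishable at the IP level from a client talking to any other Cloudflare-fronted site; that property is exactly what the rest of the article turns on.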

BlackWater uses Cloudflare Workers as the C2 interface

Recently, MalwareHunterTeam discovered a RAR file being distributed that pretends to contain information about the coronavirus (COVID-19), named "Important - COVID-19.rar".

How the file is being distributed is not known at this time, but it is most likely via phishing emails.

Inside this RAR archive is a file called "Important - COVID-19.rar" that uses a Word icon. Unfortunately, because Windows hides file extensions by default, many users will simply see this file as a Word document rather than as an executable, and will be more likely to open it.

While the victim is reading the COVID-19 document, the malware also extracts the file `%UserProfile%\AppData\Local\Library SQL\bin\version 5.0\sqltuner.exe`.

This is where things get a little more interesting: the extracted executable is launched with a command line that causes the BlackWater malware to connect to a Cloudflare Worker acting as its command and control server.

Users who visit the Worker's address directly in a browser are shown a "HellCat" image.

SentinelLabs' Vitali Kremez told BleepingComputer that this Worker is the front end of a ReactJS Strapi application that acts as the command and control server.

Kremez stated that this C2 responds with an encoded JSON string, which may contain commands to execute, when the malware connects to it with the correct authentication parameters.

When asked why the attackers would use a Cloudflare Worker instead of connecting to the C2 directly, Kremez suggested that it makes it harder for security software to block the traffic by IP address without also blocking all of Cloudflare's Worker infrastructure.

While there is still much to learn about this new malware and how it works, it offers an interesting look at how malware developers are using legitimate cloud infrastructure in new ways.

By using Cloudflare Workers, malware command and control servers become harder to block, and the malware can be scaled up easily as needed.
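Since blocking by IP address does not help here, the practical detection points are the ones the article does name: the executable dropped under the user profile and the fact that the C2 traffic goes to a Cloudflare Worker. The following detector is an added example, not code from the article, SentinelLabs or BleepingComputer. It runs two rules over constructed endpoint log lines: execution of the `sqltuner.exe` path reported in the article, and a network connection to a Worker from a process running under the user profile. The key=value log format, the host names and the destination names are constructed for this example, and the `.workers.dev` suffix is an assumption based on the default domain Cloudflare assigns to Workers; a Worker bound to a custom domain would need a rule of its own.

```javascript
// Added example (not from the article): hunting for the BlackWater behaviour
// described above in endpoint process and network logs.

// Executable path reported in the article for the dropped file.
const DROPPED_EXE =
  "%UserProfile%\\AppData\\Local\\Library SQL\\bin\\version 5.0\\sqltuner.exe";

// Assumption: the Worker is reached over Cloudflare's default workers.dev domain.
const WORKER_SUFFIX = ".workers.dev";

// Constructed sample log lines in a simple key=value format.
const SAMPLE_LOGS = [
  'ts=2020-07-13T18:01:02Z type=process host=WS01 image="C:\\Users\\alice\\AppData\\Local\\Library SQL\\bin\\version 5.0\\sqltuner.exe" parent="explorer.exe"',
  'ts=2020-07-13T18:01:03Z type=network host=WS01 image="C:\\Users\\alice\\AppData\\Local\\Library SQL\\bin\\version 5.0\\sqltuner.exe" dst="example-worker.example.workers.dev" dport=443',
  'ts=2020-07-13T18:02:00Z type=network host=WS02 image="C:\\Program Files\\Mozilla Firefox\\firefox.exe" dst="www.cloudflare.com" dport=443',
  'ts=2020-07-13T18:03:00Z type=process host=WS03 image="C:\\Windows\\System32\\notepad.exe" parent="explorer.exe"',
];

// Parse one key=value line; values may be double-quoted and contain spaces.
function parseLine(line) {
  const ev = {};
  const re = /(\w+)=("(?:[^"\\]|\\.)*"|\S+)/g;
  let m;
  while ((m = re.exec(line)) !== null) {
    let v = m[2];
    if (v.startsWith('"') && v.endsWith('"')) v = v.slice(1, -1);
    ev[m[1]] = v;
  }
  return ev;
}

// Map "C:\Users\<name>\..." onto "%UserProfile%\..." and lower-case the result
// so a log path can be compared with the path as the article reports it.
function normalizeUserPath(p) {
  return p.replace(/^[A-Za-z]:\\Users\\[^\\]+/i, "%UserProfile%").toLowerCase();
}

function isDroppedExe(image) {
  return normalizeUserPath(image) === DROPPED_EXE.toLowerCase();
}

// A process image living under the user's AppData tree rather than a program directory.
function runsFromUserProfile(image) {
  return /^[A-Za-z]:\\Users\\[^\\]+\\AppData\\/i.test(image);
}

function isWorkerHost(dst) {
  return typeof dst === "string" && dst.toLowerCase().endsWith(WORKER_SUFFIX);
}

// Returns one alert object per rule that fires on a line.
function detect(lines) {
  const alerts = [];
  for (const line of lines) {
    const ev = parseLine(line);
    if (ev.type === "process" && isDroppedExe(ev.image)) {
      alerts.push({ rule: "blackwater-dropped-exe", host: ev.host, image: ev.image });
    }
    if (ev.type === "network" && isWorkerHost(ev.dst) && runsFromUserProfile(ev.image)) {
      alerts.push({ rule: "workers-dev-from-user-profile", host: ev.host, dst: ev.dst, image: ev.image });
    }
  }
  return alerts;
}

// Stand-alone run under Node.js: print the alerts for the constructed logs.
if (typeof require !== "undefined" && require.main === module) {
  console.log(JSON.stringify(detect(SAMPLE_LOGS), null, 2));
}
```

The second rule is deliberately broader than the first: it will also catch a future sample that drops a differently named binary but keeps the Worker-based C2, at the cost of needing an allowlist for any legitimate user-profile software in the environment that talks to Workers.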
