A new malware called BlackWater pretends to be information about the COVID-19 coronavirus while abusing Cloudflare Workers as an interface to the malware's command and control (C2) server.
For example, a Cloudflare Worker can be created to search a web server's output for text and replace words in it, or simply to return data to a web client.
BlackWater uses Cloudflare Workers as the C2 interface
Recently, MalwareHunterTeam discovered a RAR file being distributed that pretends to contain information about the coronavirus (COVID-19), called "Important - COVID-19.rar".
How the file is distributed is not known at this time, but it is most likely via phishing emails.
Inside this RAR file is a file called "Important - COVID-19.rar" that uses a Word icon. Unfortunately, as Microsoft hides file extensions by default, many users will simply see this file as a Word document rather than an executable and will be more likely to open it.
While victims are reading the COVID-19 document, the malware also extracts the file `%UserProfile%\AppData\Local\Library SQL\bin\version 5.0\sqltuner.exe`.
This is where things get a little interesting, as the malware is launched with a command line that causes BlackWater to connect to a Cloudflare Worker acting as its command and control server.
Users who visit this worker's URL directly will see the following "HellCat" image.
SentinelLabs chief Vitali Kremez told BleepingComputer that this worker is the front end of a ReactJS Strapi application that acts as the command and control server.
Kremez stated that this C2 responds with an encoded JSON string, which may contain commands to run, when the malware connects to it with the correct authentication parameters.
When asked why the attackers would use a Cloudflare Worker instead of connecting directly to the C2, Kremez said he believes it makes it harder for security software to block the IP traffic without blocking all Cloudflare Worker infrastructure.
By using Cloudflare Workers, malware command and control servers become more difficult to block, and the malware can easily be scaled up as needed.
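Because the Worker's traffic cannot be separated from legitimate Cloudflare traffic by IP, a host-side check on the execution chain described above (an executable dropped under the user's AppData\Local tree and launched with a Worker URL on its command line) is one practical detection. The snippet below is an added example, not code from the article or from any of the researchers named in it; the process-creation events are constructed, and the `*.workers.dev` hostname is an assumption, since the article does not name the hostname this sample used.

```python
import re

# Constructed process-creation events in the shape of a Sysmon Event ID 1 export
# (image path plus command line). Sample values only, not indicators from the article.
SAMPLE_EVENTS = [
    {"image": r"C:\Users\alice\AppData\Local\Library SQL\bin\version 5.0\sqltuner.exe",
     "cmdline": r'"C:\Users\alice\AppData\Local\Library SQL\bin\version 5.0\sqltuner.exe" '
                r'https://example-worker.workers.dev/'},
    {"image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "cmdline": r'"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE" '
                r'"C:\Users\alice\Downloads\Important - COVID-19.docx"'},
    {"image": r"C:\Users\alice\AppData\Local\Microsoft\Teams\Update.exe",
     "cmdline": r'"C:\Users\alice\AppData\Local\Microsoft\Teams\Update.exe" --processStart Teams.exe'},
]

# Condition 1: the executable lives under the per-user AppData\Local tree, where the
# article says sqltuner.exe is dropped.
APPDATA_LOCAL = re.compile(r"^[a-z]:\\users\\[^\\]+\\appdata\\local\\", re.IGNORECASE)

# Condition 2: the command line hands the executable a Cloudflare Worker URL.
# *.workers.dev is the default hostname Cloudflare assigns to Workers; treating it
# as the indicator is an assumption, the article does not give the hostname used.
WORKER_URL = re.compile(r"https?://[a-z0-9.-]+\.workers\.dev\b", re.IGNORECASE)


def is_suspicious(event):
    """True only when both conditions hold; either one alone is common and benign."""
    return bool(APPDATA_LOCAL.search(event["image"]) and WORKER_URL.search(event["cmdline"]))


def triage(events):
    """Return the image paths of all events that match both conditions."""
    return [e["image"] for e in events if is_suspicious(e)]


if __name__ == "__main__":
    for hit in triage(SAMPLE_EVENTS):
        print("suspicious:", hit)
```

Requiring both conditions keeps legitimate AppData\Local updaters (the Teams entry above) and ordinary Office launches out of the results.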