
BlackWater Malware: Pretends to be a file with coronavirus information

A new malware called BlackWater pretends to be information about the COVID-19 coronavirus while abusing Cloudflare Workers as an interface to the malware's command-and-control (C2) server.

Cloudflare Workers are JavaScript programs that run directly on Cloudflare's edge, so they can interact with remote web clients. These Workers can be used to modify the output of a website behind Cloudflare, disable Cloudflare, or even work as standalone JavaScript programs.

For example, a Cloudflare Worker can be created to search for text in a web server's output and replace words in it, or simply to output data back to a web client.

BlackWater uses Cloudflare Workers as the C2 interface

Recently, MalwareHunterTeam discovered a RAR file being distributed that pretends to be a file with information about the coronavirus (COVID-19), called "Important - COVID-19.rar".

How the file is being distributed is not known at this time, but it is probably via phishing emails.

Inside this RAR file is a file called "Important - COVID-19.rar" that uses a Word icon. Unfortunately, as Microsoft hides file extensions by default, many users will simply see this file as a Word document rather than an executable and will be more likely to open it.

While victims are reading the COVID-19 document, the malware also extracts the file %UserProfile%\AppData\Local\Library SQL\bin\version 5.0\sqltuner.exe.

This is where things get a little interesting: the malware is launched with a command line that causes BlackWater to connect to a Cloudflare Worker that acts as a command-and-control server.

Users who visit this website directly will see a "HellCat" image.

SentinelLabs chief Vitali Kremez told BleepingComputer that this Worker is the front end to a ReactJS Strapi application that acts as a command-and-control server.

Kremez stated that this C2 responds with a JSON-encoded string that may contain commands to run when the malware connects to it with the correct authentication parameters.

When asked why they were using a Cloudflare Worker instead of connecting directly to the C2, Kremez said he thought it makes it more difficult for security software to block IP traffic without blocking all of the Cloudflare Worker infrastructure.

While there is still much to learn about this new malware and how it works, it does provide an interesting look at how malware developers use legitimate cloud infrastructure in new ways.

By using Cloudflare Workers, malware command-and-control servers become more difficult to block, and the malware can be easily scaled up as needed.
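The following detection logic is an added example, not taken from the original article or from the researchers it quotes. Because blocking Cloudflare's IP space is impractical, it correlates the process image path with the hostname resolved and flags executables under a user's AppData tree that look up a Workers name. The event format, host names and user names are constructed, and the `workers.dev` suffix (Cloudflare's default Workers domain) is an assumption the article does not name.

```python
import json
import ntpath

WORKERS_SUFFIX = ".workers.dev"  # shared suffix of Cloudflare Workers hostnames
PROFILE_DIRS = ("\\appdata\\local\\", "\\appdata\\roaming\\")  # user-writable

# Constructed sample events (process image + DNS name it resolved), one JSON
# object per line. Hostnames and user names are placeholders, not IoCs.
SAMPLE_LOG = r"""
{"host": "ws-01", "image": "C:\\Program Files\\Mozilla Firefox\\firefox.exe", "query": "docs.example.workers.dev"}
{"host": "ws-02", "image": "C:\\Users\\alice\\AppData\\Local\\Library SQL\\bin\\version 5.0\\sqltuner.exe", "query": "placeholder-c2.example.workers.dev"}
{"host": "ws-03", "image": "C:\\Users\\alice\\AppData\\Local\\Temp\\setup.exe", "query": "updates.example.com"}
{"host": "ws-04", "image": "C:\\USERS\\BOB\\APPDATA\\ROAMING\\x.exe", "query": "Foo.Workers.Dev."}
{"host": "ws-05", "image": "C:\\Users\\bob\\AppData\\Local\\y.exe", "query": "notworkers.dev"}
"""


def is_workers_host(name):
    """True for names under workers.dev (case and trailing dot ignored)."""
    return name.rstrip(".").lower().endswith(WORKERS_SUFFIX)


def runs_from_profile(image):
    """True when the executable lives in a user's AppData tree."""
    path = ntpath.normpath(image).lower()
    return "\\users\\" in path and any(d in path for d in PROFILE_DIRS)


def flag_events(log_text):
    """Return (host, executable, hostname) for profile-resident processes
    that resolved a Cloudflare Workers hostname."""
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        event = json.loads(line)
        if runs_from_profile(event["image"]) and is_workers_host(event["query"]):
            hits.append((event["host"],
                         ntpath.basename(event["image"]).lower(),
                         event["query"].rstrip(".").lower()))
    return hits


if __name__ == "__main__":
    for hit in flag_events(SAMPLE_LOG):
        print("review:", *hit)
```

Workers bound to a custom domain do not carry this suffix, so the rule narrows triage rather than replacing other C2 detections.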

Teo Ehc