BlackWater Malware exploits Cloudflare Workers for C2 Communication


BlackWater, a new backdoor malware posing as COVID-19 information, abuses Cloudflare Workers as an interface to its command and control (C2) server.

Cloudflare Workers are JavaScript programs that run directly on Cloudflare’s edge so that they can interact with connections from remote web clients. These Workers can be used to modify the output of a website behind Cloudflare, disable Cloudflare features, or even act as independent JavaScript programs running on the edge that display output of their own.

For example, a Cloudflare Worker can be created to search a web server’s output for text and replace words in it, or simply to output data back to a web client.
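To make both behaviours concrete, here is an added example of a Cloudflare Worker written in the Service Worker style; it is not code from the article, from Cloudflare, or from the malware. The origin fetch is replaced by `fetchOrigin`, an assumed stand-in for the Workers runtime’s `fetch()` that returns a constructed HTML page, so the example runs offline under Node 18+, which provides the same `Request`/`Response` globals as the Workers runtime.

```javascript
// Added example (not from the article): a minimal Cloudflare Worker that
// (a) rewrites words in the origin's HTML on the way to the client and
// (b) answers one path entirely from the edge, with no origin involved.

// Constructed origin page, standing in for the site behind Cloudflare.
const CONSTRUCTED_ORIGIN_HTML =
  '<html><body><h1>Welcome</h1><p>Status: maintenance in progress</p></body></html>';

// Assumed stand-in for the runtime's fetch(request) to the origin server.
async function fetchOrigin(request) {
  return new Response(CONSTRUCTED_ORIGIN_HTML, {
    status: 200,
    headers: { 'content-type': 'text/html; charset=utf-8' },
  });
}

// Word replacements applied to the origin's output (constructed sample).
const REPLACEMENTS = [[/maintenance/g, 'upgrade']];

async function handleRequest(request) {
  const url = new URL(request.url);

  // (b) Independent program on the edge: this path never touches the origin.
  if (url.pathname === '/data') {
    return new Response(JSON.stringify({ ok: true, served: 'edge' }), {
      status: 200,
      headers: { 'content-type': 'application/json' },
    });
  }

  // (a) Proxy the request to the origin and rewrite the HTML body.
  const originResponse = await fetchOrigin(request);
  const contentType = originResponse.headers.get('content-type') || '';
  if (!contentType.startsWith('text/html')) return originResponse;

  let body = await originResponse.text();
  for (const [pattern, replacement] of REPLACEMENTS) {
    body = body.replace(pattern, replacement);
  }
  return new Response(body, {
    status: originResponse.status,
    headers: originResponse.headers,
  });
}

// Registration as the Workers runtime expects it. Node has no global fetch
// event, so the registration is guarded and handleRequest is called directly
// in tests instead.
if (typeof addEventListener === 'function') {
  addEventListener('fetch', (event) => event.respondWith(handleRequest(event.request)));
}
```

The same two mechanisms are what make a Worker usable as a C2 front end: path (b) lets the edge answer requests on its own, and path (a) lets it relay and rewrite traffic to a server behind it. From the client's side both look like ordinary HTTPS to a Cloudflare address, which is why blocking by IP is not an option and hostname-level controls are needed.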

MalwareHunterTeam found a RAR file called “Important – COVID-19.rar” being spread under the pretence of containing information about the Coronavirus (COVID-19).

The distribution method for this file is currently unknown, but it is believed to be spread through phishing emails.

This RAR file contains a file called “Important – COVID-19.docx.exe”, which has a Word icon. Since Windows hides file extensions by default, victims may take this file for a Word document rather than an executable and open it.

When the file is opened, the malware extracts a Word document called “Important – COVID-19.docx.docx” to the %UserProfile%\downloads folder and opens it in Word.

The document serves as a decoy: it contains information on the COVID-19 virus and keeps the victim occupied while the rest of the malware is installed and executed on the computer.

While the victim is reading the COVID-19 document, the malware extracts the %UserProfile%\AppData\Local\Library SQL\bin\version 5.0\sqltuner.exe file.

This file is then launched with a command line that causes the BlackWater malware to connect to a Cloudflare Worker, which acts as the command and control server, or at least as a passthrough to one.

According to Vitali Kremez, head of SentinelLabs, this Worker is a front end to a ReactJS Strapi app that acts as the command and control server.

A Cloudflare Worker is used rather than a direct connection to the C2 because it makes it difficult for security software to block the traffic by IP address without also blocking all of Cloudflare’s Worker infrastructure.

By using Cloudflare Workers, traffic to malware command and control servers becomes harder to block, and the malware operation can be scaled easily.
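Because the traffic cannot be blocked by IP, a defender has to look at who is talking to Worker hostnames rather than where the packets go. The following added detection example (not from the article, and not from any vendor product) scans a constructed endpoint-log extract, in which each line is `timestamp|image path|destination host|port`, and flags processes that contact Cloudflare’s default Worker domain `*.workers.dev` without being a known browser. The hostnames, process paths and log format are constructed sample data; the `sqltuner.exe` path is the one the article names.

```javascript
// Added detection example (not from the article). Hunts an endpoint log
// for non-browser processes that connect to *.workers.dev hostnames.

// Processes expected to reach Workers-hosted sites in the normal course of
// browsing. Anything else contacting workers.dev deserves a look.
const KNOWN_BROWSERS = new Set(['chrome.exe', 'firefox.exe', 'msedge.exe', 'iexplore.exe']);

// Constructed sample log: timestamp|image path|destination host|destination port.
const SAMPLE_LOG = `
2020-03-20T10:01:02Z|C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe|api.example-shop.workers.dev|443
2020-03-20T10:01:05Z|C:\\Users\\victim\\AppData\\Local\\Library SQL\\bin\\version 5.0\\sqltuner.exe|example-c2.account.workers.dev|443
2020-03-20T10:01:09Z|C:\\Windows\\System32\\svchost.exe|ctldl.windowsupdate.com|80
2020-03-20T10:01:11Z|C:\\Users\\victim\\Downloads\\Important - COVID-19.docx.exe|example-c2.account.workers.dev|443
`;

// Parse one log line into a record, or return null for malformed input.
function parseLine(line) {
  const parts = line.split('|');
  if (parts.length !== 4) return null;
  const [timestamp, image, host, port] = parts;
  return { timestamp, image, host: host.trim().toLowerCase(), port: Number(port) };
}

// Last path component, lower-cased, so "C:\...\SQLTUNER.EXE" and "sqltuner.exe" match.
function processName(imagePath) {
  return imagePath.split(/[\\/]/).pop().toLowerCase();
}

// Cloudflare's default Worker domain. Workers bound to a custom domain will
// not match this check (see the note below).
function isWorkersDevHost(host) {
  return host === 'workers.dev' || host.endsWith('.workers.dev');
}

// Image paths under a user's AppData or Downloads folder, where user-level
// malware droppers commonly place binaries (the article's sample did both).
const USER_WRITABLE_PATH = /\\users\\[^\\]+\\(appdata|downloads)\\/i;

function findSuspiciousWorkerTraffic(logText) {
  const hits = [];
  for (const raw of logText.split('\n')) {
    const line = raw.trim();
    if (!line) continue;
    const rec = parseLine(line);
    if (!rec || !isWorkersDevHost(rec.host)) continue;
    const name = processName(rec.image);
    if (KNOWN_BROWSERS.has(name)) continue;
    hits.push({
      timestamp: rec.timestamp,
      process: name,
      image: rec.image,
      host: rec.host,
      port: rec.port,
      userWritablePath: USER_WRITABLE_PATH.test(rec.image),
    });
  }
  return hits;
}

// Stand-alone run: print the hits for the constructed sample.
for (const hit of findSuspiciousWorkerTraffic(SAMPLE_LOG)) {
  console.log(`${hit.timestamp} ${hit.process} -> ${hit.host}:${hit.port}` +
    (hit.userWritablePath ? ' [image in user-writable path]' : ''));
}
```

Two caveats apply to this rule. The browser allowlist is a triage heuristic, not a security boundary: it only removes the bulk of legitimate workers.dev traffic so that the remaining hits are few enough to review. And a Worker attached to an attacker-controlled custom domain will not carry the workers.dev suffix at all, so the hostname check should be paired with process-reputation and user-writable-path signals such as the `userWritablePath` flag above.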

Priyanka R
Cyber Security Enthusiast, Security Blogger, Technical Editor, Author at Cyber Safe News
