BlackWater, a new backdoor malware posing as COVID-19 information, abuses Cloudflare Workers as an interface to its command and control (C2) server.
For example, a Cloudflare Worker can be created to search for text in a web server’s output and replace words in it, or simply to return data to a web client.
MalwareHunterTeam found a RAR file called “Important – COVID-19.rar” being spread under the pretense of containing information about the Coronavirus (COVID-19).
The distribution method for this file is currently unknown, but it is believed to be spread through phishing emails.
The RAR file contains a file called “Important – COVID-19.docx.exe” that carries a Word icon. Since Windows hides known file extensions by default, victims see this file as a Word document rather than an executable and may open it.
When the file is opened, the malware extracts a Word document called “Important – COVID-19.docx.docx” to the %UserProfile%\downloads folder and opens it in Word.
This document serves as a decoy: it contains information about the COVID-19 virus while the malware installs the rest of its components and executes them on the computer.
While the victim reads the COVID-19 document, the malware extracts a file to %UserProfile%\AppData\Local\Library SQL\bin\version 5.0\sqltuner.exe.
This file is then launched with a command line that causes the BlackWater malware to connect to a Cloudflare Worker, which acts as the command and control server, or at least as a passthrough to one.
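The two host-side artifacts described above, a document-looking name that ends in an executable extension and the sqltuner.exe drop path, can be checked in file-creation telemetry. The following is an added example, not code from the original article; the event format and the sample lines are constructed for illustration.

```python
import re
from pathlib import PureWindowsPath

# Extensions that make a name look like a document, and those that actually execute.
DOCUMENT_EXTS = {".doc", ".docx", ".pdf", ".xls", ".xlsx", ".ppt", ".pptx", ".txt"}
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs"}

# Drop path named in the article (the "Library SQL\bin\version 5.0" folder is specific to this lure).
DROP_PATH_RE = re.compile(
    r"\\AppData\\Local\\Library SQL\\bin\\version 5\.0\\sqltuner\.exe$", re.IGNORECASE
)


def double_extension(path: str):
    """Return (inner_ext, outer_ext) when a document-looking name ends in an executable extension."""
    suffixes = [s.lower() for s in PureWindowsPath(path).suffixes]
    if len(suffixes) >= 2 and suffixes[-1] in EXECUTABLE_EXTS and suffixes[-2] in DOCUMENT_EXTS:
        return suffixes[-2], suffixes[-1]
    return None


def classify(path: str) -> list[str]:
    """Label a created file path with every indicator from the article that it matches."""
    findings = []
    if DROP_PATH_RE.search(path):
        findings.append("known-drop-path")
    if double_extension(path):
        findings.append("double-extension")
    return findings


# Constructed sample events in a hypothetical "user<TAB>created path" format.
SAMPLE_EVENTS = """alice\tC:\\Users\\alice\\downloads\\Important – COVID-19.docx.exe
alice\tC:\\Users\\alice\\downloads\\Important – COVID-19.docx.docx
alice\tC:\\Users\\alice\\AppData\\Local\\Library SQL\\bin\\version 5.0\\sqltuner.exe
bob\tC:\\Users\\bob\\Documents\\budget.xlsx
"""


def scan(events: str) -> dict[str, list[str]]:
    """Map each flagged path to its findings; paths with no findings are dropped."""
    hits = {}
    for line in events.splitlines():
        _user, _, path = line.partition("\t")
        findings = classify(path)
        if findings:
            hits[path] = findings
    return hits


if __name__ == "__main__":
    for path, findings in scan(SAMPLE_EVENTS).items():
        print(f"{', '.join(findings)}: {path}")
```

The decoy “.docx.docx” file is deliberately not flagged, since both extensions are document types; only the executable with a document inner extension and the known drop path produce findings.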
According to Vitali Kremez, head of SentinelLabs, this Worker is a front end to a ReactJS Strapi app that acts as the command and control server.
The malware connects through a Cloudflare Worker rather than directly to the C2, which makes it difficult for security software to block the traffic by IP address without also blocking all of Cloudflare’s Worker infrastructure.
By using Cloudflare Workers, traffic to malware command and control servers becomes harder to block, and the malware operation can be scaled up more easily.