Security researchers spotted BlackWater malware leveraging a Cloudflare Worker for command-and-control (C&C) functionality. MalwareHunterTeam observed that the threat activity began with an RAR file called "Important - COVID-19.rar." The file pretended to contain important information about the global COVID-19 outbreak, an event which other malware authors have already capitalized on with their own attack campaigns. In actuality, this file contained a file called "Important - COVID-19.docx.exe" that employed a Word icon to trick users into clicking on it. The campaign loaded a decoy document entitled "Important - COVID-19.docx.docx" for those who complied.
Decoy COVID-19 Information Document (Source: Bleeping Computer) In the background, the campaign installed the rest of the malware and executed it on the infected device. It then leveraged the command line to enable BlackWater to connect to a Cloudflare Worker, a JavaScript program which can engage with remote web client connections at Cloudflare's edge. In this particular case, the Woker was a front end to a ReactJS Strapi App that functioned as a C&C server. Vitali Kremez, director of Sentinel Labs, told Bleeping Computer that BlackWater likely used a Cloudflare Worker as its C&C server for the purpose of evading detection:
I think this is why they employ as it returns back the legit Cloudflare proxy IP which acts as a reverse proxy passing the traffic to the C2. It makes blocking the IP traffic impossible given it is Cloudflare (unless the whole Cloudflare worker space is banned) infrastructure while hiding the actual C2.
The exact distribution method for BlackWater was unknown at the time of writing, but Bleeping Computer wrote that a phishing email was the likely culprit. With that said, organizations should make an effort to protect themselves against malware such as BlackWater by educating their employees about some of the most common types of phishing campaigns in circulation today. This resource is a good place to start.
