BlackWater Backdoor Finds New Way to Misuse Cloudflare Workers

Delaware, USA – March 16, 2020 – The BlackWater backdoor uses legitimate cloud infrastructure to make its command-and-control communications harder to track and block. The Cloudflare Workers platform provides a serverless execution environment both for developers who want to create new apps and for malware authors who want to hide malicious traffic from security solutions. MalwareHunterTeam found a RAR file named “Important – COVID-19.docx.exe”; cybercriminals seem to be spreading it via phishing emails that exploit the hype around the coronavirus and quarantines. The malware extracts a Word document containing information on COVID-19 and opens it while the BlackWater backdoor is being installed. When launched, the malware connects to a Cloudflare Worker that is used for command-and-control communications. Vitali Kremez, Head of SentinelLabs, analyzed the sample and discovered that this worker is a front end to a ReactJS Strapi App.

“The BlackWater malware is, by and large, a newer generation malware taking advantage of the ReactJS Strapi App for the backend checking, leveraging Cloudflare workers resolvers and employing JSON-based parser inside its DLL passing the server argument directly. The check-ins bear the ‘blackwater’ marker as well passing either email @ black.water or @ black64.water depending on the architecture,” the researcher told BleepingComputer. “The malware appears to be novel and its JSON-based parser with the newer generation ReactJS backend server architecture is indicative of the active development amid the CoronaVirus outbreak.”
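The lure file name and the check-in markers described above can be turned into a simple triage check over endpoint and proxy telemetry. This is an added example, not code from the original report or from any vendor rule pack; the event field names, the JSON body layout and the sample events are constructed for illustration.

```python
import re

# Document-style extension immediately followed by an executable extension,
# the naming pattern of the lure file reported on this page.
DOUBLE_EXT = re.compile(
    r"\.(docx?|xlsx?|pptx?|pdf|rtf|txt)\.(exe|scr|com|pif)$", re.IGNORECASE)
# Check-in markers quoted by the researcher: the "blackwater" string and an
# e-mail value ending in @black.water or @black64.water (spacing tolerated).
CHECKIN = re.compile(r"blackwater|@\s*black(64)?\.water\b", re.IGNORECASE)

def is_double_extension(image_path):
    """True if the file name ends in <document ext>.<executable ext>."""
    name = re.split(r"[\\/]", image_path)[-1].strip()
    return bool(DOUBLE_EXT.search(name))

def has_checkin_marker(body):
    """True if a request body carries one of the reported check-in markers."""
    return bool(CHECKIN.search(body))

def triage(events):
    """Return (event_id, reason) for every event that matches a check."""
    hits = []
    for ev in events:
        if ev["type"] == "process" and is_double_extension(ev["image"]):
            hits.append((ev["id"], "double-extension executable"))
        elif ev["type"] == "http" and has_checkin_marker(ev["body"]):
            hits.append((ev["id"], "blackwater check-in marker"))
    return hits

# Constructed sample events; field names and values are illustrative only.
SAMPLE_EVENTS = [
    {"id": 1, "type": "process",
     "image": r"C:\Users\a\Downloads\Important - COVID-19.docx.exe"},
    {"id": 2, "type": "process",
     "image": r"C:\Program Files\Microsoft Office\WINWORD.EXE"},
    {"id": 3, "type": "process", "image": r"C:\Users\a\Desktop\report.v2.docx"},
    {"id": 4, "type": "http", "body": '{"email": "host01@black64.water"}'},
    {"id": 5, "type": "http", "body": '{"query": "water bill payment"}'},
]

if __name__ == "__main__":
    for event_id, reason in triage(SAMPLE_EVENTS):
        print(event_id, reason)
```

String markers like these are easy for an operator to change, so matches are best treated as triage leads to correlate with other telemetry rather than as a complete detection.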

Last fall, the authors of the Astaroth malware misused the Cloudflare Workers platform to spread the updated version of the trojan: a malicious archive contained a shortcut with a URL that led to a script created using the Cloudflare Workers dashboard, which downloaded the final payload. To uncover such threats, you can use the Windows Security Monitor rule pack, which performs statistical analysis and profiling of basic Microsoft Windows and Active Directory security events: https://my.socprime.com/en/integrations/windows-security-monitor