BlackWater, a malware that uses Cloudflare Workers for C2 Communication

Crooks continue to abuse the interest in Coronavirus outbreak, now experts found a new backdoor called BlackWater that pretends to provide information about COVID-19.

Experts found a new backdoor malware called BlackWater that pretends to provide information about the COVID-19 outbreak while abusing Cloudflare Workers as an interface to the C2 server.

Cloudflare Workers provide a serverless execution environment that allows users to create entirely new applications or augment existing ones without configuring or maintaining infrastructure.

Cloudflare Workers allow users to run JavaScript in Cloudflare’s data centers. Using a Worker, users can modify your site’s HTTP requests and responses, make parallel requests, or generate responses from the edge.

Researchers from MalwareHunterTeam discovered a suspicious RAR file named “COVID-19-” that was being distributed online, likely through phishing emails.

“Important – COVID-19.rar” -> “Important – COVID-19.docx.exe” (bbc75560752ea882e6eff152427cb00cc1b2daa50351cfef7b10c6dfeea75e34)Interesting sample…@VK_Intel @JAMESWT_MHT @James_inthe_box— MalwareHunterTeam (@malwrhunterteam) March 13, 2020The RAR archive contains a file named “Important – COVID-19” that displays a Word icon. Once opened, the malicious code will extract a Word document to the %UserProfile%downloads folder called “Important – COVID-19.docx.docx” and opens it using the Microsoft Word.

The Word doc is a weaponized document containing information on the COVID-19 virus outbreak, it acts as a dropper for the final payload and executes it.

Upon execution, the BlackWater malware connects to a Cloudflare Worker that acts as a command and control server.

“This is where things get a bit interesting as the malware is then launched using a command line that causes the BlackWater malware to connect to a Cloudflare Worker that acts as a command and control server or at least a passthrough to one.” reported BleepingComputer.

Below the command used by the malware to contact the C2.


The popular malware researcherVitali Kremez told BleepingComputer that the worker contacted by the malware is a front end to a ReactJS Stapi App that is used as a command and control server.

The malware connects the worker, which in turn responds with a JSON encoded string that may contain commands.

According to the experts, the malware is under active development.

The use of a Cloudflare Worker represents a novelty in the threat landscape, it is a design choice that could allow the BlackWater to avoid the detection. Another advantage of using Cloud Workers as command and control is that the malware attack could be easily scaled.

“I think this is why they employ as it returns back the legit Cloudflare proxy IP which acts as a reverse proxy passing the traffic to the C2. It makes blocking the IP traffic impossible given it is Cloudflare (unless the whole Cloudflare worker space is banned) infrastructure while hiding the actual C2.” Kremez told BleepingComputer.

For more technical details read the post published by BleepingComputer:

window._mNHandle = window._mNHandle || {};
window._mNHandle.queue = window._mNHandle.queue || [];
medianet_versionId = “3121199”;

try {
window._mNHandle.queue.push(function () {
window._mNDetails.loadTag(“762221962”, “300×250”, “762221962”);
catch (error) {}

Pierluigi Paganini

(SecurityAffairs –
hacking, passphrases)

The post BlackWater, a malware that uses Cloudflare Workers for C2 Communication appeared first on Security Affairs.