Experts found a new backdoor malware called
Researchers from MalwareHunterTeam discovered a suspicious RAR file named “COVID-19-” that was being distributed online, likely through phishing emails.
The RAR archive contains a file named “Important – COVID-19” that displays a Word icon. Once opened, the malicious code will extract a Word document to the %UserProfile%\downloads folder called “Important – COVID-19
The Word doc is a
Upon execution, the BlackWater malware connects to a Cloudflare Worker that acts as a command and control server.
“This is where things get a bit interesting as the malware is then launched using a command line that causes the BlackWater malware to connect to a Cloudflare Worker that acts as a command and control server or at least a
The malware connects to the worker, which in turn responds with a JSON-encoded string that may contain commands.
According to the experts, the malware is under active development.
The use of a Cloudflare Worker represents a novelty in the threat landscape; it is a design choice that could allow the
“I think this is why they employ as it returns back the legit Cloudflare proxy IP which acts as a reverse proxy passing the traffic to the C2. It makes blocking the IP traffic impossible given it is Cloudflare (unless the whole Cloudflare worker space is banned) infrastructure while hiding the actual C2.” Kremez told BleepingComputer.
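To illustrate the blocking problem Kremez describes, here is an added defender-side example (not code from the article or from the researchers): an IP blocklist built from a shared Cloudflare proxy range catches legitimate browser traffic alongside the beacon, while keying on the Worker hostname and the requesting process isolates the suspicious connections. The network events, process names and hostnames are constructed; the `workers.dev` suffix is Cloudflare's default Worker domain, and the prefix is assumed to be a Cloudflare range (check it against Cloudflare's published list before use).

```python
import ipaddress
from collections import namedtuple

# One outbound TLS connection as a proxy or EDR would record it.
Event = namedtuple("Event", "process dest_ip host")

# Constructed sample events: a legitimate browser, an Office process and a
# service all reaching the same shared Cloudflare edge IP.
EVENTS = [
    Event("chrome.exe",  "104.16.132.229", "www.example-shop.com"),
    Event("winword.exe", "104.16.132.229", "status-check.example.workers.dev"),
    Event("svchost.exe", "104.16.132.229", "update.example.workers.dev"),
    Event("outlook.exe", "40.97.128.10",   "outlook.office365.com"),
]

# Assumed Cloudflare edge prefix; many unrelated sites are fronted by it.
SHARED_PROXY_NETS = [ipaddress.ip_network("104.16.0.0/13")]

# Default Cloudflare Worker hostname suffix. Workers on custom domains will
# not match this and need hostname reputation or process context instead.
WORKER_SUFFIX = ".workers.dev"


def ip_block_hits(events):
    """Events an IP-based block on the shared proxy range would stop."""
    return [e for e in events
            if any(ipaddress.ip_address(e.dest_ip) in net
                   for net in SHARED_PROXY_NETS)]


def ip_block_collateral(events, browsers):
    """Legitimate browser traffic that the same IP block would break."""
    return [e for e in ip_block_hits(events) if e.process in browsers]


def worker_c2_candidates(events, browsers):
    """Connections to a Worker hostname from a non-browser process.

    A browser reaching a Worker is routine; an Office or service process
    doing so is the pattern described for BlackWater and worth alerting on.
    """
    return [e for e in events
            if e.host.lower().endswith(WORKER_SUFFIX)
            and e.process not in browsers]


if __name__ == "__main__":
    browsers = {"chrome.exe"}
    print("IP block hits:", [e.process for e in ip_block_hits(EVENTS)])
    print("Collateral:", [e.host for e in ip_block_collateral(EVENTS, browsers)])
    print("Worker C2 candidates:",
          [(e.process, e.host) for e in worker_c2_candidates(EVENTS, browsers)])
```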
For more technical details read the post published by BleepingComputer: