
BlackWater

Posted: March 16, 2020

BlackWater is the name of a new, threatening backdoor disguised as a COVID-19 leaflet, which exploits the Cloudflare Workers environment to establish communication with its Command and Control server. The backdoor spreads in the form of a RAR archive, and the crooks behind it have named it “Important – COVID-19.rar.” The malware seems to be spreading via phishing emails, although the main infection vector has yet to be fully confirmed.

A Corrupted Executable Hidden behind an MS Word Document
When unzipped, the file looks like an innocuous MS Word document called “Important – COVID-19.docx.” However, this is not its full name: Windows hides file extensions by default, and this file, in particular, carries an executable extension (.exe) after the .docx one. Because the .exe extension stays invisible by default, an unsuspecting PC user is very likely to open what looks like an information leaflet on the most talked-about topic in the world today.

If opened, the executable places an MS Word document in the user’s Downloads folder. The document, which now has not one but two .docx extensions, shows a text about the Coronavirus. This text is meant to distract the reader, while a second execution takes place at the same time. When the latter has finished, the victim gets a new file:
%UserProfile%\AppData\Local\Library SQL\bin\version 5.0\sqltuner.exe.

When launched, the sqltuner executable establishes a connection between the BlackWater backdoor and an external C2 server, and this connection runs directly through a Cloudflare Worker. It is a novel threat that aims to evade security software by hiding its traffic behind Cloudflare’s legitimate proxy IP addresses.
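As an added defender-side example (not code from the original write-up), the following Python flags the two host artefacts described above: an archive member whose real executable extension hides behind a document extension, and a file landing at the sqltuner.exe drop path. The archive listing is constructed; the extension sets and function names are assumptions.

```python
import re
from pathlib import PureWindowsPath

# Extensions users read as "documents" and Explorer hides by default.
DOCUMENT_EXTS = {".docx", ".doc", ".pdf", ".xlsx", ".pptx", ".rtf", ".txt"}
# Extensions that actually execute on double-click.
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".vbs", ".js", ".hta", ".msi"}

# Drop location named in the write-up, matched under any user profile (assumed regex).
DROP_PATH_RE = re.compile(
    r"\\AppData\\Local\\Library SQL\\bin\\version 5\.0\\sqltuner\.exe$", re.IGNORECASE)


def displayed_name(filename: str) -> str:
    """What Explorer shows with 'Hide extensions for known file types' on:
    the final extension is stripped, so 'x.docx.exe' is displayed as 'x.docx'."""
    p = PureWindowsPath(filename)
    return p.stem if p.suffix.lower() in EXECUTABLE_EXTS | DOCUMENT_EXTS else p.name


def masquerade_reason(filename: str):
    """Return a reason string if an executable extension hides behind a
    document extension, otherwise None. A plain '.docx.docx' is not flagged."""
    suffixes = [s.lower() for s in PureWindowsPath(filename).suffixes]
    if len(suffixes) >= 2 and suffixes[-1] in EXECUTABLE_EXTS and suffixes[-2] in DOCUMENT_EXTS:
        return (f"executable {suffixes[-1]} hidden behind {suffixes[-2]} "
                f"(shown to the user as '{displayed_name(filename)}')")
    return None


def is_blackwater_drop_path(path: str) -> bool:
    """True if a file path matches the sqltuner.exe location from the write-up."""
    return DROP_PATH_RE.search(path.replace("/", "\\")) is not None


def triage_archive(members):
    """Return (member name, reason) pairs for suspicious archive entries."""
    return [(m, masquerade_reason(m)) for m in members if masquerade_reason(m)]


# Constructed archive listing modelled on the RAR described above.
SAMPLE_ARCHIVE = ["Important – COVID-19.docx.exe", "README.txt", "notes.docx"]

if __name__ == "__main__":
    for name, reason in triage_archive(SAMPLE_ARCHIVE):
        print(f"[!] {name}: {reason}")
```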
