TechGuard Blog

Phishing in the BlackWater

With much of the workforce moving to working from home, attackers have adjusted how they go after users. Phishing has always been a staple for cybercriminals, but the shift to WFH gives them more room to work: some of the protection the corporate network provided has been lifted for users trying to do their jobs from home. Which brings us to today's subject, the BlackWater malware.

BlackWater is a creative phishing campaign that uses Cloudflare's infrastructure to help stage its attack. It does so through a combination of user manipulation and abuse of Cloudflare Workers, the edge service Cloudflare offers for running code on its network. The attacker deploys a Worker, which is JavaScript that executes at Cloudflare's edge, and writes it so that it behaves as the command-and-control server (C2) for the campaign.

The lure is an email or message carrying a downloadable file that claims to contain important information about the recent coronavirus outbreak: how to stay safe, or how to check for cases in the reader's area. Opening that file starts the installation of BlackWater on the device. Once the malware is running, it connects to the Worker the attacker created, and the Worker passes the attacker's commands through to the infected device. It is believed that the attacker uses the Worker as a front end for another application that holds the actual attack code. The reasoning is that security software is less likely to block traffic by IP address when that traffic appears to be going to a Cloudflare service that many legitimate sites also use.
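For the defender, the useful consequence of that design is that the infected host talks to a Cloudflare Workers hostname on a schedule. As an added example (not code from the original post or from any BlackWater analysis), the Python below hunts for that pattern in web proxy logs: it groups requests by client and hostname, keeps hosts on the *.workers.dev domain Cloudflare assigns to Workers, and reports only pairs with repeated, evenly spaced contact. The log lines, client addresses and hostnames are constructed for the example and are not campaign indicators.

```python
import re
import statistics
from collections import defaultdict
from datetime import datetime
from urllib.parse import urlparse

# Constructed sample proxy log lines for this example. Hostnames and client
# addresses are made up and are not indicators from the BlackWater campaign.
# Format: timestamp client method url status user-agent
SAMPLE_LOG = """\
2020-03-25T09:14:02Z 10.0.4.17 GET https://www.example.com/index.html 200 Mozilla/5.0
2020-03-25T09:14:40Z 10.0.4.17 POST https://quiet-field-1a2b.example-tenant.workers.dev/ 200 -
2020-03-25T09:15:40Z 10.0.4.17 POST https://quiet-field-1a2b.example-tenant.workers.dev/ 200 -
2020-03-25T09:16:41Z 10.0.4.17 POST https://quiet-field-1a2b.example-tenant.workers.dev/ 200 -
2020-03-25T09:17:39Z 10.0.4.17 POST https://quiet-field-1a2b.example-tenant.workers.dev/ 200 -
2020-03-25T09:17:02Z 10.0.4.22 GET https://docs.example.org/ 200 Mozilla/5.0
2020-03-25T09:20:11Z 10.0.4.22 GET https://status.example-saas.workers.dev/ 200 Mozilla/5.0
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<client>\S+) (?P<method>\S+) (?P<url>\S+) (?P<status>\d{3}) (?P<ua>.*)$"
)

# Default hostname suffix Cloudflare assigns to deployed Workers.
EDGE_SUFFIXES = (".workers.dev",)


def parse_line(line):
    """Parse one log line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ")
    rec["host"] = (urlparse(rec["url"]).hostname or "").lower()
    return rec


def is_edge_host(host):
    return any(host.endswith(s) for s in EDGE_SUFFIXES)


def find_edge_beacons(log_text, min_hits=3, max_jitter=0.2):
    """Report (client, host) pairs on a Workers domain whose request gaps are
    regular enough to look like a beacon. A single visit is not reported:
    plenty of legitimate sites run on Workers, so one hit is only a lead."""
    groups = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and is_edge_host(rec["host"]):
            groups[(rec["client"], rec["host"])].append(rec)

    findings = []
    for (client, host), recs in groups.items():
        if len(recs) < min_hits:
            continue
        recs.sort(key=lambda r: r["ts"])
        gaps = [(b["ts"] - a["ts"]).total_seconds() for a, b in zip(recs, recs[1:])]
        mean_gap = statistics.mean(gaps)
        # coefficient of variation: small means evenly spaced requests
        jitter = statistics.pstdev(gaps) / mean_gap if mean_gap else 1.0
        if jitter > max_jitter:
            continue
        findings.append({
            "client": client,
            "host": host,
            "hits": len(recs),
            "mean_gap_s": round(mean_gap, 1),
            "jitter": round(jitter, 3),
            # requests without a browser user-agent are the stronger signal
            "non_browser_hits": sum(1 for r in recs if not r["ua"].startswith("Mozilla/")),
        })
    return sorted(findings, key=lambda f: (f["client"], f["host"]))


if __name__ == "__main__":
    for f in find_edge_beacons(SAMPLE_LOG):
        print(f)
```

On the sample data only 10.0.4.17 is reported (four POSTs about a minute apart with no browser user-agent); the single page load from 10.0.4.22 to another Workers site is left alone. Treat a hit as a reason to look at the process that made the connection, not as grounds to block workers.dev wholesale, since that would break legitimate services running on the same platform.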

What can you do to prevent this type of attack?

The first thing anyone can do on receiving a suspicious email from an outside source is to send it to the company's IT or security team so they can look at the file. In the case of the BlackWater attack, if the user expanded the file before downloading it, one thing they would notice is a .exe inside. That is a strong indicator that the file carries malware, and it should be reported immediately to the right team in your business. Part of what makes attacks like this work is a Windows default: File Explorer hides the extensions of known file types, so a file named report.docx.exe is displayed as report.docx and passes for a Word document. Turn off "Hide extensions for known file types" in Folder Options, and check the full extension of any download before you open or install it on your device.

Another way to spot a phishing email is to always check the sender's domain. Attackers often learn a company's email domain and employee addresses through passive reconnaissance. With that list in hand, they register a look-alike domain and send from addresses you might take for colleagues. In reality the domain is misspelled or slightly altered (an extra letter, a swapped character, or the real domain tucked inside a longer one), and it will not appear in your company's list. Also, if something feels strange or doesn't look right, send it to your security team. It is always better to be safe than sorry, and it is never a bad idea to be overcautious with these things.
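Both checks above, the hidden double extension and the look-alike sender domain, are easy to automate in a mail-triage script. The Python below is an added example written for this post, not code from the original article or from TechGuard's tooling. It approximates what Explorer shows for an attachment name when known extensions are hidden, flags a double extension such as .docx.exe, and classifies the sender domain as internal, external, or a look-alike of the company's own domain. The extension sets, the trusted domain example.com and the sample message are assumptions constructed for the example.

```python
import difflib
from email.utils import parseaddr

# Illustrative subsets, an assumption for this example and not the full
# Windows registry list: extensions Explorer hides when "Hide extensions for
# known file types" is on, and extensions Windows will run as a program.
HIDDEN_EXTENSIONS = {".docx", ".doc", ".xlsx", ".pdf", ".txt", ".jpg",
                     ".zip", ".rar", ".exe", ".scr"}
EXECUTABLE_EXTENSIONS = {".exe", ".scr", ".com", ".bat", ".cmd", ".js",
                         ".vbs", ".hta", ".ps1", ".msi"}


def split_ext(name):
    """'COVID-19 guide.docx.exe' -> ('COVID-19 guide.docx', '.exe')."""
    base, dot, ext = name.rpartition(".")
    if not dot or not base:
        return name, ""
    return base, "." + ext.lower()


def explorer_display_name(name):
    """Approximates what Explorer shows with known extensions hidden."""
    base, ext = split_ext(name)
    return base if ext in HIDDEN_EXTENSIONS else name


def attachment_verdict(name):
    """'ok', 'executable', or 'executable disguised as <ext>' for a
    double extension such as .docx.exe."""
    base, ext = split_ext(name)
    if ext not in EXECUTABLE_EXTENSIONS:
        return "ok"
    _, inner = split_ext(base)
    if inner in HIDDEN_EXTENSIONS:
        return f"executable disguised as {inner}"
    return "executable"


def sender_domain(from_header):
    """Domain of the actual address, ignoring the display name."""
    _, addr = parseaddr(from_header)
    return addr.rpartition("@")[2].lower()


def sender_verdict(from_header, trusted_domains, threshold=0.8):
    """Classify the sender domain against the company's own domains."""
    d = sender_domain(from_header)
    if not d:
        return "unparseable"
    for t in trusted_domains:
        if d == t or d.endswith("." + t):
            return "internal"
    if not d.isascii():
        # internationalized domain: could be a homoglyph of a trusted name
        return "non-ASCII lookalike"
    for t in trusted_domains:
        if d.startswith(t + "."):
            # e.g. example.com.mail-secure.co: the real name is only a label
            return f"{t} embedded in another domain"
        if difflib.SequenceMatcher(None, d, t).ratio() >= threshold:
            return f"lookalike of {t}"
    return "external"


def triage_email(from_header, attachment_names, trusted_domains):
    """Summarize sender and attachments (list archive members too, so a .exe
    inside a .rar is seen) and decide whether to escalate to the security team."""
    attachments = {n: (explorer_display_name(n), attachment_verdict(n))
                   for n in attachment_names}
    sender = sender_verdict(from_header, trusted_domains)
    bad_sender = sender not in ("internal", "external")
    bad_attachment = any(v != "ok" for _, v in attachments.values())
    return {"sender": sender, "attachments": attachments,
            "escalate": bad_sender or bad_attachment}


if __name__ == "__main__":
    # Constructed sample message, not the real BlackWater lure.
    result = triage_email(
        "HR Team <hr@examp1e.com>",
        ["COVID-19 safety guide.rar", "COVID-19 safety guide.docx.exe"],
        {"example.com"},
    )
    for name, (shown, verdict) in result["attachments"].items():
        print(f"{name!r} is shown as {shown!r}: {verdict}")
    print("sender:", result["sender"], "| escalate:", result["escalate"])
```

The similarity threshold is a tuning knob: 0.8 catches a single swapped character in a short domain but will also flag some unrelated short domains, so treat a "lookalike" verdict as a reason to hand the message to the security team rather than an automatic block. Subdomains of a trusted domain are treated as internal, while a trusted name that appears as a leading label of a longer domain is flagged separately, because it passes a casual glance more easily than a misspelling.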

Written by Adam Voss

Adam Voss graduated from Maryville University with an emphasis on pen-testing. Currently, he works at TechGuard as a cybersecurity analyst. When he's not working on projects or expanding his knowledge in the field to earn his certifications, he can be found doing something that involves physical exercise or rooting for the Cardinals or Blues.