Researchers have uncovered a new malware campaign that uses the COVID-19 pandemic as a lure, and also abuses platform-as-a-service web infrastructure tools to apparently thwart attempts at blocking command-and-control communications.

Dubbed BlackWater, the backdoor malware specifically takes advantage of Cloudflare Workers — an offering of Cloudflare, a popular provider of content delivery network, DDoS mitigation and internet security services to website operators. As Cloudflare explains on its own website, Cloudflare Workers offer a “lightweight JavaScript execution environment that allows developers to augment existing applications or create entirely new ones without configuring or maintaining infrastructure.”

These JavaScript programs enable serverless functions to run directly on Cloudflare’s edge, as close as possible to the end user, where they interact with connections from remote web clients, BleepingComputer explains in a report on the BlackWater threat, citing research from the MalwareHunterTeam. Under normal conditions, Workers can be used to modify a website’s HTTP requests and responses, make parallel requests and disable Cloudflare features. But malicious actors are now also using them as a C2 server, or at minimum as a proxy that fronts a ReactJS Strapi App, which in turn performs like a back-end C2 server. BlackWater does this by using a command line to connect to the Cloudflare Worker over attacker-established domains.

SC Media contacted Cloudflare for comment and received the following response: “Cloudflare took immediate action to shut down the malicious domains as soon as we were made aware.”

SentinelLabs researcher Vitali Kremez told BleepingComputer that the attackers likely chose this technique because “it returns back the legit Cloudflare proxy IP, which acts as a reverse proxy passing the traffic to the C2. It makes blocking the IP traffic impossible given it is Cloudflare (unless the whole Cloudflare worker space is banned) infrastructure while hiding the actual C2.”
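The blocking problem Kremez describes can be shown on proxy logs. The following is an added example, not code from the article or from any of the researchers quoted: it compares the collateral damage of an IP block with a hostname-and-process check. All hostnames, process names and log records are constructed, and the two network ranges are assumed to be a subset of Cloudflare's published IPv4 ranges.

```python
import ipaddress

# Assumption: a subset of Cloudflare's published IPv4 ranges. A real deployment
# would load the provider's full, current list instead.
CLOUDFLARE_NETS = [ipaddress.ip_network(n) for n in ("104.16.0.0/13", "172.64.0.0/13")]

# Hypothetical allowlists maintained by the defender.
KNOWN_HOSTS = {"intranet-portal.example", "news-site.example"}
BROWSERS = {"chrome.exe", "firefox.exe", "msedge.exe"}

# Constructed proxy log records: (process, requested hostname, destination IP).
LOG = [
    ("chrome.exe", "news-site.example", "104.18.20.7"),
    ("chrome.exe", "intranet-portal.example", "104.18.20.7"),
    ("decoy-doc.exe", "c2-frontend.example", "104.18.20.7"),
    ("firefox.exe", "other-site.example", "203.0.113.10"),
]

def behind_cloudflare(ip):
    """True if the destination IP belongs to one of the listed edge ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in CLOUDFLARE_NETS)

def collateral_of_ip_block(log, blocked_ip):
    """Every hostname an IP-level block would cut off, legitimate sites included."""
    return sorted({host for _, host, ip in log if ip == blocked_ip})

def suspicious(log):
    """Non-browser processes reaching unlisted hostnames through the shared edge."""
    hits = []
    for proc, host, ip in log:
        if (behind_cloudflare(ip)
                and host not in KNOWN_HOSTS
                and proc.lower() not in BROWSERS):
            hits.append((proc, host))
    return hits

if __name__ == "__main__":
    print("IP block would also cut off:", collateral_of_ip_block(LOG, "104.18.20.7"))
    print("Hostname/process check flags:", suspicious(LOG))
```

The IP block takes out two legitimate sites along with the C2 front end, while the hostname-and-process check isolates the single suspicious record.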

The malware is delivered via a RAR file — most likely distributed as an attachment via an email phishing campaign — that appears to contain information about the novel coronavirus in the form of a Word document. But the file is actually an executable that, upon activation, extracts a decoy Word doc that serves as a distraction while the backdoor is implemented.

The decoy doc observed by MalwareHunterTeam purports to be from the Wessex Learning Trust, a British general secondary education conglomerate, and appears to contain details and instructions for parents and students.

“This is a good example of the power of using Platform-as-a-Service to build code. Unfortunately, it is a malicious example,” said Chris Morales, head of security analytics at Vectra, to SC Media. “CloudFlare was built to support code for remote access just like this. And yes, by running on a Platform as a Service, it makes it difficult to block without stopping access to the entire cloud platform as traffic is legitimate traffic from the site.”

“What this tells me is that the PaaS providers still have a ways to go in ensuring their platforms are not used for malicious means. They need to provide better auditing of the code run on their services and back end,” Morales continued. “Amusingly the Cloudflare website espouses the security benefits of using service workers on the edge and the security of JavaScript. What they did not account for is this code being used against people in a way it was designed for.”

Joseph Carson, chief security scientist and advisory CISO at Thycotic, told SC Media that it’s especially important during times of crisis to “always be vigilant and suspicious of any attachments, even when they appear to be coming from legitimate sources.”

“The best way to reduce the risks of such threats is for companies to practice the principle of least privilege,” he added.