BlackWater Description

The BlackWater threat is regarded as new generation malware that may prove to be rather difficult to stop once it is in operation. The authors of the BlackWater malware are attempting to use the populace's fear of the Coronavirus outbreak to propagate this nasty threat. It comes as no surprise that cyber crooks are exploiting a tragedy or an emergency to spread malware or generate cash – they are not known as people of high values and moral standards.


The creators of the BlackWater malware are likely to use phishing emails as an infection vector. According to reports, targeted users would receive an email that claims to contain important information regarding the outbreak of the Coronavirus. The bogus email contains a corrupted attachment called 'Important – COVID-19.rar.' Users are led to believe that they have received an email that contains information, which needs to be reviewed urgently. This is a commonly utilized social engineering technique. If the users open the '.rar' file, they will find a file that appears as nothing more than a harmless document. At first glance, the name of the file appears to be 'Important – COVID-19.docx.' However, the full name of the file is 'Important – COVID-19.docx.exe', but since Microsoft does not show file extensions by default, users are likely not to notice that this is not a document but an executable file. The creators of the BlackWater malware have even made sure that the file uses the Microsoft Office document icon so that users believe that it is a genuine document.

How the BlackWater Threat Operates

If the user launches the executable file that mimics a document, the threat will plant a document file named 'Important – COVID-19.docx.docx' in the %UserProfile%\downloads folder. This is a real document file that users can launch and read via Microsoft Word. The document claims to originate from the Wessex Learning Trust and appears to contain information and tips regarding the Coronavirus outbreak. The information in the document is likely to keep users busy while the BlackWater threat is planting a file called 'sqltuner.exe' in the %UserProfile% \AppData\Local\Library SQL\bin\version 5.0\ folder. What is very innovative about the BlackWater malware is that instead of the threat connecting to a remote C&C (Command & Control) server that the attackers have set up prior to the attack, the threat utilizes genuine Cloudflare Worker services as its C&C server. According to cybersecurity researchers, the reason behind this clever workaround is that the anti-malware utilities may be unable to block IP traffic linked to the unsafe activity of the BlackWater threat unless they block all the traffic affiliated with the infrastructure of the Cloudflare Worker services.

This new threat may inspire other cybercriminals who may model their creations after the BlackWater malware, which is likely to make the job of security tools much more challenging. Make sure that you have installed a genuine anti-virus solution on your system so that you minimize the risks of falling victim to a threat like the BlackWater malware.

Leave a Reply

Please DO NOT use this comment system for support or billing questions. For SpyHunter technical support requests, please contact our technical support team directly by opening a customer support ticket via your SpyHunter. For billing issues, please refer to our "Billing Questions or Problems?" page. For general inquiries (complaints, legal, press, marketing, copyright), visit our "Inquiries and Feedback" page.

HTML is not allowed.