New Fileless Malware Uses Windows Registry as Storage to Evade Detection


A new JavaScript-based remote access Trojan (RAT) propagated via
a social engineering campaign has been observed employing sneaky
“fileless” techniques as part of its detection-evasion methods to
elude discovery and analysis.

Dubbed DarkWatchman by researchers from Prevailion’s
Adversarial Counterintelligence Team (PACT), the malware uses a
resilient domain generation algorithm (DGA[1]) to identify its
command-and-control (C2) infrastructure and utilizes the Windows
Registry for all of its storage operations, thereby enabling it to
bypass antimalware engines.

The RAT “utilizes novel methods for fileless persistence,
on-system activity, and dynamic run-time capabilities like
self-updating and recompilation,” researchers Matt Stafford and
Sherman Smith said[2], adding it “represents
an evolution in fileless malware techniques, as it uses the
registry for nearly all temporary and permanent storage and
therefore never writes anything to disk, allowing it to operate
beneath or around the detection threshold of most security
tools.”


Prevailion said that an unnamed enterprise-sized organization in
Russia was one among the targeted victims, with a number of malware
artifacts identified starting November 12, 2021. Given its backdoor
and persistence features, the PACT team assessed that DarkWatchman
could be an initial access and reconnaissance tool for use by
ransomware groups.

An interesting consequence of this novel development is that it
completely obviates the need for ransomware operators to recruit
affiliates, who are typically in charge of dropping the
file-locking malware and handling the file exfiltration. Using
DarkWatchman as a prelude for ransomware deployments also equips
the core developers of the ransomware with better oversight over
the operation beyond negotiating ransoms.

Distributed via spear-phishing emails that masquerade as “Free
storage expiration notification” for a consignment delivered by
Russian shipment company Pony Express, DarkWatchman provides a
stealthy gateway for further malicious activity. The emails come
attached with a purported invoice in the form of a ZIP archive
that, in turn, contains the payload necessary to infect the Windows
system.

The novel RAT is both a fileless JavaScript RAT and a C#-based
keylogger, the latter of which is stored in the registry to avoid
detection. Both components are also extremely lightweight: the
malicious JavaScript code takes up only about 32 KB, while the
keylogger barely registers at 8.5 KB.

“The storage of the binary in the registry as encoded text means
that DarkWatchman is persistent yet its executable is never
(permanently) written to disk; it also means that DarkWatchman’s
operators can update (or replace) the malware every time it’s
executed,” the researchers said.


Once installed, DarkWatchman can execute arbitrary binaries,
load DLL files, run JavaScript code and PowerShell commands, upload
files to a remote server, update itself, and even uninstall the RAT
and keylogger from the compromised machine. The JavaScript routine
is also responsible for establishing persistence by creating a
scheduled task that runs the malware at every user log on.
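The persistence mechanism described above, a scheduled task that fires at user logon and launches a script-based payload, is something a defender can audit directly from Task Scheduler's XML. The following is an added example, not code from the Prevailion write-up; the task XML is constructed for the illustration, and the list of script hosts (wscript.exe, cscript.exe, powershell.exe and so on) is a defender's assumption, since the article does not name the interpreter DarkWatchman's task invokes. Real task definitions can be exported with `schtasks /Query /XML /TN <name>` and fed to the same function.

```python
"""Audit Windows Task Scheduler XML for logon-triggered tasks that run a script host.

Added example (not from the original article). The sample task XML below is
constructed; the set of script hosts is an assumption about how a JavaScript-
or PowerShell-based payload would typically be launched.
"""
import xml.etree.ElementTree as ET

# Task Scheduler XML lives in this namespace, so every XPath needs the prefix.
NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}

# Interpreters that turn a text payload into execution (assumption, not from the page).
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "powershell.exe", "pwsh.exe", "mshta.exe"}

# Constructed sample: logon trigger + wscript.exe launching a .js file.
SUSPICIOUS_TASK = r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers>
    <LogonTrigger><Enabled>true</Enabled></LogonTrigger>
  </Triggers>
  <Actions Context="Author">
    <Exec>
      <Command>C:\Windows\System32\wscript.exe</Command>
      <Arguments>//B //E:jscript C:\Users\Public\update.js</Arguments>
    </Exec>
  </Actions>
</Task>"""

# Constructed sample: a daily task running a normal binary, for contrast.
BENIGN_TASK = r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers>
    <CalendarTrigger><ScheduleByDay><DaysInterval>1</DaysInterval></ScheduleByDay></CalendarTrigger>
  </Triggers>
  <Actions Context="Author">
    <Exec><Command>C:\Program Files\Backup\backup.exe</Command></Exec>
  </Actions>
</Task>"""


def audit_task_xml(xml_text: str) -> dict:
    """Return trigger/action facts plus a 'suspicious' verdict for one task definition."""
    root = ET.fromstring(xml_text)
    logon = root.find("t:Triggers/t:LogonTrigger", NS) is not None
    actions = []
    for exec_el in root.findall("t:Actions/t:Exec", NS):
        cmd = (exec_el.findtext("t:Command", default="", namespaces=NS) or "").strip()
        args = (exec_el.findtext("t:Arguments", default="", namespaces=NS) or "").strip()
        # Normalise the path separator and keep only the executable name for matching.
        host = cmd.replace("/", "\\").rsplit("\\", 1)[-1].lower()
        actions.append({"command": cmd, "arguments": args, "script_host": host in SCRIPT_HOSTS})
    # Logon-triggered execution of a script host is the combination worth a second look.
    suspicious = logon and any(a["script_host"] for a in actions)
    return {"logon_trigger": logon, "actions": actions, "suspicious": suspicious}


if __name__ == "__main__":
    for label, xml_text in (("suspicious", SUSPICIOUS_TASK), ("benign", BENIGN_TASK)):
        print(label, audit_task_xml(xml_text))
```

The verdict is deliberately narrow (logon trigger plus a script host); in a real environment the output should be joined against a baseline of known tasks, since many legitimate products also register logon tasks.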

“The keylogger itself does not communicate with the C2 or write
to disk,” the researchers said. “Instead, it writes its keylog to a
registry key that it uses as a buffer. During its operation, the
RAT scrapes and clears this buffer before transmitting the logged
keystrokes to the C2 server.”

DarkWatchman has yet to be attributed to a hacking group, but
Prevailion characterized the crew as a “capable threat actor,”
while pointing out the malware’s exclusive targeting of victims
located in Russia and the typographical errors and misspellings
that were identified in the source code samples, raising the
possibility that the operators may not be native English
speakers.

“It would appear that the authors of DarkWatchman identified and
took advantage of the complexity and opacity of the Windows
Registry to work underneath or around the detection threshold of
security tools and analysts alike,” the researchers concluded.
“Registry changes are commonplace, and it can be difficult to
identify which changes are anomalous or outside the scope of normal
OS and software functions.”
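Two points in the article converge here: the binary and the keylog buffer live in the registry as encoded text, and registry churn is so common that individual changes are hard to call anomalous. A practical answer is to diff a registry export against a baseline and rank what changed by how much it resembles an encoded blob. The script below is an added example, not Prevailion's tooling; the two `.reg` exports, the key paths and the value names are constructed, and the size and entropy thresholds are assumptions a defender would tune. Real exports come from `reg export <key> <file.reg>` and are UTF-16 on disk, so decode them before passing the text in.

```python
"""Diff two .reg exports and rank new or changed values by "looks like an encoded binary".

Added example (not from the original article). Both exports below are constructed;
the thresholds in blob_score are assumptions to be tuned per environment.
"""
import base64
import math
import random
import re

KEY_RE = re.compile(r"^\[(.+)\]$")                              # [HKEY_...\Path]
VALUE_RE = re.compile(r'^(?:"((?:[^"\\]|\\.)*)"|@)=(.*)$')     # "name"=data  or  @=data
B64_RE = re.compile(r"^[A-Za-z0-9+/=\s]+$")


def parse_reg(text: str) -> dict:
    """Return {(key_path, value_name): raw_data}; hex data continued with trailing '\\' is joined."""
    values, key = {}, None
    lines = iter(text.splitlines())
    for raw in lines:
        line = raw.strip()
        if not line or line.startswith("Windows Registry Editor") or line.startswith(";"):
            continue
        m = KEY_RE.match(line)
        if m:
            key = m.group(1)
            continue
        while line.endswith("\\"):               # hex:aa,bb,\ continuation lines
            line = line[:-1] + next(lines, "").strip()
        m = VALUE_RE.match(line)
        if m and key:
            name = m.group(1)
            name = "(Default)" if name is None else name.replace('\\"', '"').replace("\\\\", "\\")
            values[(key, name)] = m.group(2)
    return values


def shannon_entropy(s: str) -> float:
    """Bits per character; base64 of compressed or compiled data sits close to 6."""
    if not s:
        return 0.0
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def blob_score(data: str, min_len: int = 1024, min_entropy: float = 4.5) -> dict:
    """Heuristic: a long REG_SZ whose body is base64-alphabet text with high entropy."""
    if not (data.startswith('"') and data.endswith('"')):
        return {"encoded_blob": False, "length": 0, "entropy": 0.0}
    body = data[1:-1]
    ent = shannon_entropy(body)
    looks_b64 = bool(B64_RE.match(body)) and len(body) % 4 == 0
    return {"encoded_blob": len(body) >= min_len and looks_b64 and ent > min_entropy,
            "length": len(body), "entropy": round(ent, 2)}


def diff_reg(baseline: str, current: str) -> list:
    """List values that were added or changed since the baseline, most blob-like first."""
    old, new = parse_reg(baseline), parse_reg(current)
    findings = []
    for k, data in new.items():
        if old.get(k) == data:
            continue
        change = "added" if k not in old else "changed"
        findings.append({"key": k[0], "name": k[1], "change": change, **blob_score(data)})
    findings.sort(key=lambda f: (not f["encoded_blob"], -f["length"]))
    return findings


# Constructed stand-in for an encoded binary: 1500 seeded pseudo-random bytes -> 2000 base64 chars.
_rng = random.Random(2021)
_BLOB = base64.b64encode(bytes(_rng.getrandbits(8) for _ in range(1500))).decode()

BASELINE = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\ExampleApp]
"InstallPath"="C:\\Program Files\\ExampleApp"
"RunCount"=dword:00000007
'''

CURRENT = (r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\ExampleApp]
"InstallPath"="C:\\Program Files\\ExampleApp"
"RunCount"=dword:00000008

[HKEY_CURRENT_USER\Software\ExampleApp\Cache]
"Payload"="''' + _BLOB + '"\n"Buffer"="user typed this\\r\\n"\n')

if __name__ == "__main__":
    for f in diff_reg(BASELINE, CURRENT):
        print(f)
```

The ranking puts the 2000-character base64 value first and leaves the counter increment and the short text value at the bottom; the short text is exactly the kind of small, frequently rewritten value a keylog buffer would produce, which is why the baseline diff (not the entropy score alone) is what surfaces it.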

References

  1. DGA (en.wikipedia.org)
  2. said (www.prevailion.com)
