According to researchers Matt Stafford and Sherman Smith, the RAT “uses novel methods for fileless persistence, on-system activity, and dynamic run-time capabilities like self-updating and recompilation,” and it “represents an evolution in fileless malware techniques, as it uses the registry for nearly all temporary and permanent storage and thus never writes anything to disc, allowing it to operate beneath or around the detection threshold of most security tools.”

The malware, dubbed DarkWatchman by Prevailion’s Adversarial Counterintelligence Team (PACT), uses a flexible domain generation algorithm (DGA) to identify its command-and-control (C2) infrastructure and stores all of its data in the Windows Registry, allowing it to avoid antimalware engines.

A novel JavaScript-based remote access Trojan (RAT), spread through a social engineering campaign, has been spotted using stealthy “fileless” techniques to avoid detection and analysis.

This new technique has the interesting side effect of eliminating the need for ransomware operators to employ associates, who are usually in charge of releasing the file-locking software and handling the file exfiltration. Using DarkWatchman as a prelude to ransomware deployments also gives the ransomware’s core developers more control over the operation than just negotiating ransoms.

DarkWatchman is a stealthy conduit for additional malicious activity that is sent via spear-phishing emails posing as “Free storage expiration notification” for a cargo delivered by Russian shipment company Pony Express. The emails include a fictitious invoice in the form of a ZIP archive, which contains the payload required to infect a Windows PC.

The new RAT consists of a fileless JavaScript RAT and a C#-based keylogger, both stored in the registry to avoid detection. Both components are also extremely light: the malicious JavaScript code is only 32 KB in size, while the keylogger is only 8.5 KB.

The researchers noted: “Because the binary is stored in the registry as encoded text, DarkWatchman is persistent even though its executable is never (permanently) copied to disc; it also means that DarkWatchman’s operators can update (or replace) the malware every time it’s executed.”

DarkWatchman has yet to be linked to a hacking group, but Prevailion described the crew as a “capable threat actor,” noting the malware’s exclusive targeting of Russian victims as well as the source code samples’ typographical errors and misspellings, raising the possibility that the operators are not native English speakers.

The researchers concluded: “It appears that the designers of DarkWatchman found and exploited the Windows Registry’s complexity and opacity to work beneath or around the detection threshold of security tools and analysts alike. Registry modifications are commonplace, and it can be difficult to discern whether changes are aberrant or outside the boundaries of typical OS and programme tasks.”
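One way a defender can lower that detection threshold is to hunt for what a registry-resident payload must leave behind: unusually large string values made of encoded text. The following PowerShell triage script is an added example, not code from the article or from Prevailion; the registry paths it sweeps, the 2048-character size threshold and the encoded-text heuristic are assumptions chosen for illustration, not indicators from the report.

```powershell
# Added example (not from the article or Prevailion): flag oversized, encoded-looking
# string values under autorun keys and the user hive, where a registry-stored script
# would have to live. Paths, threshold and heuristic are assumptions for triage.
$Roots = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software'   # broad sweep of the current user's hive
)
$MinLength = 2048      # assumption: benign string values are rarely this long

function Test-LooksEncoded {
    param([string]$Value)
    # Almost entirely base64-alphabet characters with no whitespace suggests an encoded blob
    $leftover = $Value -replace '[A-Za-z0-9+/=]', ''
    return ($leftover.Length -lt [math]::Floor($Value.Length * 0.05))
}

function Find-OversizedRegistryStrings {
    param([string[]]$Paths, [int]$Threshold)
    foreach ($root in $Paths) {
        if (-not (Test-Path $root)) { continue }
        # Include the root key itself; Get-ChildItem only returns subkeys
        $keys = @(Get-Item -Path $root) +
                @(Get-ChildItem -Path $root -Recurse -ErrorAction SilentlyContinue)
        foreach ($key in $keys) {
            foreach ($name in $key.GetValueNames()) {
                $kind = $key.GetValueKind($name)
                if ($kind -notin 'String', 'ExpandString', 'MultiString') { continue }
                # Read raw data without expanding %VARIABLES%, so the stored text is inspected as-is
                $val = [string]$key.GetValue($name, '', 'DoNotExpandEnvironmentNames')
                if ($val.Length -lt $Threshold) { continue }
                [pscustomobject]@{
                    Key     = $key.Name
                    Value   = if ($name) { $name } else { '(Default)' }
                    Kind    = $kind
                    Length  = $val.Length
                    Encoded = Test-LooksEncoded $val
                    Preview = $val.Substring(0, 60)
                }
            }
        }
    }
}

# Report candidates, largest first, so an analyst can review them before deciding to decode
Find-OversizedRegistryStrings -Paths $Roots -Threshold $MinLength |
    Sort-Object Length -Descending |
    Format-Table Key, Value, Kind, Length, Encoded, Preview -AutoSize
```

Large values that also score Encoded = True are worth decoding and reviewing by hand; legitimate software does store long strings in the registry, so treat hits as leads rather than verdicts.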
