According to researchers Matt Stafford and Sherman Smith, the RAT “uses novel methods for fileless persistence, on-system activity, and dynamic run-time capabilities like self-updating and recompilation,” and it “represents an evolution in fileless malware techniques, as it uses the registry for nearly all temporary and permanent storage and thus never writes anything to disc, allowing it to operate beneath or around the detection threshold of most security tools.”
The RAT, dubbed DarkWatchman by Prevailion’s Adversarial Counterintelligence Team (PACT), uses a flexible domain generation algorithm (DGA) to identify its command-and-control (C2) infrastructure and stores all of its data in the Windows Registry, allowing it to evade antimalware engines.
This technique has the interesting side effect of eliminating the need for ransomware operators to employ affiliates, who are usually in charge of deploying the file-locking software and handling the file exfiltration. Using DarkWatchman as a prelude to ransomware deployments also gives the ransomware’s core developers more control over the operation than simply negotiating ransoms.
DarkWatchman is a stealthy conduit for additional malicious activity that is sent via spear-phishing emails posing as “Free storage expiration notification” for a cargo delivered by Russian shipment company Pony Express. The emails include a fictitious invoice in the form of a ZIP archive, which contains the payload required to infect a Windows PC.
The researchers added: “Because the binary is stored in the registry as encoded text, DarkWatchman is persistent even though its executable is never (permanently) copied to disc; it also means that DarkWatchman’s operators can update (or replace) the malware every time it’s executed.”
DarkWatchman has yet to be linked to a known hacking group, but Prevailion described the crew as a “capable threat actor,” noting the malware’s exclusive targeting of Russian victims as well as the typographical errors and misspellings in the source code samples, which raise the possibility that the operators are not native English speakers.
The researchers concluded: “It appears that the designers of DarkWatchman found and exploited the Windows Registry’s complexity and opacity to work beneath or around the detection threshold of security tools and analysts alike. Registry modifications are commonplace, and it can be difficult to discern whether changes are aberrant or outside the boundaries of typical OS and programme tasks.”
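One way for defenders to narrow the "registry modifications are commonplace" problem described above is to hunt specifically for the trait the researchers call out: executable content parked in the registry as encoded text. The following PowerShell sweep is an added example, not code from the article or from Prevailion; it flags string values under the Software hives that are unusually long and either high-entropy or base64-shaped. The hive list, length and entropy thresholds are assumptions, and a hit is a lead for analyst review, not proof of infection.

```powershell
# Added hunting example (not Prevailion's code): report registry string values
# that look like encoded blobs, the storage pattern the article describes.
$MinLength  = 2048   # assumed: legitimate string values are rarely this long
$MinEntropy = 4.5    # assumed: bits per character; base64 text sits near 5.5-6

function Get-ShannonEntropy {
    param([string]$Text)
    $counts = @{}
    foreach ($ch in $Text.ToCharArray()) { $counts[$ch] = 1 + [int]$counts[$ch] }
    $entropy = 0.0
    foreach ($c in $counts.Values) {
        $p = $c / $Text.Length
        $entropy -= $p * [Math]::Log($p, 2)
    }
    return $entropy
}

# Assumed starting points: hives where per-user and machine-wide application
# data (and most persistence-related keys) live.
$Roots = @('HKCU:\Software', 'HKLM:\SOFTWARE')

$results = foreach ($root in $Roots) {
    Get-ChildItem -Path $root -Recurse -ErrorAction SilentlyContinue | ForEach-Object {
        $key = $_
        foreach ($name in $key.GetValueNames()) {
            # Only string-typed values; binary blobs are a separate hunt.
            $kind = $key.GetValueKind($name).ToString()
            if ($kind -notin @('String', 'ExpandString', 'MultiString')) { continue }
            $value = [string]$key.GetValue($name)
            if ($value.Length -lt $MinLength) { continue }
            $entropy     = Get-ShannonEntropy -Text $value
            $looksBase64 = $value -match '^[A-Za-z0-9+/=\s]+$'
            if ($entropy -ge $MinEntropy -or $looksBase64) {
                [pscustomobject]@{
                    Key     = $key.Name
                    Value   = $name
                    Length  = $value.Length
                    Entropy = [Math]::Round($entropy, 2)
                    Base64  = $looksBase64
                }
            }
        }
    }
}

$results | Sort-Object Length -Descending | Format-Table -AutoSize
```

Recursing the full HKLM\SOFTWARE hive can take minutes on a busy host; for triage, start with HKCU or with the specific keys your baseline shows are rarely changed, and compare hits against a known-good image before acting.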