DarkWatchman RAT uses Windows Registry fileless storage mechanism

Pierluigi Paganini December 20, 2021

DarkWatchman is a new lightweight javascript-based Remote Access Trojan (RAT) that uses novel methods for fileless persistence.

Recently Prevailion experts detected a malicious javascript-based Remote Access Trojan (RAT) dubbed DarkWatchman that uses a robust Domain Generation Algorithm (DGA) to contact the C2 infrastructure and novel methods for fileless persistence, on-system activity, and dynamic run-time capabilities like self-updating and recompilation. 

The DarkWatchman RAT uses the registry for nearly all temporary and permanent storage, it doesn’t write to disk evading most security tools. 

The DarkWatchman has been distributed through phishing emails that use malicious ZIP archives (named ‘Накладная №12-6317-3621.zip’ (translated: Invoice #12-6317-3621)) containing an executable set to appear to be a text document.

DarkWatchman

The executable is a self-installing WinRAR archive that will install the RAT and keylogger.

“This executable is a WinRAR SFX self installing archive that contains two files: ‘134121811.js’ (the JavaScript RAT) and ‘2204722946’ (the C# source code for the keylogger).” reads the analysis published by Prevailion. “The WinRAR SFX configuration file contains comments in Russian and instructions to drop both files in %TEMP% before executing the .JS file with the name of the WinRAR SFX executable as a command line argument.”

The malware was used by Russian-speaking actors to target mainly Russian entities.

Upon initial execution, the malware first checks the Windows Registry to determine if DarkWatchman has already been installed. Then the user is shown a message that informs him that “Unknown Format” while installing the payloads in the background.

DarkWatchman uses the Windows Registry fileless storage mechanism for the keylogger, It creates a scheduled task is to use WScript to execute the malware at every user log on. 

When the RAT is launched, it executes a PowerShell script which, in turn, compiles the keylogger (using CSC) and executes it.

“The keylogger itself does not communicate with the C2 or write to disk. Instead, it writes it’s keylog to a registry key that it uses as a buffer. During its operation, the RAT scrapes and clears this buffer before transmitting the logged keystrokes to the C2 server.” continues the analysis.

Once launched, DarkWatchmen will execute a PowerShell script that compiles the keylogger using the .NET CSC.exe command and launches it into memory.

“The keylogger itself does not communicate with the C2 or write to disk. Instead, it writes it’s keylog to a registry key that it uses as a buffer. During its operation, the RAT scrapes and clears this buffer before transmitting the logged keystrokes to the C2 server.” states the report.

The malware also stores data to exfiltrate to the registry until it’s transferred to the C2.

DarkWatchman supports the following functionalities:

  • Execute EXE files (with or without the output returned)
  • Load DLL files
  • Execute commands on the command line
  • Execute WSH commands
  • Execute miscellaneous commands via WMI
  • Execute PowerShell commands
  • Evaluate JavaScript
  • Upload files to the C2 server from the victim machine
  • Remotely stop and uninstall the RAT and Keylogger
  • Remotely update the C2 server address or call-home timeout

According to the researcher, DarkWatchman was likely developed to support the operations of RaaS affiliates. 

“One interesting hypothesis is that the ransomware operators could provide something like DarkWatchman to their less technologically capable affiliates, and once the affiliate gains a foothold in the system, it automatically communicates back to domains the operator controls. This would eliminate the need to have the affiliate deploy the ransomware or handle file exfiltration, and would move the ransomware operator from a negotiator role to actively controlling the infection.” concludes the report. “The capabilities and functionality of both the JavaScript and C# elements of DarkWatchman indicate a capable threat actor.”

Follow me on Twitter: @securityaffairs and Facebook

[adrotate banner=”9″][adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, malware)

[adrotate banner=”5″]

[adrotate banner=”13″]



you might also like

leave a comment