DarkWatchman RAT uses Windows Registry fileless storage mechanism

December 20, 2021  By Pierluigi Paganini


DarkWatchman is a new lightweight javascript-based Remote Access Trojan (RAT) that uses novel methods for fileless persistence.

Recently Prevailion experts detected a malicious javascript-based Remote Access Trojan (RAT) dubbed DarkWatchman that uses a robust Domain Generation Algorithm (DGA) to contact the C2 infrastructure and novel methods for fileless persistence, on-system activity, and dynamic run-time capabilities like self-updating and recompilation. 

The DarkWatchman RAT uses the registry for nearly all temporary and permanent storage, it doesn’t write to disk evading most security tools. 

The DarkWatchman has been distributed through phishing emails that use malicious ZIP archives (named ‘Накладная №12-6317-3621.zip’ (translated: Invoice #12-6317-3621)) containing an executable set to appear to be a text document.

DarkWatchman

The executable is a self-installing WinRAR archive that will install the RAT and keylogger.

“This executable is a WinRAR SFX self installing archive that contains two files: ‘134121811.js’ (the JavaScript RAT) and ‘2204722946’ (the C# source code for the keylogger).” reads the analysis published by Prevailion. “The WinRAR SFX configuration file contains comments in Russian and instructions to drop both files in %TEMP% before executing the .JS file with the name of the WinRAR SFX executable as a command line argument.”

The malware was used by Russian-speaking actors to target mainly Russian entities.

Upon initial execution, the malware first checks the Windows Registry to determine if DarkWatchman has already been installed. Then the user is shown a message that informs him that “Unknown Format” while installing the payloads in the background.

DarkWatchman uses the Windows Registry fileless storage mechanism for the keylogger, It creates a scheduled task is to use WScript to execute the malware at every user log on. 

When the RAT is launched, it executes a PowerShell script which, in turn, compiles the keylogger (using CSC) and executes it.

“The keylogger itself does not communicate with the C2 or write to disk. Instead, it writes it’s keylog to a registry key that it uses as a buffer. During its operation, the RAT scrapes and clears this buffer before transmitting the logged keystrokes to the C2 server.” continues the analysis.

Once launched, DarkWatchmen will execute a PowerShell script that compiles the keylogger using the .NET CSC.exe command and launches it into memory.

“The keylogger itself does not communicate with the C2 or write to disk. Instead, it writes it’s keylog to a registry key that it uses as a buffer. During its operation, the RAT scrapes and clears this buffer before transmitting the logged keystrokes to the C2 server.” states the report.

The malware also stores data to exfiltrate to the registry until it’s transferred to the C2.

DarkWatchman supports the following functionalities:

  • Execute EXE files (with or without the output returned)
  • Load DLL files
  • Execute commands on the command line
  • Execute WSH commands
  • Execute miscellaneous commands via WMI
  • Execute PowerShell commands
  • Evaluate JavaScript
  • Upload files to the C2 server from the victim machine
  • Remotely stop and uninstall the RAT and Keylogger
  • Remotely update the C2 server address or call-home timeout

According to the researcher, DarkWatchman was likely developed to support the operations of RaaS affiliates. 

“One interesting hypothesis is that the ransomware operators could provide something like DarkWatchman to their less technologically capable affiliates, and once the affiliate gains a foothold in the system, it automatically communicates back to domains the operator controls. This would eliminate the need to have the affiliate deploy the ransomware or handle file exfiltration, and would move the ransomware operator from a negotiator role to actively controlling the infection.” concludes the report. “The capabilities and functionality of both the JavaScript and C# elements of DarkWatchman indicate a capable threat actor.”

Follow me on Twitter: @securityaffairs and Facebook

[adrotate banner=”9″][adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, malware)

[adrotate banner=”5″]

[adrotate banner=”13″]



Pierluigi Paganini
Pierluigi Paganini is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group, he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog "Security Affairs" recently named a Top National Security Resource for US. Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines. Author of the Books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.





You might also like





  • Digging the Deep Web: Exploring the dark side of the web

    Digging The Deep Web

  • Center for Cyber Security and International Relations Studies

  • Subscribe Security Affairs Newsletter

    newsletter

  • SecurityAffairs awarded as Best European Cybersecurity Tech Blog at European Cybersecurity Blogger Awards

    EU Sec Bloggers Awards 22


More Story

Nation-state actors are exploiting Zoho zero-day CVE-2021-44515 since October, FBI warns

 The FBI warns that zero-day flaw in Zoho's ManageEngine Desktop Central has been under active exploitation by nation-state...