New fileless malware uses Windows registry for storage to evade detection


A new JavaScript-based Remote Access Trojan (RAT), spread through a social engineering campaign, has been observed using covert "fileless" techniques as part of its detection-evasion methods to avoid discovery and analysis.

Dubbed DarkWatchman by researchers from Prevailion's Adversarial Counterintelligence Team (PACT), the malware uses a resilient domain generation algorithm (DGA) to identify its command-and-control (C2) infrastructure and uses the Windows registry for all of its storage operations, allowing it to bypass anti-malware engines.

The RAT "utilizes new methods for fileless persistence, system activity, and dynamic runtime capabilities such as self-update and recompilation," researchers Matt Stafford and Sherman Smith noted, adding that it "represents an evolution of fileless malware techniques, as it uses the registry for almost all temporary and permanent storage and therefore never writes anything to disk, allowing it to run underneath or around the detection threshold of most security tools."


Prevailion said an unnamed enterprise-sized organization in Russia was one of the targeted victims, with a number of malicious artifacts identified from November 12, 2021. Given its backdoor and persistence functionality, the PACT team assessed that DarkWatchman could be an initial access and reconnaissance tool for use by ransomware groups.

An interesting consequence of this development is that it removes the need for ransomware operators to recruit affiliates, who are typically responsible for deploying the file-locking malware and handling file exfiltration. Using DarkWatchman as a prelude to ransomware deployments also gives the core ransomware developers better oversight of the operation beyond negotiating ransoms.

Distributed via spear-phishing emails that masquerade as a "free storage expiration notification" for a shipment delivered by the Russian shipping company Pony Express, DarkWatchman provides a stealthy gateway for further malicious activity. The emails carry a purported invoice in the form of a ZIP archive, which in turn contains the payload needed to infect the Windows system.

The new RAT consists of both a fileless JavaScript RAT and a C#-based keylogger, the latter of which is stored in the registry to avoid detection. Both components are also extremely lightweight: the malicious JavaScript code is only about 32KB, while the keylogger is a mere 8.5KB.

"Storing the binary in the registry as encoded text means that DarkWatchman is persistent but its executable is never (permanently) written to disk; it also means that DarkWatchman operators can update (or replace) malware every time it is executed," the researchers said.


Once installed, DarkWatchman can run arbitrary binaries, load DLL files, run JavaScript code and PowerShell commands, upload files to a remote server, update itself, and even uninstall the RAT and keylogger from the compromised machine. The JavaScript routine is also responsible for establishing persistence by creating a scheduled task that runs the malware every time the user logs in.

"The keylogger itself does not communicate with the C2 or write to disk," the researchers said. "Instead, it writes its keylog to a registry key that it uses as a buffer. While running, the RAT scrapes and clears this buffer before transmitting the recorded keystrokes to the C2 server."
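The technique described above, storing an encoded executable and a keystroke buffer as registry values, leaves a signal a defender can hunt for: registry writes whose data is far larger and more random-looking than ordinary configuration values. The following is an added detection sketch, not code from the report or from Prevailion; the thresholds, the Sysmon-style event shape and the registry paths are assumptions and placeholders, and the sample events are constructed.

```python
import base64
import math
from collections import Counter

# Thresholds are assumptions for this example, not values from the report.
MIN_SUSPICIOUS_LEN = 4096   # characters of string data in a single value
MIN_ENTROPY = 4.5           # bits per character; plain text sits near 4.0

def shannon_entropy(s: str) -> float:
    """Bits of entropy per character of s (0.0 for empty input)."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())

def looks_base64(s: str) -> bool:
    """True if s decodes cleanly as base64 (a cheap signal, not proof)."""
    try:
        base64.b64decode(s, validate=True)
        return True
    except (ValueError, TypeError):
        return False

def flag_registry_events(events):
    """Return (key, reason) for each registry-value-set event whose data
    looks like an encoded blob rather than a normal configuration value."""
    hits = []
    for ev in events:
        if ev.get("EventID") != 13:          # Sysmon: RegistryEvent (Value Set)
            continue
        data = ev.get("Details", "")
        if len(data) < MIN_SUSPICIOUS_LEN:
            continue
        reasons = []
        ent = shannon_entropy(data)
        if ent >= MIN_ENTROPY:
            reasons.append(f"entropy={ent:.2f}")
        if looks_base64(data):
            reasons.append("base64-decodable")
        if reasons:
            hits.append((ev["TargetObject"], ", ".join(reasons)))
    return hits

# Constructed sample events; the key paths are placeholders, not DarkWatchman's.
_blob = base64.b64encode(bytes(range(256)) * 20).decode()  # ~6.8 KB encoded
SAMPLE_EVENTS = [
    {"EventID": 13, "TargetObject": "HKU\\S-1-5-21-PLACEHOLDER\\Software\\Example\\lang", "Details": "en-US"},
    {"EventID": 13, "TargetObject": "HKU\\S-1-5-21-PLACEHOLDER\\Software\\Example\\blob", "Details": _blob},
    {"EventID": 1, "TargetObject": "", "Details": "process create, ignored"},
]

if __name__ == "__main__":
    for key, why in flag_registry_events(SAMPLE_EVENTS):
        print(f"SUSPECT {key}: {why}")
```

Size and entropy alone will also catch legitimate software that caches serialized data in the registry, so in practice the hits are a triage list to correlate with the writing process and any scheduled task created around the same time, not a verdict.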

DarkWatchman has yet to be attributed to a hacking group, but Prevailion has described the operators as a "capable threat actor," pointing to the malware's exclusive targeting of victims located in Russia and to the typographical errors and misspellings identified in the source code samples, which raise the possibility that the operators are not English speaking.

"It appears that the authors of DarkWatchman have identified and taken advantage of the complexity and opacity of the Windows registry to work below or around the detection threshold of security tools and analysts," the researchers concluded. "Registry changes are common, and it can be difficult to identify changes that are abnormal or outside of normal operating system and software functions."