The malware, dubbed DarkWatchman by Prevailion’s Adversarial Counterintelligence Team (PACT), employs a robust domain generation algorithm (DGA) to identify its command-and-control (C2) infrastructure and stores all of its data in the Windows Registry, allowing it to avoid antimalware engines.
The RAT “utilizes novel methods for fileless persistence, on-system activity, and dynamic run-time capabilities like self-updating and recompilation,” researchers Matt Stafford and Sherman Smith said, adding it “represents an evolution in fileless malware techniques, as it uses the registry for nearly all temporary and permanent storage and therefore never writes anything to disk, allowing it to operate beneath or around the detection threshold of most security tools.”
Prevailion said one of the targeted victims was an undisclosed enterprise-sized firm in Russia, with several malware artifacts discovered beginning November 12, 2021. Because of its backdoor and persistence features, the PACT team believes DarkWatchman might serve as an initial-access and reconnaissance tool for ransomware gangs.
This design has a notable side effect: it removes the need for ransomware operators to hire affiliates, who are usually responsible for deploying the file-locking software and handling data exfiltration. Using DarkWatchman as a prelude to ransomware deployment also gives the ransomware's core developers more control over the operation, beyond just negotiating ransoms.
DarkWatchman is delivered as a stealthy foothold for further malicious activity via spear-phishing emails posing as a "Free storage expiration notification" for a shipment handled by the Russian transportation firm Pony Express. The emails carry a fictitious invoice in a ZIP archive, which contains the payload needed to infect a Windows PC.
DarkWatchman has yet to be linked to a hacking group. Still, Prevailion described the crew as a “capable threat actor,” noting the malware’s exclusive targeting of Russian victims as well as the source code samples’ typographical errors and misspellings, raising the possibility that the operators are not native English speakers.