To avoid detection and analysis, a novel JavaScript-based remote access Trojan (RAT) spread via a social engineering campaign has been spotted using stealthy “fileless” approaches as part of its detection-evasion strategies.
The malware, dubbed DarkWatchman by Prevailion’s Adversarial Counterintelligence Team (PACT), employs a robust domain generation algorithm (DGA) to identify its command-and-control (C2) infrastructure and stores all of its data in the Windows Registry, allowing it to avoid antimalware engines.
The RAT “utilizes novel methods for fileless persistence, on-system activity, and dynamic run-time capabilities like self-updating and recompilation,” researchers Matt Stafford and Sherman Smith said, adding it “represents an evolution in fileless malware techniques, as it uses the registry for nearly all temporary and permanent storage and therefore never writes anything to disk, allowing it to operate beneath or around the detection threshold of most security tools.”
Prevailion claimed one of the targeted victims was an undisclosed enterprise-sized firm in Russia, with several malware artifacts discovered beginning November 12, 2021. DarkWatchman might be early access and reconnaissance tool for ransomware gangs, according to the PACT team, because of its backdoor and persistence features.
This unique invention has the fascinating side effect of eliminating the need for ransomware operators to hire affiliates, who are usually in charge of releasing the file-locking software and handling the file exfiltration. Using DarkWatchman as a prologue to ransomware deployments also gives the ransomware’s core creators more control over the operation than just negotiating ransoms.
DarkWatchman is a stealthy conduit for additional malicious activity sent via spear-phishing emails posing as “Free storage expiration notification” for a cargo delivered by Russian transportation firm Pony Express. The emails include a fictitious invoice in a ZIP package, which consists of the payload required to infect a Windows PC.
The new RAT is a fileless JavaScript RAT and C#-based keylogger kept in the registry to prevent detection. In addition, both components are incredibly light. The malicious JavaScript code is only 32kb in size, whereas the keylogger is only 8.5kb.
DarkWatchman can run arbitrary programs, load DLL files, perform JavaScript code and PowerShell commands, upload files to a remote server, update itself, and even remove the RAT and keylogger from a compromised system once it’s been installed. The JavaScript routine also establishes persistence by setting a scheduled job that launches the virus every time a user logs in.
DarkWatchman has yet to be linked to a hacking group. Still, Prevailion described the crew as a “capable threat actor,” noting the malware’s exclusive targeting of Russian victims as well as the source code samples’ typographical errors and misspellings, raising the possibility that the operators are not native English speakers.
