21 December 2021

NO STOPPING HACKING GONE WILD...More 'Threat Actors' emerge from The Cyber Sphere

Looks like that is a SIGN OF OUR TIME

New stealthy DarkWatchman malware hides in the Windows Registry

A new malware named 'DarkWatchman' has emerged in the cybercrime underground, and it's a lightweight and highly-capable JavaScript RAT (Remote Access Trojan) paired with a C# keylogger.

According to a technical report by researchers at Prevailion, the novel RAT is employed by Russian-speaking actors who target mainly Russian organizations.

The first signs of DarkWatchman's existence appeared in early November as the threat actor began distributing the malware through phishing emails with malicious ZIP attachments.

Sample of phishing email used in DarkWatchman distribution

These ZIP file attachments contain an executable using an icon to impersonate a text document. This executable is a self-installing WinRAR archive that will install the RAT and keylogger.

If opened, the user is shown a decoy popup message that reads "Unknown Format," but in reality, the payloads have been installed in the background.

A stealthy 'file-less' RAT

DarkWatchman is a very light malware, with the JavaScript RAT measuring just 32kb in size and the compiled C# keylogger taking only 8.5kb of space.

It utilizes a large set of "living off the land" binaries, scripts, and libraries, and incorporates stealthy methods to transfer data between modules.

The fascinating aspect of DarkWatchman is its use of the Windows Registry fileless storage mechanism for the keylogger. 

Instead of storing the keylogger on disk, a scheduled task is created to launch the DarkWatchman RAT every time the user logs into Windows.

Once launched, DarkWatchman will execute a PowerShell script that compiles the keylogger using the .NET CSC.exe command and launches it into memory . . .

[...] DarkWatchman’s functional capabilities are the following:

  • Execute EXE files (with or without the output returned)
  • Load DLL files
  • Execute commands on the command line
  • Execute WSH commands
  • Execute miscellaneous commands via WMI
  • Execute PowerShell commands
  • Evaluate JavaScript
  • Upload files to the C2 server from the victim machine
  • Remotely stop and uninstall the RAT and Keylogger
  • Remotely update the C2 server address or call-home timeout
  • Update the RAT and Keylogger remotely
  • Set an autostart JavaScript to run on RAT startup
  • A Domain Generation Algorithm (DGA) for C2 resiliency
  • If the user has admin permissions, it deletes shadow copies using vssadmin.exe
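The fileless chain described above (a scheduled task launching the JavaScript RAT at logon, PowerShell invoking CSC.exe to compile the keylogger in memory) and the vssadmin.exe shadow-copy deletion in the capability list all leave process-creation traces a defender can hunt for. The script below is an added example written for this post, not code from Prevailion, BleepingComputer or the malware itself; the event records are constructed Sysmon-style samples, and the assumption that tasks started by the Task Scheduler service appear with svchost.exe as their parent is a heuristic, not something the report states.

```python
"""Heuristic hunting rules for the DarkWatchman behaviours in the text, run over
constructed Sysmon-style process-creation records (sample data, not real telemetry)."""
import re
from dataclasses import dataclass


@dataclass
class ProcEvent:
    image: str          # full path of the created process
    cmdline: str        # its command line
    parent_image: str   # full path of the parent process


def _base(path: str) -> str:
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


RULES = {
    # PowerShell driving the .NET compiler: the in-memory compile of the keylogger.
    # The parent check keeps legitimate builds (e.g. from an IDE) out of the hits.
    "powershell_csc_compile": lambda e: (
        _base(e.parent_image) == "powershell.exe" and _base(e.image) == "csc.exe"
    ),
    # Shadow-copy deletion via vssadmin, the ransomware-prep step from the capability list.
    "vssadmin_delete_shadows": lambda e: (
        _base(e.image) == "vssadmin.exe"
        and re.search(r"delete\s+shadows", e.cmdline, re.I) is not None
    ),
    # Windows Script Host running a .js file under the Task Scheduler service host
    # (assumption: scheduled tasks show svchost.exe as parent on modern Windows).
    "scheduled_wsh_javascript": lambda e: (
        _base(e.image) in ("wscript.exe", "cscript.exe")
        and _base(e.parent_image) == "svchost.exe"
        and re.search(r"\.js\b", e.cmdline, re.I) is not None
    ),
}


def detect(events):
    """Return (rule_name, process_name) for every event that trips a rule."""
    hits = []
    for e in events:
        for name, rule in RULES.items():
            if rule(e):
                hits.append((name, _base(e.image)))
    return hits


# Constructed sample events mimicking the chain described in the article.
SAMPLE_EVENTS = [
    ProcEvent(r"C:\Windows\System32\wscript.exe",
              r'wscript.exe "C:\Users\alice\AppData\Roaming\update.js"',
              r"C:\Windows\System32\svchost.exe"),
    ProcEvent(r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              "powershell.exe -nop -w hidden -c ...",
              r"C:\Windows\System32\wscript.exe"),
    ProcEvent(r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe",
              r"csc.exe /nologo /out:C:\Users\alice\AppData\Local\Temp\kl.exe kl.cs",
              r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"),
    ProcEvent(r"C:\Windows\System32\vssadmin.exe",
              "vssadmin.exe delete shadows /all /quiet",
              r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"),
    ProcEvent(r"C:\Windows\System32\notepad.exe",
              "notepad.exe",
              r"C:\Windows\explorer.exe"),
]

if __name__ == "__main__":
    for rule, proc in detect(SAMPLE_EVENTS):
        print(f"{rule:28s} {proc}")
```

The rules are deliberately narrow: a csc.exe launch alone is common on developer machines, so the parent-process condition does the real work, and the same reasoning applies to wscript.exe, which only becomes interesting when the Task Scheduler service spawns it with a script in a user-writable location.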

The ransomware hypothesis

Prevailion theorizes that DarkWatchman may be tailored by/for ransomware groups that need to empower their less capable affiliates with a potent and stealthy tool.

The malware can load additional payloads remotely, so it could be used as a stealthy first-stage infection for subsequent ransomware deployment.

Since DarkWatchman can communicate with actor-controlled domains after the initial foothold, the ransomware operator could take over and deploy the ransomware or handle the file exfiltration directly.

This approach would degrade the affiliate's role to that of a network infiltrator and simultaneously make RaaS operations more clinical and efficient.
