Cybersecurity researchers from Prevailion Adversarial Counterintelligence Team (PACT), have unearthed a new fileless malware dubbed DarkWatchman propagated via a social engineering campaign.
The RAT is designed to completely bypass detection and analysis; thereby could easily be employed in ransomware operations. DarkWatchman uses a complex domain generation algorithm (DGA) to identify its command-and-control (C2) infrastructure and exploit the Windows Registry storage operations.
The malware "utilizes novel methods for fileless persistence, on-system activity, and dynamic run-time capabilities like self-updating and recompilation," researchers Matt Stafford and Sherman Smith stated.
“It represents an evolution in fileless malware techniques, as it uses the registry for nearly all temporary and permanent storage and therefore never writes anything to disk, allowing it to operate beneath or around the detection threshold of most security tools."
According to the researchers, the RAT began its operations in November and exploited multiple known TLS certificates. Given its backdoor and persistence features, the researchers believe that DarkWatchman could be an 'initial access and reconnaissance tool' used by ransomware groups.
Typically, ransomware operators need other attackers for managing the persistence and wide distribution of their programs. The use of fileless malware with such detection evading techniques helps the developers of the ransomware with better oversight over the operation beyond negotiating ransoms.
The novel RAT is both a fileless JavaScript RAT and a C#-based keylogger, the latter of which is stored in the registry to avoid detection. Both the components are also extremely lightweight. The malicious JavaScript code just takes about 32kb, while the keylogger barely registers at 8.5kb.
"The storage of the binary in the registry as encoded text means that DarkWatchman is persistent yet its executable is never (permanently) written to disk; it also means that DarkWatchman's operators can update (or replace) the malware every time it's executed," the researchers said.
Once installed, the malware can execute arbitrary binaries, load DLL files, run JavaScript code, and PowerShell commands, upload files to a remote server, update itself, and even uninstall the RAT and keylogger from the exploited device. The JavaScript routine is also responsible for establishing persistence by creating a scheduled task that runs the malware at every user log on.
"It would appear that the authors of DarkWatchman identified and took advantage of the complexity and opacity of the Windows Registry to work underneath or around the detection threshold of security tools and analysts alike," the researchers concluded. "Registry changes are commonplace, and it can be difficult to identify which changes are anomalous or outside the scope of normal OS and software functions."
