The evasive malware delivers a fileless payload through spear-phishing emails built around a socially engineered lure. The RAT is designed to operate below the detection threshold of most security tools and to resist analysis, and it is assessed to be well suited to ransomware operations.

Advanced Fileless Malware is Here

Researchers from PACT (Prevailion Adversarial Counterintelligence Team) have published an in-depth report entitled “DarkWatchman: A new evolution in fileless techniques.” Threatpost added that the novel RAT “manipulates Windows Registry in unique ways” and that it is “likely being used by ransomware groups for initial network access.” The Hacker News described it as a “new JavaScript-based remote access Trojan (RAT) propagated via a social engineering campaign.”

The DarkWatchman RAT

DarkWatchman is a JavaScript-based RAT. It uses a domain generation algorithm (DGA) to locate its command-and-control (C2) servers and stores its configuration and components in the Windows Registry instead of in files on disk, which keeps it beneath the threshold of traditional anti-malware suites that rely on scanning files (the registry hives are themselves files, but there is no standalone payload file for a scanner to find). The RAT can “self-update” and “recompile” itself by utilizing “novel methods for fileless persistence,” said security researchers Matt Stafford and Sherman Smith, as quoted by The Hacker News. DarkWatchman is an “evolution in fileless malware techniques” because of how it uses the Windows Registry “and never writes anything to disk,” the researchers added; this lets it operate “beneath or around the detection threshold of most security tools.” Artifacts attributed to DarkWatchman were identified as early as November 12, 2021, and the malware has since targeted “an unnamed enterprise-sized organization in Russia.” The PACT team considers it highly plausible that DarkWatchman is being used by ransomware groups.

Who is Behind DarkWatchman?

According to the Prevailion report, “[The] capabilities and functionality of both the JavaScript and C# elements of DarkWatchman indicate a capable threat actor.” The “lure” documents in the spoofed emails are in Russian, and the mail servers used to propagate the RAT “are parked at a Russian internet services company.” Security researchers at PACT reverse engineered DarkWatchman’s DGA and “dynamically analyzed the malware.” The team also investigated the “web-based infrastructure.” Initially, the researchers caught the RAT “via a TLS certificate on the abuse.ch SSLBL for the domain name bfdb1290[.]top.” After tracing the IP address of the domain, PACT found that it belonged to “ALEXHOST S.R.L” in Moldova. Following that, PACT researchers obtained a sample of the RAT that was associated with a domain resolving to a Bulgarian IP address belonging to Belcloud LTD, a Bulgarian cloud infrastructure services and development company. Further analysis showed that the RAT was being distributed via spoofed Russian-language emails with the subject line “Free storage expiration notification.” The emails pointed to a Pony Express (ponyexpress.ru, a Russian courier service) URL.

Novel Tool For Ransomware Groups or Affiliates

PACT’s report states that the team “assesses with moderate confidence that this is an initial access tool for use by ransomware groups or affiliates.” Strong indications that the tool is built for ransomware use are that DarkWatchman deletes volume shadow copies upon installation (removing the local restore points a victim would otherwise use to recover encrypted files) and appears to explicitly search for smart card readers, which suggests enterprises are the intended targets. The RAT can also “remotely load additional payloads.” Such patterns indicate that the RAT is designed as a “first stage initial payload” in ransomware deployment. Another notable aspect, according to the PACT report, is that “ransomware operators could provide something like DarkWatchman to their less technologically capable affiliates,” because all the affiliate would need to do is deliver the payload to the target. The “ransomware operator” can then “actively” take over, because the RAT “automatically communicates” with operator-controlled domains. What sets DarkWatchman apart is the way it leverages the Windows Registry, its “robust” DGA, its persistence, and its ability to compile itself using LOLbins (living-off-the-land binaries, i.e. legitimate tools already present on Windows). This combination of features “represents an important step in the evolution of threat actor TTPs on Windows systems.”
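As an added example (not code from the Prevailion report or from DarkWatchman itself), the following Python script turns the behaviours described in the two sections above into hunting heuristics and runs them over a handful of constructed Sysmon-like events: shadow copy deletion spawned by a script host, a script host launching the .NET command-line compiler csc.exe (the page says the RAT self-compiles with LOLbins but names no binary, so csc.exe is an assumption), and a registry value write whose size and entropy look like a staged payload rather than configuration. The event records, file paths, registry key names and thresholds are all constructed for illustration and are not indicators from the report.

```python
"""Hunting heuristics for DarkWatchman-style tradecraft (added example, not PACT's code).

Three checks over simplified, constructed Sysmon-like event records:
  1. shadow copy deletion (vssadmin / wmic / WMI; assumed common methods)
  2. a script host spawning a .NET compiler (csc.exe is an assumption)
  3. a large, high-entropy value written to the registry (payload staging)
"""
import base64
import hashlib
import math
import re
from collections import Counter
from dataclasses import dataclass

SHADOW_DELETE_RE = re.compile(
    r"vssadmin(\.exe)?\s+delete\s+shadows"
    r"|wmic(\.exe)?\s+shadowcopy\s+delete"
    r"|win32_shadowcopy",
    re.IGNORECASE,
)
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe", "powershell.exe"}
DOTNET_COMPILERS = {"csc.exe", "vbc.exe"}


def basename(win_path: str) -> str:
    """Last component of a Windows path, lower-cased (os.path would not split '\\' on Linux)."""
    return win_path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def shannon_entropy(s: str) -> float:
    """Bits per character: random base64 is close to 6.0, paths and English text around 4.0 to 4.5."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def is_shadow_copy_deletion(command_line: str) -> bool:
    return bool(SHADOW_DELETE_RE.search(command_line))


def is_script_host_spawning_compiler(image: str, parent_image: str) -> bool:
    return basename(image) in DOTNET_COMPILERS and basename(parent_image) in SCRIPT_HOSTS


def is_suspicious_registry_blob(details: str, min_len: int = 512, min_entropy: float = 5.0) -> bool:
    """Both conditions must hold, so a long but low-entropy value (padding, repeated text) is not flagged."""
    return len(details) >= min_len and shannon_entropy(details) >= min_entropy


@dataclass
class Finding:
    rule: str
    detail: str


def hunt(events):
    """Apply the heuristics to Sysmon-like dicts (EventID 1 = process create, 13 = registry value set)."""
    findings = []
    for ev in events:
        if ev["EventID"] == 1:
            if is_shadow_copy_deletion(ev["CommandLine"]):
                findings.append(Finding("shadow_copy_deletion", ev["CommandLine"]))
            if is_script_host_spawning_compiler(ev["Image"], ev["ParentImage"]):
                findings.append(Finding("script_host_spawns_compiler", f"{ev['ParentImage']} -> {ev['Image']}"))
        elif ev["EventID"] == 13:
            if is_suspicious_registry_blob(ev["Details"]):
                findings.append(Finding("registry_staged_blob", ev["TargetObject"]))
    return findings


# Constructed sample data: a deterministic pseudo-random 768-byte blob, base64-encoded (1024 chars).
_blob = b"".join(hashlib.sha256(bytes([i])).digest() for i in range(24))
LARGE_BLOB = base64.b64encode(_blob).decode()

# Constructed events; every path and key name here is illustrative, not an indicator from the report.
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": r"C:\Windows\System32\wscript.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r'wscript.exe "C:\Users\u\AppData\Local\Temp\notice.js"'},
    {"EventID": 1, "Image": r"C:\Windows\System32\vssadmin.exe",
     "ParentImage": r"C:\Windows\System32\wscript.exe",
     "CommandLine": "vssadmin.exe delete shadows /all /quiet"},
    {"EventID": 1, "Image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe",
     "ParentImage": r"C:\Windows\System32\wscript.exe",
     "CommandLine": "csc.exe /nologo /target:library /out:stub.dll stub.cs"},
    {"EventID": 1, "Image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe",
     "ParentImage": r"C:\BuildTools\MSBuild\Current\Bin\MSBuild.exe",  # benign build, illustrative path
     "CommandLine": "csc.exe /nologo /out:app.exe app.cs"},
    {"EventID": 13, "TargetObject": r"HKU\S-1-5-21-1\Software\Example\cfg",
     "Details": LARGE_BLOB},
    {"EventID": 13, "TargetObject": r"HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Run\App",
     "Details": r"C:\Program Files\App\app.exe"},  # benign: short, low entropy
    {"EventID": 13, "TargetObject": r"HKU\S-1-5-21-1\Software\Example\padding",
     "Details": "A" * 2000},  # long but low entropy: not flagged
]

if __name__ == "__main__":
    for f in hunt(SAMPLE_EVENTS):
        print(f"[{f.rule}] {f.detail}")
```

Run it as `python hunt.py` to see the three constructed hits; the benign compiler launch and the two harmless registry writes stay silent. The entropy rule is a triage heuristic rather than a verdict: legitimate software also stores large binary values under HKCU, so in production you would pair it with the writing process (a script host or PowerShell writing a kilobyte-scale blob is far more interesting than an installer doing so) and tune `min_len` and `min_entropy` against your own baseline.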
