Dubbed DarkWatchman by researchers from Prevailion's Adversarial Counterintelligence Team (PACT), the malware uses a domain generation algorithm (DGA) to identify its command-and-control (C2) infrastructure and relies on the Windows Registry for all of its storage operations, allowing it to bypass anti-malware tools.
Researchers Matt Stafford and Sherman Smith say the RAT "uses novel methods for fileless persistence, system activity, and dynamic run-time capabilities such as self-updating and recompilation." Because it uses the registry for nearly all temporary and permanent storage, "it never writes anything to disk, allowing it to operate beneath or around the detection threshold of most security tools."
Prevailion says that an unnamed enterprise-scale organization in Russia was among the targeted victims, with several malware artifacts identified starting November 12, 2021. Given its backdoor and persistence features, the PACT team assesses that DarkWatchman could serve as an initial access and reconnaissance tool for use by ransomware groups.
An interesting consequence of this novel development is that ransomware operators would no longer need to recruit affiliates, who are normally responsible for deploying the file-locking malware and handling the intrusion. Using DarkWatchman as a prelude to ransomware deployment also gives the ransomware core developers better oversight of the operation beyond negotiating the ransom.
Spread through phishing emails masquerading as a "Free Storage Expiration Notice" for a shipment delivered by the Russian shipping company Pony Express, DarkWatchman provides a stealthy gateway for further malicious activity. The emails carry an attachment purporting to be an invoice in the form of a ZIP archive, which in turn contains the payload needed to infect the Windows system.
“Storing the binary in the registry as encrypted text means that DarkWatchman is persistent, but its executable is never (permanently) written to disk; it also means that DarkWatchman operators can update (or replace) the malware each time it is executed,” the researchers said.
The keylogger itself does not communicate with C2 or write to disk, the researchers said. “Instead, it writes its keylog to a registry key that it uses as a cache. During operation, the RAT will scan and clear this buffer before transmitting the recorded keystrokes to the C2 server.”
DarkWatchman has yet to be attributed to a hacking group, but Prevailion has described the crew as a "potential threat actor," and points out that the malware's exclusive targeting of victims in Russia, together with the typographical errors and misspellings identified in the source code samples, raises the possibility that the operators may not be native English speakers.
"It appears that the authors of DarkWatchman identified and took advantage of the complexity and opacity of the Windows Registry to operate below or around the detection thresholds of security tools and analysts," the researchers said. "Registry changes are common, and it can be difficult to determine which changes are unusual or beyond the scope of normal operating system and software functions."
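One way a defender can narrow that problem, as an added example that is not part of the original report or Prevailion's tooling: an encrypted binary or keylog buffer parked in the registry shows up as a string value that is both unusually long and high-entropy, which ordinary paths and settings are not. The registry export below is constructed, the blob is a stand-in built from hash digests, and the key and value names are invented.

```python
import hashlib
import math
import re

# Constructed stand-in for an encrypted blob (NOT a real sample): 16 chained
# SHA-256 hex digests give 1024 characters that look like ciphertext.
FAKE_BLOB = "".join(hashlib.sha256(bytes([i])).hexdigest() for i in range(16))

# Constructed .reg export: one ordinary autorun value plus one oversized blob
# parked under an unremarkable key (backslashes are doubled, as in .reg files).
SAMPLE_REG = f'''
[HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run]
"OneDrive"="C:\\\\Users\\\\u\\\\AppData\\\\Local\\\\Microsoft\\\\OneDrive.exe /background"

[HKEY_CURRENT_USER\\Software\\ConstructedVendor\\Cache]
"data"="{FAKE_BLOB}"
"ver"="3"
'''

KEY_RE = re.compile(r"^\[(.+)\]$")
VAL_RE = re.compile(r'^"([^"]+)"="(.*)"$')


def shannon_entropy(s):
    """Bits per character; random hex is close to 4, text and paths far lower."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in (s.count(ch) for ch in set(s)))


def parse_reg(text):
    """Yield (key, name, value) for REG_SZ-style entries in a .reg export."""
    key = None
    for line in text.splitlines():
        line = line.strip()
        m = KEY_RE.match(line)
        if m:
            key = m.group(1)
            continue
        m = VAL_RE.match(line)
        if m and key:
            yield key, m.group(1), m.group(2)


def find_suspicious(text, min_len=512, min_entropy=3.5):
    """Return (key, name, length, entropy) for values that are both long and
    high-entropy. Some legitimate software also stores large blobs, so treat
    hits as triage leads to inspect, not as verdicts."""
    hits = []
    for key, name, value in parse_reg(text):
        ent = shannon_entropy(value)
        if len(value) >= min_len and ent >= min_entropy:
            hits.append((key, name, len(value), round(ent, 2)))
    return hits


if __name__ == "__main__":
    for hit in find_suspicious(SAMPLE_REG):
        print(hit)
```

Running the same check over a real export (`reg export HKCU out.reg`) taken at two points in time, and diffing the hits, separates newly appearing blobs from the background churn the researchers describe.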