Select Page

A new JavaScript-based remote access Trojan (RAT) propagated via a social engineering campaign has been observed employing sneaky “fileless” techniques as part of its detection-evasion methods to elude discovery and analysis.

Dubbed DarkWatchman by researchers from Prevailion’s Adversarial Counterintelligence Team (PACT), the malware uses a resilient domain generation algorithm (DGA) to identify its command-and-control (C2) infrastructure and utilizes the Windows Registry for all of its storage operations, thereby enabling it to bypass antimalware engines.

The RAT “utilizes novel methods for fileless persistence, on-system activity, and dynamic run-time capabilities like self-updating and recompilation,” researchers Matt Stafford and Sherman Smith said, adding it “represents an evolution in fileless malware techniques, as it uses the registry for nearly all temporary and permanent storage and therefore never writes anything to disk, allowing it to operate beneath or around the detection threshold of most security tools.”

Prevailion said that an unnamed enterprise-sized organization in Russia was one among the targeted victims, with a number of malware artifacts identified starting November 12, 2021. Given its backdoor and persistence features, the PACT team assessed that DarkWatchman could be an initial access and reconnaissance tool for use by ransomware groups.

An interesting consequence of this novel development is that it completely obviates the need for ransomware operators to recruit affiliates, who are typically in charge of dropping the file-locking malware and handling the file exfiltration. Using DarkWatchman as a prelude for ransomware deployments also equips the core developers of the ransomware with better oversight over the operation beyond negotiating ransoms.

images from Hacker News