A novel remote access trojan (RAT) being distributed via a Russian-language spear-phishing campaign is using unique manipulation of Windows Registry to evade most security detections, demonstrating a significant evolution in fileless malware techniques.
Dubbed DarkWatchman, the RAT – discovered by researchers at Prevailion’s Adversarial Counterintelligence Team (PACT) – uses the registry on Windows systems for nearly all temporary storage on a machine and thus never writes anything to disk. This allows it “to operate beneath or around the detection threshold of most security tools,” PACT researchers Matt Stafford and Sherman Smith wrote in a report published late Tuesday.
In addition to its fileless persistence, DarkWatchman also uses a “robust” Domain Generation Algorithm (DGA) to identify its command-and-control (C&C) infrastructure and includes dynamic run-time capabilities like self-updating and recompilation, researchers observed.
PACT’s first hint of the RAT’s activity came in November via a TLS certificate on the abuse.ch SSLBL for the domain name “bfdb1290[.]top.” Researchers found a malicious sample of the RAT linked to the blacklisted certificate via VirusTotal, leading to the discovery of another associated domain hosted at a Bulgarian IP address on the network of the ISP Belcloud LTD.
The PACT team constructed a timeline of activity and eventually identified DarkWatchman being distributed through a spear-phishing campaign using Russian-language emails with the subject line “Free storage expiration notification.” They appeared to come from a sender at the domain “ponyexpress[.]ru.”
“The body of the email … contained additional lure material that one would likely anticipate after reading the subject,” researchers wrote. “Notably, it referenced the (malicious) attachment, an expiration of free storage, and claimed to be from Pony Express (thus further reinforcing the spoofed sender address).”
Sophisticated Windows Registry Manipulation
The design of DarkWatchman demonstrates that its creators know their way around Windows Registry, researchers observed. The RAT uses the registry in a “particularly novel” way – “to communicate between abstracted threads of operation, and as both persistent and temporary storage,” they wrote.
“It would appear that the authors of DarkWatchman identified and took advantage of the complexity and opacity of the Windows Registry to work underneath or around the detection threshold of security tools and analysts alike,” researchers wrote. “Registry changes are commonplace, and it can be difficult to identify which changes are anomalous or outside the scope of normal OS and software functions.”
DarkWatchman also uses the registry as both a temporary storage buffer for information that has yet to be sent to command-and-control (C2) and as a storage location for the encoded executable code prior to runtime. These features “indicate a robust understanding of software development and the Windows Operating System itself,” researchers wrote.
“The storage of the binary in the registry as encoded text means that DarkWatchman is persistent yet its executable is never (permanently) written to disk; it also means that DarkWatchman’s operators can update (or replace) the malware every time it’s executed,” they observed.
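The report describes the RAT keeping its encoded executable as text inside registry values rather than on disk. One defender-side check that follows from that description is to hunt for string values that are far larger than ordinary configuration data and look like an encoded blob. The heuristic below is an added example written for this article, not code from PACT or from the malware; the registry records are constructed samples, and the size and entropy thresholds are assumptions to be tuned per environment.

```python
import math
import random
import re
from dataclasses import dataclass

# Base64-style alphabet only; a value with quotes, braces or spaces is not a raw encoded blob.
ENCODED_RE = re.compile(r"[A-Za-z0-9+/]+=*")


@dataclass
class RegValue:
    key: str   # registry key path, e.g. HKCU\Software\...
    name: str  # value name
    data: str  # string (REG_SZ) data as exported from the hive


def shannon_entropy(s: str) -> float:
    """Bits per character; ~6.0 for random base64 text, 0.0 for a repeated character."""
    if not s:
        return 0.0
    n = len(s)
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def looks_like_encoded_payload(v: RegValue, min_len: int = 2048, min_entropy: float = 4.5) -> bool:
    """Flag a value that is large, drawn only from an encoding alphabet, and high-entropy.
    Thresholds are assumptions: legitimate values rarely exceed a few KB of base64-like text."""
    d = v.data
    return len(d) >= min_len and ENCODED_RE.fullmatch(d) is not None and shannon_entropy(d) >= min_entropy


def hunt(values):
    """Return the values worth a closer look (decode, check for script/PE content, check context)."""
    return [v for v in values if looks_like_encoded_payload(v)]


# Constructed sample records (hypothetical paths and names, not real DarkWatchman artifacts).
_rng = random.Random(1337)
_FAKE_BLOB = "".join(_rng.choice("ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/")
                     for _ in range(4096)) + "=="
SAMPLE_VALUES = [
    RegValue(r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run", "OneDrive",
             r"C:\Users\u\AppData\Local\Microsoft\OneDrive\OneDrive.exe /background"),  # short, benign
    RegValue(r"HKCU\Software\ExampleVendor\Settings", "Config",
             '{"theme":"dark","lang":"en","recent":["a.txt","b.txt"]}' * 60),            # large but JSON
    RegValue(r"HKCU\Software\ExampleVendor\Padding", "Filler", "A" * 3000),             # large, zero entropy
    RegValue(r"HKCU\Software\ExampleVendor\Cache", "Stage", _FAKE_BLOB),                # large, encoded-looking
]

if __name__ == "__main__":
    for hit in hunt(SAMPLE_VALUES):
        print(f"suspicious: {hit.key}\\{hit.name} ({len(hit.data)} chars, "
              f"entropy {shannon_entropy(hit.data):.2f})")
```

Only the "Stage" record is reported; the JSON and padding records show the two false-positive paths (wrong alphabet, low entropy) the heuristic is designed to skip.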
Tool of Ransomware Actors?
Due to certain aspects of its functionality, researchers believe that DarkWatchman is being used by ransomware actors and their affiliates “as a first stage initial payload for ransomware deployment,” they wrote.
These aspects include its attempt to delete shadow copies on installation, its search for enterprise targets – for example, smart-card readers – and its ability to remotely load additional payloads, they explained.
Moreover, the RAT’s introduction of a DGA-determined C2 structure provides resiliency and randomness to its communications that suggests ransomware operators are using it to support affiliate activities, they said.
“One interesting hypothesis is that the ransomware operators could provide something like DarkWatchman to their less technologically capable affiliates, and once the affiliate gains a foothold in the system, it automatically communicates back to domains the operator controls,” researchers wrote.
This type of activity would eliminate the need for affiliates to deploy the ransomware or handle file exfiltration, and would move the ransomware operator from a negotiator role to one of actively controlling the infection, they said.
Overall, it’s clear that DarkWatchman’s feature set shows the work of a sophisticated threat actor and represents a key step forward in how attackers can gain initial entry and then achieve a stealthy persistent presence on Windows systems to exfiltrate data and perform other nefarious activities, researchers wrote.
“DarkWatchman is significant as it represents an evolution in fileless malware techniques – among other novel features – which make it particularly concerning,” they said.