‘DarkWatchman’ RAT Shows Evolution in Fileless Malware

silversurfer

A novel remote access trojan (RAT) being distributed via a Russian-language spear-phishing campaign is using unique manipulation of Windows Registry to evade most security detections, demonstrating a significant evolution in fileless malware techniques.

Dubbed DarkWatchman, the RAT – discovered by researchers at Prevailion’s Adversarial Counterintelligence Team (PACT) – uses the registry on Windows systems for nearly all temporary storage on a machine and thus never writes anything to disk. This allows it “to operate beneath or around the detection threshold of most security tools,” PACT researchers Matt Stafford and Sherman Smith wrote in a report published late Tuesday.

In addition to its fileless persistence, DarkWatchman also uses a “robust” Domain Generation Algorithm (DGA) to identify its command-and-control (C&C) infrastructure and includes dynamic run-time capabilities like self-updating and recompilation, researchers observed.

cruelsister

A fun bit of malware, and curious how certain anti-malware products react to it. In order for the malicious process to begin, an SFX self-installing archive will be run to unpack all of the nasty goodies inside, and it seems like the majority of current detection by AV products is based on this, as although the full package is widely detected, the actual js RAT has a far lower detection rate. Note that DarkWatchman at the most basic level does 3 things: it will drop the js RAT (mine connects out to Bulgaria) into AppData/Local, add a scheduled task (run on system startup), and add the registry entries for the keylogger functionality.

As I had one of the original samples, for giggles I wondered how various 2nd opinion scanners would react to the malware on an infected machine. To that end I ran the malware on an unprotected Win10 system and scanned with the usual suspects (MB, HMP, EEK, F-secure, NPE, KVRT, and ESET). Of these only KVRT was able to detect both the js RAT and the scheduled task, deleting both. EEK, NPE, and ESET detected the RAT but not the Scheduled Task (no biggie as all that occurs is an error message on reboot), and MB, F-secure and HMP didn't detect anything. Needless to say the registry entry was ignored by all.

For any CF fans out there, CF will detect and delete the original package via cloud definitions, will prevent the SFX unpacking via Containment if the Cloud functionality is disabled, and will contain the js RAT on reboot if one allows the initial infection to proceed.

All in all, a fun time.
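The persistence cruelsister describes (a scheduled task that fires at startup and launches a js file dropped under AppData/Local) is something a responder can hunt for without relying on the scanners above. The script below is an added example, not code from the thread, from Prevailion or from any of the products mentioned: it triages Windows Task Scheduler task definitions and flags those whose action is a script host (wscript/cscript) launching a script file, scoring higher when the script sits in a user-writable profile directory and the trigger is boot or logon. The task XML samples, task names and paths are constructed for the example; on a real host you would feed it the files under C:\Windows\System32\Tasks (read as bytes, since they are UTF-16) or the output of `schtasks /query /xml`.

```python
import re
import xml.etree.ElementTree as ET

# Namespace used by Task Scheduler 2.0 task definition files.
NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
# A script file name at the end of a token: foo.js, "x.vbs", bar.wsf
SCRIPT_FILE = re.compile(r'\.(?:js|jse|vbs|vbe|wsf)(?=["\s]|$)', re.IGNORECASE)
# Locations a low-privilege dropper can write to (DarkWatchman used AppData\Local).
USER_WRITABLE = re.compile(r"(appdata\\local|%localappdata%|\\temp\\)", re.IGNORECASE)
STARTUP_TRIGGERS = {"BootTrigger", "LogonTrigger"}


def triage_task(name, xml_text):
    """Return {'task', 'verdict', 'reasons'} for one task definition.
    verdict is 'clean', 'review' (a script host runs a script) or
    'suspicious' (script host + user-writable path + boot/logon trigger)."""
    root = ET.fromstring(xml_text)
    triggers = set()
    trig_el = root.find("t:Triggers", NS)
    if trig_el is not None:
        triggers = {child.tag.rsplit("}", 1)[-1] for child in trig_el}
    reasons = []
    for ex in root.iterfind(".//t:Actions/t:Exec", NS):
        cmd = (ex.findtext("t:Command", "", NS) or "").strip().strip('"')
        args = (ex.findtext("t:Arguments", "", NS) or "").strip()
        host = cmd.replace("/", "\\").rsplit("\\", 1)[-1].lower()
        if not host.endswith(".exe"):
            host += ".exe"
        if host not in SCRIPT_HOSTS:
            continue
        cmdline = f"{cmd} {args}"
        if not SCRIPT_FILE.search(cmdline):
            continue
        reasons.append(f"{host} launches a script file: {args}")
        if USER_WRITABLE.search(cmdline):
            reasons.append("script sits in a user-writable profile directory")
        startup = triggers & STARTUP_TRIGGERS
        if startup:
            reasons.append("trigger fires at boot/logon: " + ", ".join(sorted(startup)))
    if len(reasons) >= 3:
        verdict = "suspicious"
    elif reasons:
        verdict = "review"
    else:
        verdict = "clean"
    return {"task": name, "verdict": verdict, "reasons": reasons}


# Constructed samples (no XML declaration, so they parse directly from str).
SAMPLE_TASKS = {
    # Mirrors the persistence described in the thread: logon trigger,
    # wscript running a .js placed under AppData\Local. Path is made up.
    "Updater_Task": r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers><LogonTrigger><Enabled>true</Enabled></LogonTrigger></Triggers>
  <Actions Context="Author">
    <Exec>
      <Command>C:\Windows\System32\wscript.exe</Command>
      <Arguments>//B "C:\Users\victim\AppData\Local\example_rat.js"</Arguments>
    </Exec>
  </Actions>
</Task>""",
    # Admin-style script on a schedule from a system path: worth a look, not alarming.
    "Cleanup_Logs": r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers><CalendarTrigger><StartBoundary>2021-12-01T02:00:00</StartBoundary></CalendarTrigger></Triggers>
  <Actions Context="Author">
    <Exec>
      <Command>cscript</Command>
      <Arguments>C:\Scripts\rotate_logs.vbs</Arguments>
    </Exec>
  </Actions>
</Task>""",
    # Benign vendor binary under Program Files.
    "Vendor_Daily": r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers><CalendarTrigger><StartBoundary>2021-12-01T09:00:00</StartBoundary></CalendarTrigger></Triggers>
  <Actions Context="Author">
    <Exec>
      <Command>"C:\Program Files\ExampleVendor\updater.exe"</Command>
      <Arguments>/silent</Arguments>
    </Exec>
  </Actions>
</Task>""",
}


def triage_all(tasks=SAMPLE_TASKS):
    """Triage every task and return the results, most suspicious first."""
    order = {"suspicious": 0, "review": 1, "clean": 2}
    results = [triage_task(name, xml) for name, xml in tasks.items()]
    return sorted(results, key=lambda r: order[r["verdict"]])


if __name__ == "__main__":
    for r in triage_all():
        print(f"[{r['verdict']:>10}] {r['task']}")
        for reason in r["reasons"]:
            print(f"             - {reason}")
```

The scoring is deliberately coarse: any script host running a script is worth a second look, but the combination that matters for a DarkWatchman-style infection is all three signals together, which is why the verdict only reaches "suspicious" when the path and the startup trigger line up with the script host. It says nothing about the registry-resident component the thread notes none of the scanners touched; that needs a separate sweep of the user's registry hives.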