‘DarkWatchman’ RAT Shows Evolution in Fileless Malware

silversurfer

A novel remote access trojan (RAT) being distributed via a Russian-language spear-phishing campaign is using unique manipulation of Windows Registry to evade most security detections, demonstrating a significant evolution in fileless malware techniques.

Dubbed DarkWatchman, the RAT – discovered by researchers at Prevailion’s Adversarial Counterintelligence Team (PACT) – uses the registry on Windows systems for nearly all temporary storage on a machine and thus never writes anything to disk. This allows it “to operate beneath or around the detection threshold of most security tools,” PACT researchers Matt Stafford and Sherman Smith wrote in a report published late Tuesday.

In addition to its fileless persistence, DarkWatchman also uses a “robust” Domain Generation Algorithm (DGA) to identify its command-and-control (C&C) infrastructure and includes dynamic run-time capabilities like self-updating and recompilation, researchers observed.
 

cruelsister

A fun bit of malware, and I'm curious how certain anti-malware products react to it. In order for the malicious process to begin, a SFX self-installing archive will be run to unpack all of the nasty goodies inside, and it seems like the majority of current detection by AV products is based on this, as although the full package is widely detected, the actual js RAT has a far lower detection rate. Note that DarkWatchman at the most basic level does 3 things: it will drop the js RAT (mine connects out to Bulgaria) into AppData/Local, add a scheduled task (run on system startup), and add the registry entries for the keylogger functionality.

As I had one of the original samples, for giggles I wondered how various 2nd opinion scanners would react to the malware on an infected machine. To that end I ran the malware on an unprotected Win10 system and scanned with the usual suspects (MB, HMP, EEK, F-Secure, NPE, KVRT, and ESET). Of these only KVRT was able to detect both the js RAT and the scheduled task, deleting both. EEK, NPE, and ESET detected the RAT but not the scheduled task (no biggie, as all that occurs is an error message on reboot), and MB, F-Secure and HMP didn't detect anything. Needless to say, the registry entry was ignored by all.

For any CF fans out there, CF will detect and delete the original package via cloud definitions, will prevent the SFX unpacking via Containment if the Cloud functionality is disabled, and will contain the js RAT on reboot if one allows the initial infection to proceed.

All in all, a fun time.
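Since the thread describes the three footholds (a .js RAT dropped in AppData/Local, a startup scheduled task, and bulky state parked in the registry), here is a hunting script for a defender to run on a suspect Win10 box. It is an added example, not code from the thread or from Prevailion's report, and it assumes the task launches the script via wscript/cscript and that the registry state lives somewhere under HKCU\Software (the thread names no key, so the size threshold is a heuristic, not a signature).

```powershell
# Added triage script (assumptions: JS dropper under %LOCALAPPDATA%, task runs
# wscript/cscript, RAT state stored as oversized values under HKCU\Software).
$localAppData = $env:LOCALAPPDATA

function Find-SuspiciousScheduledTasks {
    # Flag tasks whose action invokes the script host or a .js file in LocalAppData.
    Get-ScheduledTask | ForEach-Object {
        $task = $_
        foreach ($action in $task.Actions) {
            $cmd = "$($action.Execute) $($action.Arguments)"
            $usesScriptHost   = $cmd -match '(?i)\b[wc]script(\.exe)?\b'
            $jsInLocalAppData = ($cmd -match '(?i)\.js\b') -and ($cmd -match [regex]::Escape($localAppData))
            if ($usesScriptHost -or $jsInLocalAppData) {
                [pscustomobject]@{
                    TaskName = $task.TaskName
                    TaskPath = $task.TaskPath
                    Command  = $cmd
                    # e.g. MSFT_TaskBootTrigger / MSFT_TaskLogonTrigger = runs at startup
                    Triggers = ($task.Triggers | ForEach-Object { $_.CimClass.CimClassName }) -join ','
                }
            }
        }
    }
}

function Find-LargeRegistryValues {
    # Fileless storage shows up as unusually large string/binary values (threshold is a heuristic).
    param([string]$Root = 'HKCU:\Software', [int]$MinBytes = 8192)
    Get-ChildItem -Path $Root -Recurse -ErrorAction SilentlyContinue | ForEach-Object {
        $key = $_
        foreach ($name in $key.GetValueNames()) {
            $value = $key.GetValue($name)
            if ($value -is [byte[]])      { $size = $value.Length }
            elseif ($value -is [string])  { $size = [Text.Encoding]::Unicode.GetByteCount($value) }
            else                          { $size = 0 }
            if ($size -ge $MinBytes) {
                [pscustomobject]@{ Key = $key.Name; Value = $name; Bytes = $size; Kind = $key.GetValueKind($name) }
            }
        }
    }
}

Find-SuspiciousScheduledTasks | Format-Table -AutoSize
Find-LargeRegistryValues | Sort-Object Bytes -Descending | Format-Table -AutoSize
```

Expect some legitimate large values (e.g. application caches) in the second listing; the point is to review the hits alongside the task list rather than treat any single one as an indicator.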