PACT chose to base the investigation partially on the timestamps of VirusTotal submissions of the samples and relationships to the observed web infrastructure.
Timeline analysis did indeed prove valuable: full email messages were identified with intact headers, which allowed PACT analysts to identify a spoofed sender, the likely true sender, the intended recipient, the attachment (the ZIP file containing the malicious logic that functions as a dropper for the RAT), and the Russian-language subject and body of the email.
Taken together, these observations indicate it is likely that this email is a targeted lure used to spearphish the recipient.
The email’s subject was “Free storage expiration notification” and it was designed to appear as if it came from “ponyexpress[.]ru”.
The body of the email, machine translated from the original Russian and included in full later in this report, contained additional lure material that one would likely anticipate after reading the subject.
DarkWatchman is a ‘fileless’ JavaScript RAT paired with a C# keylogger. Both parts of the malware are lightweight, with the JavaScript coming in at just under 32 KB and the compiled keylogger only taking up 8.5 KB total. It contains several advanced and notable features that set it apart from most commodity malware.
DarkWatchman heavily utilizes LOLbins and some novel methods of data transfer between modules to avoid detection. Various parts of DarkWatchman, including configuration strings and the keylogger itself, are stored in the registry to avoid writing to disk.
The initial sample that PACT analyzed appears to be targeting a Russian-speaking person or organization, but the script itself is written with English variable and function names. Based on some of the features, PACT assesses with moderate confidence that this is an initial access tool for use by ransomware groups or affiliates.
PACT acquired the initial DarkWatchman sample from a VirusTotal API upload of an email message. The message was written in Russian and purported to be from PonyExpress, with an attached invoice. The email headers revealed that it was spoofed and sent from rentbikespb[.]ru.
Scans from Shodan and other sources indicate that this domain was updated to point at a server instance hosted at OpenStack running Postfix, and was changed back to the original IP shortly after the email was sent.
The email indicates that the target has a package that is being held for them and will soon exceed the free storage period, and instructs them to see the attached scanned copy of the “consignment note”.
This letter is to inform you that on November 16, 2021, the free storage period for consignment note #12-6317-3621 is about to expire. Since the recipient’s phone number indicated in the shipment is not available, please contact us at +7-495-937-77-77 (multichannel).
Please note that in case the item cannot be delivered and the receiver cannot be reached by November 16, 2021, the item will be returned to the sender. A scanned copy of the consignment note completed by the sender is attached to this letter.
Respectfully, Michael, PONY EXPRESS Account Manager, +7-495-937-77-77 ext. 308.
The email attachment is a zip archive named ‘Накладная №12-6317-3621.zip’ (translated: Invoice #12-6317-3621) which contains an executable with the same name.
The executable’s icon is set to appear to be a basic text document.
This executable is a WinRAR SFX (self-extracting) archive that contains two files: ‘134121811.js’ (the JavaScript RAT) and ‘2204722946’ (the C# source code for the keylogger).
The WinRAR SFX configuration file contains comments in Russian and instructions to drop both files in %TEMP% before executing the .JS file with the name of the WinRAR SFX executable as a command line argument.
Upon initial execution, the Windows Registry is checked to determine if DarkWatchman has already been installed.
The malware stores its configuration in ‘HKCU\Software\Microsoft\Windows\DWM’, using registry keys that consist of a uid generated from the serial number of the C: drive with a single digit or character appended.
Installation is denoted by uid + 0 (e.g. abc1230) – if the malware does not find a ‘1’ flag in this key, it runs its install function.
The install function proceeds to delete the WinRAR SFX executable using the filename passed to it during execution.
It also moves the JS file to ‘Shell.NameSpace(28)’ (‘ssfLOCALAPPDATA’ – ‘AppData\Local’) and creates a scheduled task to use WScript to execute the file at every user logon.
The installation routine then copies the keylogger to the registry, sets the uid + 0 flag to 1 to indicate that installation was completed, and executes the scheduled task it created.
The last step is a popup that informs the user “Unknown Format”, suggesting that the file is unreadable by the system, to explain away the ‘scanned document’ not opening.
When DarkWatchman is run and detects the presence of the “installed” flag, it begins regular operation.
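The registry footprint described in the installation steps above gives a defender something concrete to hunt for. The following Python is an added example, not code from the report or from Prevailion: it walks a `reg export`-style text dump of the DWM key (a constructed sample is embedded) and flags groups of value names that share one prefix and differ only in a trailing character, with uid + ‘0’ holding ‘1’ reported as the completed-install marker. The uid derivation from the C: drive serial is not reproduced; the triage keys on the naming structure instead, so the `abc123` values and the list of legitimate DWM value names are assumptions made for this example.

```python
"""Triage helper for a DarkWatchman-style registry footprint (added example)."""
import re
from collections import defaultdict

DWM_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\DWM"

# Value names Windows itself writes under the DWM key (assumption, non-exhaustive).
LEGIT_DWM_VALUES = {
    "AccentColor", "AccentColorInactive", "ColorizationColor",
    "ColorizationColorBalance", "ColorizationAfterglow",
    "ColorizationAfterglowBalance", "ColorizationBlurBalance",
    "ColorizationGlassAttribute", "ColorizationGlassBalance",
    "ColorizationOpaqueBlend", "ColorPrevalence", "Composition",
    "EnableAeroPeek", "EnableWindowColorization",
}

# Constructed sample dump: a few legitimate DWM values plus a uid + char set.
SAMPLE_REG_EXPORT = r"""
Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\DWM]
"ColorPrevalence"=dword:00000000
"AccentColor"=dword:ff3d3d3d
"Composition"=dword:00000001
"abc1230"="1"
"abc1231"="aHR0cHM6Ly9leGFtcGxlLmludmFsaWQ="
"abc1232"="dXNpbmcgU3lzdGVtOw=="
"abc1233"="42"
"""

_KEY_RE = re.compile(r"^\[(.+)\]$")
_VALUE_RE = re.compile(r'^"([^"]+)"=(.*)$')


def parse_reg_export(text):
    """Return {key_path: {value_name: raw_data}} from a .reg-style text."""
    keys = {}
    current = None
    for line in text.splitlines():
        line = line.strip()
        m = _KEY_RE.match(line)
        if m:
            current = m.group(1)
            keys[current] = {}
            continue
        m = _VALUE_RE.match(line)
        if m and current is not None:
            keys[current][m.group(1)] = m.group(2)
    return keys


def find_uid_groups(values):
    """Group non-standard value names by (name minus last char) and keep the
    prefixes that have two or more siblings, the uid + char pattern above."""
    groups = defaultdict(dict)
    for name, data in values.items():
        if name in LEGIT_DWM_VALUES or len(name) < 2:
            continue
        groups[name[:-1]][name[-1]] = data
    return {uid: members for uid, members in groups.items() if len(members) >= 2}


def triage_dwm_key(reg_text):
    """Return one finding per suspicious uid group found under the DWM key."""
    keys = parse_reg_export(reg_text)
    findings = []
    for uid, members in find_uid_groups(keys.get(DWM_KEY, {})).items():
        findings.append({
            "uid": uid,
            "value_count": len(members),
            # uid + '0' set to "1" is the marker the RAT checks before installing.
            "install_flag_set": members.get("0", "").strip('"') == "1",
            "values": sorted(uid + c for c in members),
        })
    return findings


if __name__ == "__main__":
    for finding in triage_dwm_key(SAMPLE_REG_EXPORT):
        print(finding)
```

Run against a dump taken with `reg export HKCU\Software\Microsoft\Windows\DWM dwm.reg` (converted to UTF-8), it reports the grouped value names and whether the install flag is set, which is enough to decide whether the scheduled-task and %LOCALAPPDATA% checks are worth running on that host.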
DarkWatchman is capable of most basic RAT functionality:
Execute EXE files (with or without the output returned)
Load DLL files
Execute commands on the command line
Execute WSH commands
Execute miscellaneous commands via WMI
Execute PowerShell commands
Evaluate JavaScript
Upload files to the C2 server from the victim machine
Remotely stop and uninstall the RAT and Keylogger
Remotely update the C2 server address or call-home timeout
As well as some notable functionality:
Update the RAT and Keylogger remotely
Set an autostart JavaScript to run on RAT startup
A Domain Generation Algorithm (DGA) for C2 resiliency
If the user has admin permissions, it deletes shadow copies using vssadmin.exe
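The execution chain in the installation section (WScript running the dropped .js from %TEMP% or %LOCALAPPDATA% with the SFX filename as an argument, then a logon task) and the shadow-copy deletion listed above are all visible in process-creation telemetry. The following Python is an added example, not code from the report or from Prevailion: a handful of detection rules run over constructed Sysmon-style events. The field names, the sample events and the `schtasks.exe` form of the task creation are assumptions; the report says a WScript logon task is created but not by which API.

```python
"""Process-creation rules for the DarkWatchman behaviours above (added example)."""
import re

SCRIPT_HOSTS = ("wscript.exe", "cscript.exe")
# Locations the report names for the dropped .js (%TEMP%, then %LOCALAPPDATA%).
USER_WRITABLE_DIRS = ("\\appdata\\local\\temp\\", "\\appdata\\local\\")


def _basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def _argv(cmd):
    """Tokenise a Windows command line, keeping quoted paths with spaces intact."""
    return [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', cmd)]


def rule_script_host_js_user_dir(ev):
    """wscript/cscript executing a .js that lives under %TEMP% or %LOCALAPPDATA%."""
    args = [a.lower() for a in _argv(ev["CommandLine"])[1:]]
    return _basename(ev["Image"]) in SCRIPT_HOSTS and any(
        a.endswith(".js") and any(d in a for d in USER_WRITABLE_DIRS) for a in args)


def rule_js_with_exe_argument(ev):
    """Script host given both a .js and an .exe path: the SFX handoff, where the
    dropper passes its own filename so the RAT can delete it after install."""
    if _basename(ev["Image"]) not in SCRIPT_HOSTS:
        return False
    args = [a.lower() for a in _argv(ev["CommandLine"])[1:]]
    return any(a.endswith(".js") for a in args) and any(a.endswith(".exe") for a in args)


def rule_schtasks_script_host(ev):
    """schtasks.exe creating a task whose action is a script host (assumed form
    of the logon persistence; only catches creation via schtasks.exe)."""
    cmd = ev["CommandLine"].lower()
    return (_basename(ev["Image"]) == "schtasks.exe" and "/create" in cmd
            and any(h in cmd for h in SCRIPT_HOSTS))


def rule_vssadmin_delete_shadows(ev):
    """vssadmin.exe deleting shadow copies, the pre-ransomware step listed above."""
    cmd = ev["CommandLine"].lower()
    return (_basename(ev["Image"]) == "vssadmin.exe"
            and "delete" in cmd and "shadows" in cmd)


RULES = {
    "script_host_js_user_dir": rule_script_host_js_user_dir,
    "js_with_exe_argument": rule_js_with_exe_argument,
    "schtasks_script_host": rule_schtasks_script_host,
    "vssadmin_delete_shadows": rule_vssadmin_delete_shadows,
}


def evaluate(events):
    """Return [(event_index, [fired rule names])] for events matching any rule."""
    hits = []
    for i, ev in enumerate(events):
        fired = [name for name, fn in RULES.items() if fn(ev)]
        if fired:
            hits.append((i, fired))
    return hits


# Constructed sample events (Sysmon EID 1 style fields; not real telemetry).
SAMPLE_EVENTS = [
    {  # SFX stub handing off to the RAT with its own filename as argument
        "Image": "C:\\Windows\\System32\\wscript.exe",
        "CommandLine": '"C:\\Windows\\System32\\wscript.exe" '
                       '"C:\\Users\\victim\\AppData\\Local\\Temp\\134121811.js" '
                       '"C:\\Users\\victim\\Downloads\\Накладная №12-6317-3621.exe"',
        "ParentImage": "C:\\Users\\victim\\Downloads\\Накладная №12-6317-3621.exe",
    },
    {  # logon persistence task (assumed schtasks form)
        "Image": "C:\\Windows\\System32\\schtasks.exe",
        "CommandLine": 'schtasks /Create /SC ONLOGON /TN "DWM" '
                       '/TR "wscript.exe C:\\Users\\victim\\AppData\\Local\\134121811.js"',
        "ParentImage": "C:\\Windows\\System32\\wscript.exe",
    },
    {  # shadow copy deletion
        "Image": "C:\\Windows\\System32\\vssadmin.exe",
        "CommandLine": "vssadmin.exe delete shadows /all /quiet",
        "ParentImage": "C:\\Windows\\System32\\wscript.exe",
    },
    {  # benign: vendor script run from Program Files
        "Image": "C:\\Windows\\System32\\cscript.exe",
        "CommandLine": 'cscript.exe "C:\\Program Files\\Vendor\\inventory.js"',
        "ParentImage": "C:\\Windows\\explorer.exe",
    },
    {  # benign: listing shadow copies
        "Image": "C:\\Windows\\System32\\vssadmin.exe",
        "CommandLine": "vssadmin.exe list shadows",
        "ParentImage": "C:\\Windows\\System32\\cmd.exe",
    },
]

if __name__ == "__main__":
    for idx, fired in evaluate(SAMPLE_EVENTS):
        print(idx, fired)
```

The first two rules fire together on the initial handoff, which is the highest-signal moment in the chain: a script host launched with a user-writable .js and an .exe path on the same command line has few legitimate explanations. The vssadmin rule matches regardless of the switches used, since the report only states that shadow copies are deleted when the user has admin rights.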