DarkWatchman – A new evolution in fileless techniques

PACT chose to base the investigation partially on the timestamps of VirusTotal submissions of the samples and on their relationships to the observed web infrastructure.
Timeline analysis did indeed prove valuable: full email messages were identified with intact headers, which allowed PACT analysts to identify a spoofed sender, what is likely the true sender, the intended recipient, the attachment (the ZIP file containing the malicious logic that functions as a dropper for the RAT), and the Russian-language subject and body of the email.

Taken together, these observations indicate it is likely that this email is a targeted lure used to spearphish the recipient.

The email’s subject was “Free storage expiration notification” and it was designed to appear as if it came from “ponyexpress[.]ru”.
The body of the email, machine translated from the original Russian and included in full later in this report, contained additional lure material of the kind one would anticipate after reading the subject.

DarkWatchman is a ‘fileless’ JavaScript RAT paired with a C# keylogger. Both parts of the malware are lightweight, with the JavaScript coming in at just under 32kb and the compiled keylogger only taking up 8.5kb total. It contains several advanced, and notable, features that set it apart from most commodity malware.
DarkWatchman heavily utilizes LOLbins and some novel methods of data transfer between modules to avoid detection. Various parts of DarkWatchman, including configuration strings and the keylogger itself, are stored in the registry to avoid writing to disk.
The initial sample that PACT analyzed appears to be targeting a Russian-speaking person or organization, but the script itself is written with English variable and function names. Based on some of the features, PACT assesses with moderate confidence that this is an initial access tool for use by ransomware groups or affiliates.

PACT acquired the initial DarkWatchman sample from a VirusTotal API upload of an email message. The message was written in Russian and purported to be from PonyExpress, with an attached invoice. The email headers revealed that it was spoofed and actually sent from rentbikespb[.]ru.
Scans from Shodan and other sources indicate that this domain was updated to point at a server instance hosted at OpenStack running Postfix and changed back to the original IP shortly after the email was sent.

The email indicates that the target has a package that is being held for them and will soon exceed the free storage period, and instructs them to see the attached scanned copy of the “consignment note”:
This letter is to inform you that on November 16, 2021, the free storage period for consignment note #12-6317-3621 is about to expire. Since the recipient’s phone number indicated in the shipment is not available, please contact us at +7-495-937-77-77 (multichannel).
Please note that in case the item cannot be delivered and the receiver can not be reached by November 16, 2021 the item will be returned to the sender. A scanned copy of the consignment note completed by the sender is attached to this letter.
Respectfully, Michael, PONY EXPRESS Account Manager, +7-495-937-77-77 ext. 308.

The email attachment is a zip archive named ‘Накладная №12-6317-3621.zip’ (translated: Invoice #12-6317-3621) which contains an executable with the same name.
The executable’s icon is set to appear to be a basic text document.
This executable is a WinRAR SFX (self-extracting) archive that contains two files: ‘134121811.js’ (the JavaScript RAT) and ‘2204722946’ (the C# source code for the keylogger).
The WinRAR SFX configuration file contains comments in Russian and instructions to drop both files in %TEMP% before executing the .JS file, passing the name of the WinRAR SFX executable as a command line argument.
Upon initial execution, the Windows Registry is checked to determine if DarkWatchman has already been installed.
The malware stores its configuration in ‘HKCU\Software\Microsoft\Windows\DWM’, using registry values whose names consist of a uid generated from the serial number of the C: drive with a single digit or character appended.
Installation is denoted by uid + 0 (e.g. abc1230): if the malware does not find a ‘1’ flag in this value, it runs its install function.
The install function proceeds to delete the WinRAR SFX executable using the filename passed to it during execution.
It also moves the JS file to ‘Shell.NameSpace(28)’ (‘ssfLOCALAPPDATA’, i.e. ‘AppData\Local’) and creates a scheduled task that uses WScript to execute the file at every user log on.
The installation routine then copies the keylogger to the registry, sets the uid + 0 flag to 1 to indicate that installation was completed, and executes the scheduled task it created.
The last step is a popup that informs the user “Unknown Format”, giving the indication that the file is unreadable by the system to deflect from the ‘scanned document’ not opening.
When DarkWatchman is run and detects the presence of the “installed” flag, it begins regular operation.
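As an added defender-side example (not code from the report or from PACT), the following PowerShell triage script checks a host for the installation artifacts just described: the registry-resident configuration and keylogger, the WScript logon task, and the .js file in the local AppData folder. It assumes the registry path, the serial-derived value naming and the %LOCALAPPDATA% location as stated above; the 1 KB size threshold and the WScript/path matching heuristics are my own assumptions.

```powershell
# Added host-triage example (not Prevailion/PACT code). It looks for the
# DarkWatchman persistence artifacts described in the report: values under
# HKCU\Software\Microsoft\Windows\DWM named from the C: volume serial plus one
# character (or carrying a large blob such as the keylogger), a scheduled task
# that runs WScript against a script in %LOCALAPPDATA%, and .js files dropped there.
# The size threshold and regexes are assumptions, not values from the report.
$ErrorActionPreference = 'SilentlyContinue'
$findings = New-Object System.Collections.Generic.List[object]

function Add-Finding([string]$Type, [string]$Where, [string]$Detail) {
    $findings.Add([pscustomobject]@{ Type = $Type; Where = $Where; Detail = $Detail })
}

# 1. Registry-resident config flags and keylogger.
$serial = (Get-CimInstance Win32_LogicalDisk -Filter "DeviceID='C:'").VolumeSerialNumber
$key = 'HKCU:\Software\Microsoft\Windows\DWM'
if (Test-Path $key) {
    $item = Get-Item $key
    foreach ($name in $item.GetValueNames()) {
        $data = $item.GetValue($name)
        $len = if ($data -is [byte[]]) { $data.Length } else { "$data".Length }
        # Heuristic: value name is the raw volume serial plus exactly one character.
        $serialDerived = $serial -and ($name -imatch "^$([regex]::Escape($serial)).$")
        if ($serialDerived -or $len -gt 1024) {
            Add-Finding 'Registry' "$key\$name" "length=$len serialDerived=$serialDerived"
        }
    }
}

# 2. Scheduled task that launches WScript on a script under %LOCALAPPDATA%.
$local = [regex]::Escape($env:LOCALAPPDATA)
foreach ($task in Get-ScheduledTask) {
    foreach ($action in $task.Actions) {
        $cmd = "$($action.Execute) $($action.Arguments)"
        if ($cmd -imatch 'wscript' -and $cmd -imatch $local) {
            Add-Finding 'ScheduledTask' "$($task.TaskPath)$($task.TaskName)" $cmd
        }
    }
}

# 3. JavaScript dropped directly into %LOCALAPPDATA% (Shell.NameSpace(28)).
foreach ($js in Get-ChildItem -Path $env:LOCALAPPDATA -Filter '*.js' -File) {
    Add-Finding 'File' $js.FullName "size=$($js.Length) modified=$($js.LastWriteTime)"
}

if ($findings.Count -eq 0) { 'No DarkWatchman-style artifacts found.' }
else { $findings | Format-Table -AutoSize }
```

Run it in the context of the user whose HKCU hive is being examined; a hit on the registry check alone should be confirmed by inspecting the value data, since the DWM key also holds legitimate desktop colour settings.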

DarkWatchman is capable of most basic RAT functionality:

Execute EXE files (with or without the output returned)
Load DLL files
Execute commands on the command line
Execute WSH commands
Execute miscellaneous commands via WMI
Execute PowerShell commands
Evaluate JavaScript
Upload files to the C2 server from the victim machine
Remotely stop and uninstall the RAT and Keylogger
Remotely update the C2 server address or call-home timeout

As well as some notable functionality:

Update the RAT and Keylogger remotely
Set an autostart JavaScript to run on RAT startup
A Domain Generation Algorithm (DGA) for C2 resiliency
If the user has admin permissions, it deletes shadow copies using vssadmin.exe
