DarkWatchman – A new evolution in fileless techniques

PACT chose to base the investigation partially on the timestamps of VirusTotal submissions of the samples and relationships to the observed web infrastructure.
Timeline analysis did indeed prove to be valuable, as full email messages were identified that included intact headers that allowed PACT analysts to identify a spoofed sender, what is likely the true sender, the intended recipient, the attachment that was identified as the ZIP file containing the malicious logic that functions as a dropper for the RAT, and Russian-language subject and body of the email.

Taken together, these observations indicate it is likely that this email is a targeted lure used to spearphish the recipient.

The email’s subject was “Free storage expiration notification” and was designed to appear as if it came from “ponyexpress[.]ru”
The body of the email, machine translated from the original Russian and included in full later in this report, contained additional lure material that one would likely anticipate after reading the subject.

DarkWatchman is a ‘fileless’ JavaScript RAT paired with a C# keylogger. Both parts of the malware are lightweight, with the JavaScript coming in at just under 32kb and the compiled keylogger only taking up 8.5kb total. It contains several advanced, and notable, features that set it apart from most commodity malware.
DarkWatchman heavily utilizes LOLbins and some novel methods of data transfer between modules to avoid detection. Various parts of DarkWatchman, including configuration strings and the keylogger itself, are stored in the registry to avoid writing to disk.
The initial sample that PACT analyzed appears to be targeting a Russian-speaking person or organization, but the script itself is written with English variable and function names. Based on some of the features, PACT assesses with moderate confidence that this is an initial access tool for use by ransomware groups or affiliates.

PACT acquired the initial DarkWatchman sample from a Virustotal API upload of an email message. The message was written in Russian and purported to be PonyExpress with an attached invoice. The email headers revealed that it was spoofed and sent from rentbikespb[.]ru.
Scans from Shodan and other sources indicate that this domain was updated to point at a server instance hosted at OpenStack running Postfix and changed back to the original IP shortly after the email was sent.

The email indicates that the target has a package that is being held for them and will exceed the free storage period soon, and instructs them to see the attached scanned copy of the “consignment note”
This letter is to inform you that on November 16, 2021, the free storage period for consignment note #12-6317-3621 is about to expire. Since the recipient’s phone number indicated in the shipment is not available, please contact us at +7-495-937-77-77 (multichannel).
Please note that in case the item cannot be delivered and the receiver can not be reached by November 16, 2021 the item will be returned to the sender. A scanned copy of the consignment note completed by the sender is attached to this letter.
Respectfully, Michael, PONY EXPRESS Account Manager, +7-495-937-77-77 ext. 308.

The email attachment is a zip archive named ‘Накладная №12-6317-3621.zip’ (translated: Invoice #12-6317-3621) which contains an executable with the same name.
The executable’s icon is set to appear to be a basic text document.
This executable is a WinRAR SFX self installing archive that contains two files: ‘134121811.js’ (the JavaScript RAT) and ‘2204722946’ (the C# source code for the keylogger).
The WinRAR SFX configuration file contains comments in Russian and instructions to drop both files in %TEMP% before executing the .JS file with the name of the WinRAR SFX executable as a command line argument.
Upon initial execution, the Windows Registry is checked to determine if DarkWatchman has already been installed.
The malware stores its configuration in ‘\HKCUSoftwareMicrosoftWindowsDWM’, using registry keys that consist of a uid generated from the serial number of the C: drive and appended with a single digit or character.
Installation is denoted by uid + 0 (eg: abc1230) – if the malware does not find a ‘1’ flag in this key, it runs its install function.
The install function proceeds to delete the WinRAR SFX executable using the filename passed to it during execution.
It also moves the JS file to ‘Shell.NameSpace(28)’ (‘ssfLOCALAPPDATA’ – ‘AppDataLocal’) and creates a scheduled task to use WScript to execute the file at every user log on.
The installation routine then copies the keylogger to the registry, sets the uid + 0 flag to 1 to indicate that installation was completed, and executes the scheduled task it created.
The last step is a popup that informs the user “Unknown Format”, giving the indication that the file is unreadable by the system to deflect from the ‘scanned document’ not opening.
When DarkWatchman is run and detects the presence of the “installed” flag, it begins regular operation.

DarkWatchman is capable of most basic RAT functionality:

Execute EXE files (with or without the output returned)
Load DLL files
Execute commands on the command line
Execute WSH commands
Execute miscellaneous commands via WMI
Execute PowerShell commands
Evaluate JavaScript
Upload files to the C2 server from the victim machine
Remotely stop and uninstall the RAT and Keylogger
Remotely update the C2 server address or call-home timeout

As well as some notable functionality:

Update the RAT and Keylogger remotely
Set an autostart JavaScript to run on RAT startup
A Domain Generation Algorithm (DGA) for C2 resiliency
If the user has admin permissions, it deletes shadow copies using vssadmin.exe

Sign Up For Threat Alerts

Loading...
Threats Icon

Dec 06, 2022

DuckLogs MaaS (Malware-as-a-Service) Provides Sophisticated Features

DuckLogs is MaaS (Malware-as-a-Service) advertised on cybercrime forums with a range of features including remote...

Threats Icon

Dec 05, 2022

WannaRen Returns As Life Ransomware

WannaRen ransomware appeared on the threat landscape in 2020 and reemerged in 2022 as Life...

Threats Icon

Dec 04, 2022

Alert (AA22-335A) Cuba Ransomware

The Federal Bureau of Investigation (FBI) and the Cybersecurity and Infrastructure Security Agency (CISA) are...

Threats Icon

Dec 01, 2022

UNC4191 Threat Group Targets Entities In The...

The UNC4191 threat group was discovered targeting entities in the Philippines with custom malware and...

Threats Icon

Nov 30, 2022

Emotet Leads To Quantum Ransomware Infection

Threat actors were observed using Emotet to gain access to the victim's network and deploy...

Threats Icon

Nov 29, 2022

RansomExx Upgrades to Rust

IBM Security X-Force Threat Researchers have discovered a new variant of the RansomExx ransomware that...

Threats Icon

Nov 29, 2022

Ransomware Roundup: Cryptonite Ransomware

FortiGuard Labs has reported on Cryptonite ransomware, which was found to target Microsoft Windows machines...

Threats Icon

Nov 28, 2022

Operation Typhoon: The Cyber Sea Lotus Coveting...

Cyber espionage actors, now designated by FireEye as APT32 (OceanLotus Group), are carrying out intrusions...

Threats Icon

Nov 27, 2022

IL-Cert Alert – Active phishing campaign in...

There is a new phishing campaign in Israel. The malware relies upon user execution. The...

Threats Icon

Nov 27, 2022

Emotets Vacation Is Over: No Rest For...

Emotet started as a banking Trojan in spreading via spam campaigns by imitating financial statements,...

Threats Icon

Nov 24, 2022

Aurora: A Rising Stealer Flying Under The...

Aurora is a multipurpose botnet with data collection, information stealer, downloading, and remote access Trojan...

Threats Icon

Nov 23, 2022

Analysis Of The ViperSoftX And VenomSoftX Information...

Torrents and software-sharing sites are being used to target victims across the globe with variants...

Threats Icon

Nov 22, 2022

Wipermania

Wipers have existed for years, and while they haven't been utilized as much as ransomware,...

Threats Icon

Nov 21, 2022

LockBit 3.0 Ransomware Unlocked

Also known as LockBit Black, this ransomware family announced itself stating that it would now...

Threats Icon

Nov 21, 2022

Control Panel Executable Abused For QakBot Infection

QakBot campaign modifies deployment tactics and aims to exploit a DLL hijacking technique that abuses...