Fileless malware evolution: DarkWatchman RAT detection-evading techniques

The new malware uses Windows Registry to avoid security detections

Remote access trojan's Windows Registry manipulations show the evolution of fileless malware

The new fileless malware manipulates system settings and uses other techniques to evade detection once it is on the system, so that it can launch the malicious functions it needs. These features make the RAT, named DarkWatchman, easy for ransomware creators to adopt.[1] A remote access feature is attractive for the money-driven criminals behind ransomware threats. This particular trojan is known to be distributed through Russian-language spear-phishing campaigns.[2]

The Windows Registry manipulation lets the malware run without being flagged as an infection, and it shows how advanced these fileless malware variants have become. The JavaScript-based remote access trojan uses social engineering[3] to spread and sneaks onto machines while eluding discovery and further analysis.

DarkWatchman also uses a resilient domain generation algorithm to identify its command and control infrastructure, and it abuses the Windows Registry for storage operations. The persistent threat has other dynamic run-time capabilities and updates itself from time to time, so it keeps getting more advanced even after it is deployed on a machine.[4]

Operating beneath and above the detection threshold

The malware was discovered by the Prevailion Adversarial Counterintelligence Team of researchers.[5] The team reported that this particular RAT manages to stay undetected by most anti-malware and system security tools. The statement from Matt Stafford and Sherman Smith reads:

As it uses the registry for nearly all temporary and permanent storage and therefore never writes anything to disk, allowing it to operate beneath or around the detection threshold of most security tools.
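The registry-as-storage behaviour described above is something defenders can hunt for in registry exports. The following is an added example, not code from the original article or from the Prevailion report: it parses a constructed `.reg` export (all key paths, value names and contents are made up for this example) and flags autorun entries that launch a script host, and binary values that decode to script-like text.

```python
import re

# Constructed sample of a Windows Registry export (.reg). Every key, value
# name and payload here is invented for the example; none of it is
# DarkWatchman's real configuration.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="\"C:\\Users\\user\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe\" /background"
"Updater"="wscript.exe //E:jscript \"C:\\Users\\user\\AppData\\Roaming\\u.txt\""

[HKEY_CURRENT_USER\Software\ExampleVendor\Cache]
"Blob"=hex:66,75,6e,63,74,69,6f,6e,20,72,75,6e,28,29,7b,76,61,72,20,73,3d,\
  6e,65,77,20,41,63,74,69,76,65,58,4f,62,6a,65,63,74,28,22,57,53,63,72,\
  69,70,74,2e,53,68,65,6c,6c,22,29,3b,7d
'''

SCRIPT_HOSTS = re.compile(r'\b(wscript|cscript|mshta|powershell|rundll32)\b', re.I)
SCRIPT_MARKERS = re.compile(r'ActiveXObject|WScript\.Shell|\bfunction\b|\beval\(')

def parse_reg(text):
    """Yield (key, name, value) from a .reg export; hex values become bytes."""
    key, pending = None, ''
    for raw in text.splitlines():
        line = pending + raw.strip()
        pending = ''
        if line.endswith('\\'):          # value continues on the next line
            pending = line[:-1]
            continue
        if line.startswith('[') and line.endswith(']'):
            key = line[1:-1]
        elif line.startswith('"') and key:
            name, _, data = line[1:].partition('"=')
            if data.startswith('hex'):
                value = bytes.fromhex(data.split(':', 1)[1].replace(',', ''))
            elif data.startswith('"') and data.endswith('"'):
                value = data[1:-1].replace('\\"', '"').replace('\\\\', '\\')
            else:
                value = data                 # dword and other typed values
            yield key, name, value

def suspicious_values(text, max_blob=4096):
    """Return (key, name, reason) for values that warrant analyst attention."""
    findings = []
    for key, name, value in parse_reg(text):
        if isinstance(value, bytes):
            decoded = value.decode('ascii', errors='ignore')
            if SCRIPT_MARKERS.search(decoded):
                findings.append((key, name, 'script-like text stored as binary'))
            elif len(value) > max_blob:      # threshold is an assumption
                findings.append((key, name, 'large binary blob'))
        elif key.upper().endswith(('\\RUN', '\\RUNONCE')) and SCRIPT_HOSTS.search(value):
            findings.append((key, name, 'autorun launches a script host'))
    return findings
```

Running `suspicious_values(SAMPLE_REG)` flags the `Updater` autorun and the `Blob` value, while the legitimate-looking `OneDrive` entry passes.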

This malware shows that the techniques of malicious programs are evolving and that threat actors can use their products in various ways and attacks. The RAT reportedly began operating in November and abused various known TLS certificates. The link to Russia was discovered when campaigns carrying this trojan's payload were found using Russian-language emails. Traditional luring techniques were used in the spear-phishing campaign, and some of the known targets include Russian companies.

Potential use of the RAT in ransomware deployment

Researchers state that this remote access trojan could easily become a tool for ransomware operations, because it can open backdoors and ensure the persistence of any related malware on the affected machines. DarkWatchman could serve as a primary access vector that ransomware creators use instead of the affiliates who normally help spread the file-lockers and wipers.

Typically, ransomware creators need other hackers who are responsible for ensuring persistence and wide distribution of their programs. Dropping the malicious files and handling the exfiltration of data can be major parts of the whole attack. Fileless malware with such detection-evading techniques could help ransomware developers make more money and affect more targeted devices.

DarkWatchman has not yet been linked to any hacker group, but the analysis shows that the threat actors behind this infection are capable of launching seriously disruptive attacks. This RAT is exclusively targeting victims in Russia, and some particular typos and misspellings suggest that the hackers are less likely to be native English speakers. This seems to be only the start and the first discovery of RAT attacks with this kind of persistence, so many threat actors will probably adopt this method, which means fileless malware is set to get more dangerous.

About the author
Jake Doevan - Computer technology expert

Jake Doevan is one of the News Editors for He graduated from Washington and Jefferson College, Communication and Journalism studies.
