DarkWatchman Remote Access Trojan: Technical Details
DarkWatchman is currently being spread in a malicious email campaign. It relies on fileless techniques: both its temporary data and its persistent payload are kept in the Windows registry rather than in files on disk, which sidesteps the file-based scanning that much security software depends on and makes detection considerably harder. The researchers at Prevailion's Adversarial Counterintelligence Team (PACT) reverse-engineered the domain generation algorithm (DGA) the malware uses, performed dynamic analysis, and investigated its web-based infrastructure.
One of the emails the team analyzed contained the following subject line – “Free storage expiration notification” – and was designed to appear as if it came from “ponyexpress[.]ru”. The body of the email was written in Russian.
“Notably, it referenced the (malicious) attachment, an expiration of free storage, and claimed to be from Pony Express (thus further reinforcing the spoofed sender address).
However, an analysis of the email headers indicates that the message originated from the “rentbikespb[.]ru” domain, as evidenced by the following header: “Received: from rentbikespb[.]ru (smtp.rentbikespb[.]ru [45[.]156.27.245])”; meaning that the sender is likely spoofed,” PACT’s report said.
Based on a detailed analysis, the researchers created a timeline of the attack, which seems to have originated on November 12:
Taken together, the VirusTotal submissions of the samples, the samples themselves, the ZIP containing the samples (observed as a dissemination mechanism via email attachment), as well as the RAR container (seen later in this report under the Analysis section) form a timeline beginning on 12 November.
DarkWatchman RAT Comes with a Keylogger
It appears that the DarkWatchman remote access trojan campaign is a spear-phishing operation aimed at a target with “numerous subdomains that may indicate it is an enterprise-sized organization”.
Furthermore, the RAT is paired with a C# keylogger. Both the RAT and the keylogger are lightweight, yet they contain a number of advanced features that set them apart from common malware. To evade detection, DarkWatchman relies on novel methods of transferring data between its modules and on living-off-the-land binaries (LOLBins). Its initial target appears to be a Russian-speaking person or organization, although the script itself is written with English variable and function names.
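The two traits described above, payload storage in the registry and execution through LOLBins, are what a defender can hunt for on an endpoint. The following PowerShell script is an added example written for this page; it is not code from PACT's report and contains no DarkWatchman indicators. It enumerates the standard autostart keys and flags values that launch a LOLBin, that read script back out of the registry, or that carry encoded PowerShell, then does a second pass over the user hive for unusually large string or binary values where a fileless payload could be parked. The key list, the regex patterns, and the 4 KB size threshold are the author's assumptions, not facts from the page.

```powershell
# Added hunting example (not from the PACT report). Flags registry values that
# look like fileless-malware storage or LOLBin-based persistence:
#   1. autostart values that launch a LOLBin (wscript, mshta, powershell, ...)
#   2. unusually large string/binary values under HKCU\Software (stored payloads)
# Key list, patterns and thresholds below are assumptions, not page IOCs.

$AutostartKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run'
)

# LOLBins commonly abused to execute script that is stored in the registry
$LolBinPattern  = '\b(wscript|cscript|mshta|powershell|pwsh|rundll32|regsvr32|certutil|cmd)(\.exe)?\b'
# Expressions a loader uses to fetch script text back out of a registry value
$RegReadPattern = '(\.RegRead\(|Get-ItemProperty|WScript\.Shell|\breg(\.exe)?\s+query\b|HKCU:|HKEY_CURRENT_USER)'
# Assumption: legitimate autostart command lines are far smaller than 4 KB
$LargeValueBytes = 4096

function Test-SuspiciousAutostart {
    param([string]$Data)
    $reasons = @()
    if ($Data -match $LolBinPattern)  { $reasons += 'launches LOLBin' }
    if ($Data -match $RegReadPattern) { $reasons += 'reads script from registry' }
    if ($Data -match '-e(c|nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{40,}') { $reasons += 'encoded PowerShell' }
    if ([Text.Encoding]::UTF8.GetByteCount($Data) -gt $LargeValueBytes) { $reasons += 'oversized value' }
    return $reasons
}

function Find-RegistryResidentScripts {
    foreach ($key in $AutostartKeys) {
        if (-not (Test-Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        foreach ($p in $props.PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }   # skip PSPath, PSParentPath, ...
            $data    = [string]$p.Value
            $reasons = @(Test-SuspiciousAutostart -Data $data)
            if ($reasons.Count -gt 0) {
                [pscustomobject]@{
                    Key     = $key
                    Value   = $p.Name
                    Reasons = ($reasons -join '; ')
                    Preview = $data.Substring(0, [Math]::Min(120, $data.Length))
                }
            }
        }
    }
}

# Second pass: large string/binary values under the user hive, where a
# fileless loader can stash its payload without touching disk.
function Find-LargeUserHiveValues {
    param([int]$MinBytes = $LargeValueBytes, [int]$Depth = 3)
    Get-ChildItem -Path 'HKCU:\Software' -Recurse -Depth $Depth -ErrorAction SilentlyContinue |
      ForEach-Object {
        $k = $_
        foreach ($name in $k.GetValueNames()) {
            $kind = $k.GetValueKind($name)
            $v    = $k.GetValue($name)
            $size = switch ($kind) {
                'String'       { [Text.Encoding]::UTF8.GetByteCount([string]$v) }
                'ExpandString' { [Text.Encoding]::UTF8.GetByteCount([string]$v) }
                'MultiString'  { [Text.Encoding]::UTF8.GetByteCount(([string[]]$v -join "`n")) }
                'Binary'       { ([byte[]]$v).Length }
                default        { 0 }
            }
            if ($size -ge $MinBytes) {
                [pscustomobject]@{ Key = $k.Name; Value = $name; Kind = $kind; Bytes = $size }
            }
        }
      }
}

Find-RegistryResidentScripts | Format-Table -AutoSize
Find-LargeUserHiveValues | Sort-Object Bytes -Descending | Select-Object -First 20 | Format-Table -AutoSize
```

Run it in an elevated PowerShell session so the HKLM keys are readable. Expect some noise from the second pass (installers and browsers legitimately keep large blobs under HKCU\Software), so treat a hit as a starting point for triage, and pay most attention to a large value that is also referenced by an autostart entry flagged in the first pass.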
Taken together, these traits suggest that DarkWatchman is most likely an initial access tool serving ransomware groups or their affiliates.
More about Initial Network Access
A 2020 report revealed more about the price of initial network access that cybercriminals need to target organizations.
Initial network access is what gets malicious hackers inside an organization’s network. The threat actors who sell it (known as “initial access brokers”) bridge opportunistic campaigns and targeted attackers, most often ransomware operators. KELA researchers indexed 108 network access listings shared on popular hacking forums in the month covered by the report; the asking prices added up to more than $500,000.