New Fileless Malware - Evades detection by using Windows Registry as Storage 

The new fileless malware, a JavaScript-based remote access Trojan (RAT), uses the Windows Registry as its storage to evade detection and analysis.

According to the researchers at Prevailion’s Adversarial Counterintelligence Team (PACT), the malware, dubbed DarkWatchman, uses a resilient domain generation algorithm (DGA) to identify its command-and-control (C2) infrastructure. It uses the Windows Registry for all of its storage operations, which lets it bypass antimalware engines.

Researchers Matt Stafford and Sherman Smith said the RAT “utilizes novel methods for fileless persistence, on-system activity, and dynamic run-time capabilities like self-updating and recompilation. It represents an evolution in fileless malware techniques, as it uses the registry for nearly all temporary and permanent storage and therefore never writes anything to disk, allowing it to operate beneath or around the detection threshold of most security tools.”

The researchers further added, “The storage of the binary in the registry as encoded text means that DarkWatchman is persistent yet its executable is never (permanently) written to disk; it also means that DarkWatchman’s operators can update (or replace) the malware every time it’s executed.”

Once DarkWatchman is installed, the attackers can execute arbitrary binaries, load DLL files, run JavaScript code and PowerShell commands, upload files to a remote server, update the RAT, and even uninstall the RAT and keylogger from the compromised machine. The malware establishes persistence through its JavaScript routine by creating a scheduled task that runs it at every user logon.

The researchers explained, “The keylogger itself does not communicate with the C2 or write to disk. Instead, it writes its keylog to a registry key that it uses as a buffer. During its operation, the RAT scrapes and clears this buffer before transmitting the logged keystrokes to the C2 server.”

Though DarkWatchman has not yet been attributed to any hacking group, Prevailion described its operators as a “capable threat actor.” The researchers also pointed out that the malware exclusively targets victims located in Russia, and that the typographical errors and misspellings identified in the source code samples raise the possibility that the operators are not native English speakers.

The researchers concluded by saying, “It would appear that the authors of DarkWatchman identified and took advantage of the complexity and opacity of the Windows Registry to work underneath or around the detection threshold of security tools and analysts alike. Registry changes are commonplace, and it can be difficult to identify which changes are anomalous or outside the scope of normal OS and software functions.”
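The quoted observation above, that registry changes are commonplace and hard to separate from anomalous ones, is exactly the triage problem a defender faces when the registry is used as storage for encoded executables and keylog buffers. The following Python script is an added example written for this article; it is not from the Prevailion report or from the DarkWatchman samples. It parses text exported by `reg export` (already decoded from UTF-16) and flags string values that are long, shaped like base64 or hex text, and close to the maximum entropy for that character set, which is how an executable stored "as encoded text" tends to look next to ordinary configuration strings. All key paths, value names and the sample export are constructed for the demonstration and are not indicators from the report.

```python
import base64
import hashlib
import math
import re
from collections import Counter
from dataclasses import dataclass
from typing import List

# Constructed sample of a "reg export" file, already decoded from UTF-16 to str.
# Key paths and value names are hypothetical, not indicators from the report.
# "Blob" stands in for an executable stored as encoded text: 768 deterministic
# pseudo-random bytes (chained SHA-256 digests), base64-encoded to 1024 chars.
_ENCODED_PAYLOAD = base64.b64encode(
    b"".join(hashlib.sha256(bytes([i])).digest() for i in range(24))
).decode("ascii")

SAMPLE_REG_EXPORT = "\r\n".join([
    "Windows Registry Editor Version 5.00",
    "",
    r"[HKEY_CURRENT_USER\Software\ExampleApp]",
    r'"InstallPath"="C:\\Program Files\\ExampleApp"',
    r'"Version"="1.2.3"',
    r'"Enabled"=dword:00000001',
    "",
    r"[HKEY_CURRENT_USER\Software\ExampleApp\Cache]",
    '"Blob"="' + _ENCODED_PAYLOAD + '"',
    r'"Buffer"="hello world"',
    "",
])

_KEY_RE = re.compile(r"^\[(.+)\]$")
_VALUE_RE = re.compile(r'^(?:"((?:[^"\\]|\\.)*)"|@)=(.*)$')
_BASE64_RE = re.compile(r"^[A-Za-z0-9+/]+={0,2}$")
_HEX_RE = re.compile(r"^[0-9A-Fa-f]+$")


@dataclass
class RegValue:
    key: str
    name: str
    data: str


@dataclass
class Finding:
    key: str
    name: str
    length: int
    entropy: float
    encoding: str


def shannon_entropy(text: str) -> float:
    """Bits per character: 0.0 for a constant string, at most 6.0 for base64."""
    if not text:
        return 0.0
    counts = Counter(text)
    total = len(text)
    return -sum((c / total) * math.log2(c / total) for c in counts.values())


def parse_reg_export(text: str) -> List[RegValue]:
    """Extract REG_SZ values from .reg text; dword and hex(...) values are skipped."""
    values: List[RegValue] = []
    current_key = ""
    for line in text.splitlines():
        key_match = _KEY_RE.match(line)
        if key_match:
            current_key = key_match.group(1)
            continue
        value_match = _VALUE_RE.match(line)
        if not value_match:
            continue
        data = value_match.group(2)
        if len(data) < 2 or not (data.startswith('"') and data.endswith('"')):
            continue  # only string data can hold "encoded text" storage
        # .reg escapes backslash and double quote with a backslash; undo that
        unescaped = re.sub(r"\\(.)", r"\1", data[1:-1])
        name = value_match.group(1) if value_match.group(1) is not None else "(Default)"
        values.append(RegValue(current_key, name, unescaped))
    return values


def find_suspicious_values(values: List[RegValue], min_length: int = 256,
                           min_ratio: float = 0.85) -> List[Finding]:
    """Flag long string values that are base64- or hex-shaped and near-maximal entropy.

    min_ratio is entropy divided by the maximum for the alphabet (6 bits for
    base64, 4 bits for hex), so one threshold serves both encodings.
    """
    findings: List[Finding] = []
    for v in values:
        if len(v.data) < min_length:
            continue
        if _BASE64_RE.match(v.data):
            encoding, max_bits = "base64", 6.0
        elif _HEX_RE.match(v.data):
            encoding, max_bits = "hex", 4.0
        else:
            continue
        ent = shannon_entropy(v.data)
        if ent / max_bits >= min_ratio:
            findings.append(Finding(v.key, v.name, len(v.data), round(ent, 2), encoding))
    return findings


if __name__ == "__main__":
    for f in find_suspicious_values(parse_reg_export(SAMPLE_REG_EXPORT)):
        print(f"{f.key}\\{f.name}: {f.length} chars, {f.encoding}, entropy {f.entropy}")
```

On a real host the input would come from `reg export HKCU hkcu.reg` (the file is UTF-16LE, so open it with `encoding="utf-16"` before passing the text in). The heuristic is deliberately narrow: it does not catch a short keylog buffer such as the one the researchers describe, which looks like ordinary text, so pair it with monitoring of frequent writes to a single value and of scheduled tasks created at user logon.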
