
New Fileless Malware Uses Windows Registry as Storage to Evade Detection
2021-12-16 04:28

Dubbed DarkWatchman by researchers from Prevailion's Adversarial Counterintelligence Team, the malware uses a resilient domain generation algorithm (DGA) to locate its command-and-control (C2) infrastructure and keeps all of its storage in the Windows Registry, which lets it evade antimalware engines that key on files written to disk.

The RAT "utilizes novel methods for fileless persistence, on-system activity, and dynamic run-time capabilities like self-updating and recompilation," researchers Matt Stafford and Sherman Smith said, adding it "represents an evolution in fileless malware techniques, as it uses the registry for nearly all temporary and permanent storage and therefore never writes anything to disk, allowing it to operate beneath or around the detection threshold of most security tools."

Distributed via spear-phishing emails that masquerade as a "Free storage expiration notification" for a consignment handled by the Russian shipping company Pony Express, DarkWatchman gives its operators a stealthy foothold for further malicious activity.

DarkWatchman consists of two components: a fileless JavaScript RAT and a C#-based keylogger, the latter stored in the registry rather than on disk to avoid detection.

The JavaScript RAT is only about 32 KB, and the keylogger just 8.5 KB. "The storage of the binary in the registry as encoded text means that DarkWatchman is persistent yet its executable is never written to disk; it also means that DarkWatchman's operators can update the malware every time it's executed," the researchers said.

"It would appear that the authors of DarkWatchman identified and took advantage of the complexity and opacity of the Windows Registry to work underneath or around the detection threshold of security tools and analysts alike," the researchers concluded.
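One way to hunt for the storage pattern described above, as an added example that is not code from the article or from Prevailion: a Python script that parses a registry export (the text format that regedit and `reg export` write) and reports values large enough to hold a script or executable whose data is base64 text, a PE image, or script source. Python is used here because this is offline triage of exported hives rather than a command typed on the live host. The sample export, the 4 KB size floor and the list of script markers are all constructed assumptions for the demo; the two payload sizes the floor is chosen around (8.5 KB and 32 KB) are the ones quoted in the article.

```python
# Added example, not DarkWatchman's code or Prevailion's tooling: hunt a .reg
# export (what regedit / `reg export` write) for values big enough to hold a
# script or executable whose data is base64 text, a PE image or script source.
import base64
import re
from dataclasses import dataclass

# Assumed floor for a payload worth reporting. DarkWatchman's keylogger is
# about 8.5 KB and its JavaScript about 32 KB.
MIN_PAYLOAD_BYTES = 4096
# Assumed substrings that betray JavaScript, C# or PowerShell source.
SCRIPT_MARKERS = (b"ActiveXObject", b"WScript", b"eval(", b"function ",
                  b"using System", b"static void Main", b"New-Object")
_B64_RE = re.compile(r"^[A-Za-z0-9+/=\r\n]+$")
_VALUE_RE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")=(.*)$')


@dataclass
class Finding:
    key: str
    name: str
    size: int       # decoded payload size in bytes
    reason: str


def _unescape(s):
    # .reg escaping: \\ -> \ and \" -> " (one pass, so \\" is handled correctly)
    return re.sub(r"\\(.)", r"\1", s)


def parse_reg_export(text):
    """Yield (key, value_name, kind, data): kind "sz" with str data for quoted
    strings, "hex" with bytes for hex:/hex(N): values (which regedit wraps over
    lines ending in '\\'). dword: and other types are skipped."""
    lines, key, i = text.splitlines(), None, 0
    while i < len(lines):
        line = lines[i].strip()
        i += 1
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            continue
        m = _VALUE_RE.match(line)
        if not m or key is None:            # header, comment or blank line
            continue
        name = "(Default)" if m.group(1) == "@" else _unescape(m.group(1)[1:-1])
        data = m.group(2)
        if data.startswith('"') and data.endswith('"'):
            yield key, name, "sz", _unescape(data[1:-1])
        elif data.startswith("hex"):
            while data.endswith("\\") and i < len(lines):   # join continuation lines
                data = data[:-1] + lines[i].strip()
                i += 1
            body = data.split(":", 1)[1]
            yield key, name, "hex", bytes(int(b, 16) for b in body.split(",") if b)


def inspect_value(key, name, kind, data):
    """Return a Finding if the value looks like stored code, else None."""
    if kind == "sz":
        encoded = data.strip()
        payload, how = encoded.encode("utf-8", "replace"), "plain string"
        if _B64_RE.match(encoded):
            try:
                payload, how = base64.b64decode(encoded), "base64 string"
            except ValueError:          # binascii.Error: bad padding, not base64
                pass
    else:
        payload, how = data, "binary value"
    if len(payload) < MIN_PAYLOAD_BYTES:
        return None
    if payload.startswith(b"MZ"):
        return Finding(key, name, len(payload), f"{how} holding a PE image")
    # hex(2)/hex(7) values are UTF-16LE; dropping NULs lets the ASCII markers match.
    for probe in (payload, payload.replace(b"\x00", b"")):
        marker = next((mk for mk in SCRIPT_MARKERS if mk in probe), None)
        if marker:
            return Finding(key, name, len(payload),
                           f"{how} holding script source (marker {marker.decode()!r})")
    if how == "binary value":
        return None     # large opaque REG_BINARY values are normal (caches, MRU lists)
    return Finding(key, name, len(payload), f"{how} of {len(payload)} bytes, contents not recognised")


def scan_reg_export(text):
    """Run inspect_value over every value in a .reg export."""
    return [f for k, n, kind, d in parse_reg_export(text)
            if (f := inspect_value(k, n, kind, d)) is not None]


# ---- Constructed sample export (not a real capture) ----------------------------
def _hex_lines(raw, per_line=25):
    # Render bytes the way regedit does: comma-separated hex, wrapped with '\'.
    pairs = [f"{b:02x}" for b in raw]
    chunks = [",".join(pairs[i:i + per_line]) for i in range(0, len(pairs), per_line)]
    return ",\\\n  ".join(chunks)


_FAKE_JS = ('var sh = new ActiveXObject("WScript.Shell");\n'
            'function beacon() { /* placeholder */ }\n') * 120    # ~10 KB of "script"
_FAKE_PE = b"MZ" + b"\x90" * MIN_PAYLOAD_BYTES                     # PE-looking blob
SAMPLE_REG = "\n".join([
    "Windows Registry Editor Version 5.00",
    "",
    r"[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]",
    r'"OneDrive"="\"C:\\Users\\user\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe\" /background"',
    "",
    r"[HKEY_CURRENT_USER\SOFTWARE\Example\Settings]",
    '"Theme"="dark"',
    '"Flags"=hex:01,00,00,00',
    '"Cache"="' + base64.b64encode(_FAKE_JS.encode()).decode() + '"',
    '"Blob"=hex:' + _hex_lines(_FAKE_PE),
    "",
])

if __name__ == "__main__":
    for f in scan_reg_export(SAMPLE_REG):
        print(f"{f.key}\\{f.name}: {f.reason}, {f.size} bytes")
```

On a real host, export the hives first (for example `reg export HKCU hkcu.reg /y`) and pass the file contents to `scan_reg_export`. A large base64 string in the registry is a signal to triage, not proof of compromise: decode it and look at what it contains, and check the autostart locations (Run keys, scheduled tasks) for whatever reads and executes it.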


News URL

https://thehackernews.com/2021/12/new-fileless-malware-uses-windows.html