Malware Evades Detection by Lurking in Windows Registry
Phishing attacks pose an ongoing and widespread danger to both individuals and organizations. To trick users into divulging sensitive information like passwords and credit card details, Threat Actors (TAs) employ various tactics, including phishing websites. Attackers often use these fraudulent websites to distribute their malicious software, taking advantage of users’ trust in legitimate-looking sites.
Recently, Cyble Research and Intelligence Labs (CRIL) has identified a phishing website that imitated a renowned Russian website, CryptoPro CSP. TAs were using this website to distribute DarkWatchman malware.
DarkWatchman was first detected in 2021, with Russian users as its primary targets. It is a Remote Access Trojan (RAT) that enables attackers to gain remote control over compromised systems and extract sensitive data. Its capabilities include capturing keystrokes, clipboard data, and system information. Notably, DarkWatchman avoids writing the captured data to disk and instead stores it in the registry, thereby minimizing the risk of detection.
On the phishing website hxxps[:]//cryptopro-download[.]one, users are presented with the option to download a malicious file called “CSPSetup.rar.” The site also supplies the password required to extract its contents.
The figure displayed below depicts the phishing website.
Upon extraction, the malicious archive yields two files, CSPSetup.exe and readme.txt. If executed, CSPSetup.exe installs the DarkWatchman malware. The readme.txt file, which is written in Russian, implies that the malware specifically targets users in Russia.
The figure below shows the files inside the “CSPSetup.rar” archive.
The file “CSPSetup.exe” (SHA 256: d439a3ce7353ef96cf3556abba1e5da77eac21fdba09d6a4aad42d1fc88c1e3c) is an SFX archive file.
More information about this file can be seen in the figure below. On execution, the SFX archive runs the following command line:
- "C:\Windows\System32\cmd.exe" /c (start /MIN powershell.exe -NonI -W Hidden -Exec Bypass Add-MpPreference -ExclusionPath "C:") & (start /MIN wscript.exe /E:jscript 144039266 131 "C:\Users\User Profile\Desktop\CSP\CSPSetup.exe")
The first command launches PowerShell to add the “C:\” drive as a Windows Defender exclusion path, so that files on the drive are no longer scanned. The second starts wscript.exe with the /E:jscript switch, which executes CSPSetup.exe through the JScript engine.
In addition, the CSPSetup.exe program drops a file called “291529489” in the same folder, which serves as an encrypted keylogger.
The entry point function is depicted in the figure below.
The entry_point() function calls three other functions: init_globals(), start_instance(), and install().
- init_globals() – Initializes Global Variables
- install() – Responsible for deploying the RAT, keylogger, and wrapper file in the victim’s machine.
- start_instance() – This is the main function of DarkWatchman RAT, which is responsible for executing various malicious activities, including keylogging and sending the user’s data to the C&C server.
To proceed with the RAT installation, the entry_point() function evaluates three conditions:
- Next, it checks whether the first parameter is a numeric value (in this case, it is “131”).
- Finally, the script checks whether the registry value “HKEY_CURRENT_USER\Software\Microsoft\Windows\DWM\<uid + 0>” exists. If the value does not exist, it calls the install() function to deploy the RAT; otherwise, the start_instance() function is executed.
The malware saves all its configuration and the keylogger file content in the above-mentioned registry key.
The init_globals() code block initializes a set of global variables that are used throughout the execution of the RAT. These variables include objects for operating on the Windows Shell, File System, Registry, WMI, and more, as shown in the figure below.
The purpose of the function called get_uid() is to obtain a unique identifier (UID) for the system currently in use. It does so by accessing a specific registry value: “HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\MachineGuid”.
It retrieves data from the registry value and returns the first eight characters in lowercase as the UID.
This UID, with different alphanumeric suffixes appended, is used as the registry value name for the RAT’s operations. For example, the table below shows such a value with its corresponding purpose.

| Registry value | Purpose |
|---|---|
| uid+h | Clear browser history |
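The uid derivation and the uid-prefixed value names make the RAT’s registry footprint predictable, which is useful for hunting. The script below is an added example and not code from Cyble’s analysis: it reproduces the uid derivation (first eight characters of MachineGuid, lowercased), then scans a `reg export`-style text dump of the DWM key for the value names this analysis describes (uid+0 as the installation marker, uid+1 for the keylogger, uid+c for the C&C URL, uid+h, uid+t and uid+z as control flags). The MachineGuid, the sample export, the purpose strings and the simplified .reg parser are constructed for the example. When the MachineGuid of the host is not at hand, it falls back to a shape heuristic (eight lowercase hex characters plus one suffix character) that legitimate DWM values such as Composition never match.

```python
import re
from typing import Dict, Optional

# Added example: hunt for DarkWatchman's uid-prefixed registry values.
# The DWM key and the suffixes come from the analysis; everything else is constructed.
DWM_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\DWM"

# Suffix appended to the uid -> purpose of the value, as described in the analysis
SUFFIX_PURPOSE = {
    "0": "installation marker checked by entry_point()",
    "1": "decrypted keylogger, Base64-encoded",
    "c": "C&C URL",
    "h": "browser history already cleared this session",
    "t": "sleep five minutes before reconnecting",
    "z": "terminate the RAT",
}

# uid is eight lowercase hex characters; one suffix character follows it
UID_VALUE_RE = re.compile(r"^[0-9a-f]{8}[0-9a-z]$")


def derive_uid(machine_guid: str) -> str:
    """Reproduce the RAT's uid derivation: first eight characters of MachineGuid, lowercased."""
    return machine_guid.strip()[:8].lower()


def parse_reg_export(text: str) -> Dict[str, Dict[str, str]]:
    """Parse the subset of .reg syntax needed here: [key] headers and "name"=data lines.

    Returns {key_path: {value_name: raw_data}}. Multi-line hex values are not handled.
    """
    keys: Dict[str, Dict[str, str]] = {}
    current: Optional[str] = None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
        elif current is not None and line.startswith('"'):
            name, _, data = line[1:].partition('"=')
            keys[current][name] = data
    return keys


def find_rat_values(export_text: str, uid: Optional[str] = None) -> Dict[str, str]:
    """Return {value_name: purpose} for suspicious values under the DWM key.

    With a known uid, match uid+suffix exactly; without one, use the shape heuristic.
    """
    findings: Dict[str, str] = {}
    for key, values in parse_reg_export(export_text).items():
        if key.lower() != DWM_KEY.lower():
            continue
        for name in values:
            if uid is not None:
                suffix = name[len(uid):]
                if name.startswith(uid) and suffix in SUFFIX_PURPOSE:
                    findings[name] = SUFFIX_PURPOSE[suffix]
            elif UID_VALUE_RE.match(name):
                findings[name] = SUFFIX_PURPOSE.get(name[8:], "unknown uid-style value")
    return findings


# Constructed sample input: a MachineGuid and a small export with two RAT values
# beside two legitimate DWM values. The URL is a placeholder, not a real indicator.
SAMPLE_MACHINE_GUID = "3f2504e0-4f89-11d3-9a0c-0305e82c3301"
SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\DWM]
"Composition"=dword:00000001
"ColorizationColor"=dword:c40078d7
"3f2504e00"="1"
"3f2504e0c"="hxxp://c2-placeholder.invalid/"
'''

if __name__ == "__main__":
    uid = derive_uid(SAMPLE_MACHINE_GUID)
    for name, purpose in find_rat_values(SAMPLE_EXPORT, uid).items():
        print(f"{DWM_KEY}\\{name}: {purpose}")
```

Run against a real host, the input would be the output of `reg export HKCU\Software\Microsoft\Windows\DWM dwm.reg` and the MachineGuid read from HKLM\SOFTWARE\Microsoft\Cryptography; the heuristic mode is the one to use when sweeping exports collected from many machines.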
This function determines whether the user has administrative privileges on the system by creating a registry value “HKEY_CLASSES_ROOT\WinNT\test” and writing a value of 1 to it using the RegWrite method. It then checks whether the value can be read back using the RegRead method. If it is 1, the user has write permission to that location, which confirms administrative privileges.
If the value cannot be read or is not 1, the function returns false, indicating that the user does not have administrative privileges. The function ends by deleting the registry value using the RegDelete method.
The below figure shows the function code of is_admin().
After obtaining the necessary global variables and user permission information, the script proceeds to install the RAT on the victim’s system.
The install() function is responsible for deploying the DarkWatchman RAT and the keylogger on the system. The figure below shows the beginning of the install() function.
- The first step of the function involves verifying whether the command line contains more than one parameter. If the condition is satisfied, the function then tries to remove the “CSPSetup.exe” file from the system.
- Afterward, the script verifies if the user has administrative privileges. If so, it runs a PowerShell command to add an exclusion path for Windows Defender, specifically excluding the \appdata\local folder from being scanned.
- powershell.exe -NonI -W Hidden -Exec Bypass Add-MpPreference -ExclusionPath "' + f.Self.Path + '"', 0, false
- The script is then copied to the user’s \appdata\local folder under the following path:
- "C:\\Users\\User Profile\\AppData\\Local\\5d202e6e0.js"
- If the copying of the file is successful, the script then proceeds to create a task scheduler entry in the system that will run the copied script every time the system starts up.
The figure below shows the Task Scheduler entry created by the DarkWatchman RAT.
The remaining code within the install() function is shown in the figure below.
- The following section of the function checks for the existence of an encoded keylogger file called “291529489” in the %temp% directory. If the file exists, the function reads its contents and removes the file from the disk as shown in the figure below.
Finally, the decrypted keylogger content is saved, Base64-encoded, to the registry value “uid+1”, as shown in the figure below.
- Then, the RAT proceeds to execute the newly copied JS file by passing the below command-line argument through the Windows Management Instrumentation (WMI) service.
- "C:\\Windows\\SysWOW64\\wscript.exe \"C:\\Users\\User Profile\\AppData\\Local\\5d202e6e0.js\" 131"
- Next, the function registers the “dynwrapx.dll” library by copying it to the %temp% directory and running the “regsvr32.exe” command with the “/i” and “/s” flags to install the library silently.
The image below shows the code for launching the wrapper file.
- Furthermore, the RAT runs a system command that silently deletes all restore points (volume shadow copies) on the computer using vssadmin.exe:
- wscript_shell.Run('vssadmin.exe Delete Shadows /All /Quiet', 2, false);
- The final step displays a popup message box titled “Error” with the text “Unexpected end of the file.” for 30 seconds.
The start_instance() function is an essential part of the DarkWatchman RAT script, as it performs a set of standard operations every time the RAT runs.
The figure below shows the code snippet of the start_instance() function.
The script performs the following actions:
- Then, it retrieves the converted keylogger code stored in the registry and passes it to PowerShell via the “StartProcessViaWMI” function to execute. The command line is as follows:
- 'powershell.exe -NoP -NonI -W Hidden -Exec Bypass -enc ' + <Base64-encoded data stored in the registry>
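Each stage of this chain leaves a distinctive process command line: the Defender exclusions added through Add-MpPreference, the wscript.exe /E:jscript launch of CSPSetup.exe, the hidden encoded PowerShell started through WMI, the vssadmin shadow deletion, and the silent regsvr32 install from %temp%. The detection logic below turns those observations into rules and runs them over constructed Sysmon-style process-creation records. It is an added example, not code from Cyble’s analysis; the event field names, sample image paths, parent processes and the placeholder Base64 argument are assumptions. The WMI rule relies on the fact that processes created through WMI appear as children of WmiPrvSE.exe.

```python
import re
from typing import Callable, Dict, List, Tuple

# Added example: detection rules for the DarkWatchman command lines documented in
# the analysis, over constructed Sysmon-style process-creation events.
Event = Dict[str, str]  # assumed fields: "image", "parent_image", "command_line"


def _basename(path: str) -> str:
    """Lower-cased file name of a Windows path (accepts / or \\ separators)."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def rule_defender_exclusion(ev: Event) -> bool:
    """PowerShell adding a Defender exclusion path (seen for C:\\ and for the script's folder)."""
    cl = ev["command_line"].lower()
    return "add-mppreference" in cl and "-exclusionpath" in cl


def rule_wscript_forced_engine(ev: Event) -> bool:
    """wscript.exe forced to use the JScript engine, which lets a non-.js file run as script."""
    return (_basename(ev["image"]) == "wscript.exe"
            and re.search(r"/E:jscript\b", ev["command_line"], re.I) is not None)


def rule_hidden_encoded_powershell(ev: Event) -> bool:
    """Hidden, bypass-policy PowerShell given an encoded command (the keylogger launch)."""
    cl = ev["command_line"]
    return (_basename(ev["image"]) == "powershell.exe"
            and re.search(r"-w(indowstyle)?\s+hidden", cl, re.I) is not None
            and re.search(r"-exec(utionpolicy)?\s+bypass", cl, re.I) is not None
            and re.search(r"\s-(enc|encodedcommand|ec)\s", cl, re.I) is not None)


def rule_wmi_spawned_powershell(ev: Event) -> bool:
    """WMI-created processes are children of WmiPrvSE.exe; the RAT starts PowerShell via WMI."""
    return (_basename(ev["parent_image"]) == "wmiprvse.exe"
            and _basename(ev["image"]) == "powershell.exe")


def rule_shadow_copy_deletion(ev: Event) -> bool:
    """vssadmin deleting shadow copies (restore points)."""
    return (_basename(ev["image"]) == "vssadmin.exe"
            and re.search(r"delete\s+shadows", ev["command_line"], re.I) is not None)


def rule_regsvr32_silent_temp(ev: Event) -> bool:
    """regsvr32 installing a DLL silently (/i /s) from a Temp folder, as with dynwrapx.dll."""
    cl = ev["command_line"].lower()
    return (_basename(ev["image"]) == "regsvr32.exe"
            and " /s" in cl and " /i" in cl and "\\temp\\" in cl)


RULES: List[Tuple[str, Callable[[Event], bool]]] = [
    ("defender_exclusion_added", rule_defender_exclusion),
    ("wscript_forced_jscript_engine", rule_wscript_forced_engine),
    ("hidden_encoded_powershell", rule_hidden_encoded_powershell),
    ("wmi_spawned_powershell", rule_wmi_spawned_powershell),
    ("shadow_copy_deletion", rule_shadow_copy_deletion),
    ("regsvr32_silent_install_from_temp", rule_regsvr32_silent_temp),
]


def detect(events: List[Event]) -> List[Tuple[int, str]]:
    """Return (event index, rule name) for every rule each event matches."""
    return [(idx, name) for idx, ev in enumerate(events) for name, fn in RULES if fn(ev)]


# Constructed sample events mirroring the documented chain, plus one benign PowerShell launch.
# "QUJDRA==" is a placeholder encoded argument, not the real payload.
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS: List[Event] = [
    {"image": PS, "parent_image": r"C:\Windows\System32\cmd.exe",
     "command_line": 'powershell.exe -NonI -W Hidden -Exec Bypass Add-MpPreference -ExclusionPath "C:"'},
    {"image": r"C:\Windows\System32\wscript.exe", "parent_image": r"C:\Windows\System32\cmd.exe",
     "command_line": r'wscript.exe /E:jscript 144039266 131 "C:\Users\User Profile\Desktop\CSP\CSPSetup.exe"'},
    {"image": PS, "parent_image": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
     "command_line": "powershell.exe -NoP -NonI -W Hidden -Exec Bypass -enc QUJDRA=="},
    {"image": r"C:\Windows\System32\vssadmin.exe", "parent_image": r"C:\Windows\System32\wscript.exe",
     "command_line": "vssadmin.exe Delete Shadows /All /Quiet"},
    {"image": r"C:\Windows\System32\regsvr32.exe", "parent_image": r"C:\Windows\System32\wscript.exe",
     "command_line": r'regsvr32.exe /i /s "C:\Users\User Profile\AppData\Local\Temp\dynwrapx.dll"'},
    {"image": PS, "parent_image": r"C:\Windows\explorer.exe",
     "command_line": "powershell.exe Get-Process"},
]

if __name__ == "__main__":
    for idx, name in detect(SAMPLE_EVENTS):
        print(f"event {idx}: {name} <- {SAMPLE_EVENTS[idx]['command_line']}")
```

The benign last event produces no hit, while the WMI-launched PowerShell fires two rules at once; in practice, feed the same dictionaries from Sysmon Event ID 1 or Security 4688 records (with command-line auditing enabled) and alert on any host where several of these rules fire within a short window.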
The keylogger records keystrokes, clipboard data, and smart card information in the registry to minimize the risk of detection. The keylogger in DarkWatchman does not have any direct communication with the Command-and-Control (C&C) server or write any data to the disk. Instead, it stores its captured data in the registry value that is used as a buffer.
The RAT regularly retrieves and clears the buffer before transmitting the collected keystrokes to the C&C server.
The figure below shows the captured clipboard content stored in the registry.
- Next, the function attempts to connect to a C&C URL retrieved from the registry value uid + ‘c’.
The below figure shows the registry value containing the URL.
- After that, the RAT collects the victim’s system information, such as operating system version, locale, computer name, username, domain role, and antivirus software. It then formats this information into a string and sends it to the C&C server. Then it goes into sleep mode for 60 seconds.
The below figure shows the data captured from the victim’s machine.
The following are descriptions of the remaining parts of the start_instance() function:
- The RAT checks whether the registry value uid + ‘h’ exists and whether the system uptime is less than 600 seconds. If not, it terminates the processes of web browsers such as Internet Explorer, Firefox, Chrome, and Yandex and deletes their browsing history.
Once the browser history has been cleared successfully, the uid + ‘h’ registry value is updated to 1 to avoid repeating the process during the same session.
The following figure displays the updated registry key after clearing the browser history.
- The loop checks the existence of registry values such as uid + ‘t’ and uid +’z’.
If the registry value uid + ‘z’ exists, the script terminates and the RAT operation stops. If the value uid + ‘t’ exists, it sleeps for 300,000 milliseconds (5 minutes) before reconnecting to the server.
- After gathering the captured stolen information, the RAT sends it to the C&C server.
The code and the corresponding values sent to the server are displayed in the figure below.
DarkWatchman RAT showcases a new spreading technique through phishing sites, indicating that TAs are constantly innovating and using new methods to compromise systems. With the rise in the number of DarkWatchman samples being detected in the wild, the malware may be increasingly used in future cyberattacks.
Furthermore, using the Windows Registry as a storage mechanism for fileless malware is noteworthy, as it evades detection by traditional antivirus software that relies on scanning files. DarkWatchman’s keylogger is an example of fileless malware that uses this technique to avoid detection.
Cyble Research and Intelligence Labs continue to monitor the activity of DarkWatchman RAT and other malware and will provide timely updates to our readers.
We have listed some essential cybersecurity best practices that create the first line of control against attackers. We recommend that our readers follow the best practices given below:
Safety Measures Needed to Prevent Malware Attacks
- Do not open suspicious links in emails
- Do not download the software from untrusted sources
- Use a reputed antivirus and Internet security software package on your connected devices, including PC, laptop, and mobile
- Refrain from opening untrusted links and email attachments without verifying their authenticity
Users Should Take the Following Steps After the Malware Attack
- Disconnect infected devices from the network
- Disconnect external storage devices if connected
- Inspect system logs for suspicious events
Impact and Criticality of Malware
- Additional malware can be dropped into the system
- Infected systems could attack other systems
- Loss of valuable data
- Loss of the organization’s reputation and integrity
- Loss of the organization’s sensitive business information
- Disruption in organization operation
- Monetary loss
MITRE ATT&CK® Techniques
| Tactic | Technique ID | Technique Name |
|---|---|---|
| Execution | T1059 | Command and Scripting Interpreter |
| Defense Evasion | T1140 | Deobfuscate/Decode Files or Information |
| Discovery | T1012 | Query Registry |
| Discovery | T1082 | System Information Discovery |
| Input Capture | T1056.001 | Input Capture: Keylogging |
| Command and Control | T1071 | Application Layer Protocol |
Indicators of Compromise (IOCs)
|Obfuscated JS file|