A new JavaScript-based remote access Trojan (RAT) propagated via a social engineering campaign has been observed employing sneaky “fileless” techniques as part of its detection-evasion methods to elude discovery and analysis.
Dubbed DarkWatchman by researchers from Prevailion’s Adversarial Counterintelligence Team (PACT), the malware uses a resilient domain generation algorithm (DGA) to identify its command-and-control (C2) infrastructure and utilizes the Windows Registry for all of its storage operations, thereby enabling it to bypass antimalware engines.
The RAT utilizes novel methods for fileless persistence, on-system activity, and dynamic run-time capabilities like self-updating and recompilation, researchers Matt Stafford and Sherman Smith said, adding it represents an evolution in fileless malware techniques, as it uses the registry for nearly all temporary and permanent storage and therefore never writes anything to disk, allowing it to operate beneath or around the detection threshold of most security tools.