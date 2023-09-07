Figure 3: DarkWatchman Malware infection chain

The downloader files, which contact various domains, download files to the %TEMP% location, where a self-extracting archive (SFX) installer drops two files: a JS file and a file containing a blob of hexadecimal characters. The SFX file executes the JS with the SFX file's own path as the argument. The JS file contains obfuscated code that functions as the backdoor, and the blob contains encrypted data that, when decrypted, yields a block of base64-encoded PowerShell that implements a keylogger. The SFX archive's configuration contains a comment in Russian (;Расположенный ниже комментарий содержит команды SFX-сценария), which translates to "The comment below contains SFX script commands", indicating that the author of the malware is a Russian-language speaker, likely based in, or originating from, a Russian-speaking territory.

The SFX archives also drop and register the dynwrapx.dll library (DynamicWrapperX), a COM object that lets scripts such as JS or VBS call WinAPI functions exported from system DLLs directly. This allows threat actors to deliver advanced payloads as scripts, without dropping additional compiled executables to disk for execution.

The JavaScript backdoor is executed by the Windows Script Host (WSH), wscript.exe, and uses the Windows Registry as a storage mechanism for configuration and other data, so that it avoids writing additional files to disk and reduces its exposure to file-based anti-virus scanning. In particular, the keylogger is stored in the Registry in an encoded form until it is executed.

The backdoor generates a UID string each time it starts, which it uses as an identifier for various purposes. The UID is derived from the C: volume serial number, which is queried, rendered in lowercase characters, and left-padded with zeros as needed to make the UID string 8 characters long.

Several Registry values are used to store data, with HKEY_CURRENT_USER\Software\Microsoft\Windows\DWM\ as the base of this storage area. Each Registry value name consists of the UID followed by a single alphanumeric character representing a configuration key (<uid><config_key>), and the value holds configuration or other collected data (e.g., the key log), consistent with Hive0117's earlier use of the malware.

Executing the backdoor with the path of the SFX file as a parameter causes an installation routine to run. As part of the installation routine, the backdoor deletes the SFX file to remove evidence of its existence. The backdoor then renames itself based on the UID generated at startup and moves the file to %LOCALAPPDATA%\<uid>0.js (e.g., 29e0d2550.js).

The backdoor creates a scheduled task, named using the UID, to maintain persistence on the system; when the backdoor was initially executed by an administrator, the task is configured to run with elevated privileges.

The backdoor looks for the file containing the keylogger, reads its contents, and decodes them using XOR operations. The decoded data is converted back into a hex string and stored in the Registry until it is ready to be executed; the data written to the Registry is a base64-encoded PowerShell command. The keylogger file is removed upon installation, and the scheduled task is started to trigger immediate execution instead of waiting for a user to log on. The final installation step, if the backdoor is running as an administrator, is to delete any volume shadow copies to further cover its tracks.
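The following PowerShell script is an added hunting example, not Hive0117's code or anything taken from the samples; it derives the UID from the C: volume serial number as described above and then checks for the artifacts the installation routine leaves: the <uid><config_key> values under HKCU\Software\Microsoft\Windows\DWM, the renamed %LOCALAPPDATA%\<uid>0.js copy, the scheduled task named with the UID, and the DynamicWrapperX registration. Two things are assumptions rather than facts from the page: the COM ProgID 'DynamicWrapperX' for dynwrapx.dll (taken from the library's public documentation), and that the base64 found in a Registry value is a UTF-16LE command of the kind passed to powershell.exe -EncodedCommand (a UTF-8 fallback is attempted). The sample payload at the end is constructed in the script itself for a round-trip check.

```powershell
# Added hunting example for the DarkWatchman artifacts described above.
# Not Hive0117 code. Assumptions are marked in comments.

function Get-DarkWatchmanUid {
    param([string]$Drive = 'C:')
    # VolumeSerialNumber is returned by WMI as a hex string, e.g. '29E0D255'
    $serial = (Get-CimInstance -ClassName Win32_LogicalDisk -Filter "DeviceID='$Drive'").VolumeSerialNumber
    # Lowercase, then left-pad with zeros to 8 characters, as the text describes
    return $serial.ToLower().PadLeft(8, '0')
}

function ConvertFrom-StoredPayload {
    # Registry values hold the payload as a hex string whose bytes are base64 text
    param([Parameter(Mandatory)][string]$Hex)
    $bytes = [byte[]]::new([int]($Hex.Length / 2))
    for ($i = 0; $i -lt $bytes.Length; $i++) {
        $bytes[$i] = [Convert]::ToByte($Hex.Substring(2 * $i, 2), 16)
    }
    $b64 = [System.Text.Encoding]::ASCII.GetString($bytes)
    $raw = [Convert]::FromBase64String($b64)
    # Assumption: UTF-16LE as used with -EncodedCommand. If the odd bytes are
    # not mostly zero, the command was probably stored as UTF-8/ASCII instead.
    $zeros = 0
    for ($i = 1; $i -lt $raw.Length; $i += 2) { if ($raw[$i] -eq 0) { $zeros++ } }
    $enc = if ($raw.Length -gt 1 -and $zeros -gt ($raw.Length / 4)) {
        [System.Text.Encoding]::Unicode
    } else {
        [System.Text.Encoding]::UTF8
    }
    return $enc.GetString($raw)
}

function Find-DarkWatchmanArtifacts {
    param([string]$Uid = (Get-DarkWatchmanUid))
    $findings = [System.Collections.Generic.List[string]]::new()

    # 1. Registry storage area: values named <uid><config_key> under the DWM key
    $base = 'HKCU:\Software\Microsoft\Windows\DWM'
    if (Test-Path $base) {
        $key = Get-Item $base
        foreach ($name in $key.GetValueNames()) {
            if ($name -like "$Uid?") {
                $value = [string]$key.GetValue($name)
                $findings.Add("Registry value $base\$name ($($value.Length) chars)")
                # Values that are pure even-length hex may be the stored PowerShell
                if ($value -match '^[0-9a-fA-F]+$' -and $value.Length % 2 -eq 0) {
                    try {
                        $decoded = ConvertFrom-StoredPayload -Hex $value
                        $findings.Add('  decodes to: ' + $decoded.Substring(0, [Math]::Min(80, $decoded.Length)))
                    } catch { }
                }
            }
        }
    }

    # 2. Renamed backdoor copy: %LOCALAPPDATA%\<uid>0.js
    $js = Join-Path $env:LOCALAPPDATA "${Uid}0.js"
    if (Test-Path $js) { $findings.Add("File $js") }

    # 3. Scheduled task named with the UID
    Get-ScheduledTask -ErrorAction SilentlyContinue |
        Where-Object { $_.TaskName -like "*$Uid*" } |
        ForEach-Object { $findings.Add("Scheduled task $($_.TaskPath)$($_.TaskName)") }

    # 4. DynamicWrapperX COM registration (ProgID is an assumption from the library's docs)
    if (Test-Path 'Registry::HKEY_CLASSES_ROOT\DynamicWrapperX') {
        $findings.Add('COM ProgID DynamicWrapperX is registered (dynwrapx.dll)')
    }

    return $findings
}

# Constructed sample: encode a harmless command the way the text describes
# (UTF-16LE -> base64 -> hex) and confirm the decoder recovers it.
$cmd = 'Write-Host test'
$b64 = [Convert]::ToBase64String([System.Text.Encoding]::Unicode.GetBytes($cmd))
$hex = ([System.Text.Encoding]::ASCII.GetBytes($b64) | ForEach-Object { $_.ToString('x2') }) -join ''
if ((ConvertFrom-StoredPayload -Hex $hex) -ne $cmd) { throw 'round-trip failed' }

# Run the hunt for the UID of this host
Find-DarkWatchmanArtifacts
```

Run it in the context of the user whose profile is being examined, since the storage key lives under HKEY_CURRENT_USER and the JS copy under that user's %LOCALAPPDATA%; a different volume serial number (for example, when triaging a mounted image) can be supplied through the -Uid parameter after deriving it with Get-DarkWatchmanUid -Drive.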