IBM X-Force uncovered a new phishing campaign likely conducted by Hive0117 delivering the fileless malware DarkWatchman, directed at individuals associated with major energy, finance, transport, and software security industries based in Russia, Kazakhstan, Latvia, and Estonia. DarkWatchman malware is capable of keylogging, collecting system information, and deploying secondary payloads.

Imitating official correspondence from the Russian government in phishing emails aligns with previous Hive0117 campaigns delivering DarkWatchman malware, and shows a possible significant effort to induce a sense of urgency as the emails reference then-recent amendments regarding conscription. Under the new ordinance, the state will bar individuals who fail to report for service from applying for loans, conducting real estate transactions, engaging in international travel, and suspend their driver’s license.

It is highly likely Hive0117 pose a threat to in-region entities and enterprises, given the use of emergent policies associated with the ongoing conflict in Ukraine to conduct operations, combined with the diverse functionality and fileless nature of DarkWatchman malware.

Key findings

• Hive0117 leverages new digital policies associated with Russian mobilization targeting Russian speakers.
• Phishing emails imitate electronic conscription notices from a non-existent military commissariat to deliver fileless DarkWatchman malware.
• Use of the ongoing regional conflict likely signals Hive0117 operations leverage current events to conduct illicit activity.
• The DarkWatchman RAT uses fileless behavior to maintain a footprint on infected systems and may be used to deploy secondary payloads.
• The fileless nature of the DarkWatchman malware, its use of JavaScript and a keylogger written in C#, as well as the ability to remove traces of its existence on compromised systems, are evidence of somewhat sophisticated capabilities.

Email campaign

Following President Vladimir Putin’s announcement of ‘partial mobilization,’ an estimated 900,000 Russian citizens fled the Russian Federation to avoid conscription into the Russian Armed Forces. In response, the Russian government introduced a bill in 2023 that aimed to address the issue of citizens avoiding service and receipt of a physical summons by allowing for the delivery of digital summons via the Gosuslugi — an electronic state services portal.

The emails are directed at work email addresses of individuals associated with several industries based in Russia, Kazakhstan, Latvia, and Estonia, and leveraging an electronic summons for conscription into the Russian Armed Forces as the phishing lure. Hive0117 actors sent Russian-language emails with subject lines appearing to be Orders for Mobilization as of 10 May 2023 (Мобилизационное предписание №291-76005-23 от 10.05.2023).

For authenticity, the emails include multiple images along with logos of the official coat of arms of the Russian Ministry of Defense. Machine translation of the email shows references to the then-recent legislation regarding guidance surrounding mobilization to the Russian Armed Forces.

Figure 1: Image of Hive0117 phish imitating electronic conscription notice

Each phishing email contains an archive attachment with a title echoing the email’s subject line, combined with an apparent serial number, and the date (Мобилизационное предписание №291-76005-23 от 10.05.2023.zip). The email sender is a fictional organization of the Main Directorate of the Military Commissariat of the Ministry of Defense of the Russian Federation (Главное Управление Военного Комиссариата МО РФ). Likewise, the same commissariat language (voenkomat) is also included in the visible actor-controlled return path (mail@voenkomat-mil[.]ru).

Additionally, X-Force uncovered reports from Russian publications indicating exact copies of the phishing emails were received by residents and government institutions across Russia, from Nizhny Tagil and Voronezh, to the Amur region, Ulyanosk, Samara, Krasnodar, and Moscow. Reader comments within the articles suggest recipients included the Editorial Office of the Academy of Sciences, the Moscow Post Office, and personnel departments in Moscow.

Figure 2: Image of local Russian newspaper reporting on the residents receiving fake mobilization orders

Given the contents of the email and their widespread distribution, it is highly likely Hive0117 directed this activity toward both in-country Russian citizens and those residing in Russia’s pronounced near abroad.

Malware

The email archive file attachments contain an executable, ultimately installing DarkWatchman malware that functions similarly to the Hive0117 malware reported in April 2022. A full DarkWatchman malware analysis report can be found on IBM X-Force Exchange.

Infection chain

Figure 3: DarkWatchman Malware infection chain

The downloader files, which contact various domains, download files to the %TEMP% location, where a self-extracting archive (SFX) installer drops two files: a JS file and a file containing a blob of hexadecimal characters. The SFX file executes the JS with the SFX file’s path as the argument. The JS file contains obfuscated code that functions as the backdoor, and the blob contains encrypted data that when decrypted, contains a block of base64 encoded PowerShell that implements a keylogger. The configuration contains a comment in Russian text, which translates to “The comment below contains SFX script commands” (;Расположенный ниже комментарий содержит команды SFX-сценария), indicating that the author of the malware is a Russian-language speaker, likely based in, or originating from, a Russian-speaking territory.

The SFX archives also drop and register the dynwrapx.dll library, which can be used to call WinAPI functions exported from system DLLs, directly from malicious scripts such as JS or VBS. This allows threat actors to deploy advanced payloads as scripts, without having to rely on executables that would be dropped to disk for execution.

The JavaScript backdoor is executed using the Windows Script Host (WSH) environment, wscript.exe, and utilizes the Windows Registry as a storage mechanism for configuration and other data to avoid writing to disk and avoid detection by anti-virus software. In particular, the keylogger is stored in the Registry in an encoded form until executed.

Hive0117 generates a UID string each time it starts that is used as an identifier for various purposes. The UID is calculated based on the C: volume serial number, which is queried and then converted to lowercase characters and padded with zeros (before the serial number) as needed to make the UID string 8 characters long.

Several registry entries are used to store data, such that  HKEY_CURRENT_USER\Software\Microsoft\Windows\DWM\ is used as the base for this storage area. Each Registry value is identified using the UID and an alpha-numeric character representing a configuration key <uid><config_key> and contains various configuration and other data (e.g., key log, etc.) previously used by Hive0117.

Executing the backdoor with the name of the SFX file as a parameter will cause an installation routine to be executed. As part of the installation routine, the backdoor will delete the SFX file to remove evidence of the file’s existence. The backdoor will rename itself based on UID generated at start up, and subsequently, the file is moved to %LOCALAPPDATA%<uid>0.js (e.g., 29e0d2550.js).

The backdoor creates a scheduled task to run with elevated permissions, as if initially executed by an admin user, and is used to maintain persistence on the system, and is named using the UID.

The backdoor looks for the file containing the keylogger, reads the contents, and decodes them using XOR operations. Decoded data is converted back into a hex string and stored in the Registry until ready to be executed. The data written to the Registry is a base64 encoded PowerShell command. The keylogger file is removed upon installation and the scheduled task is started to initiate immediate execution instead of waiting for a user to log on. The final installation task is to remove any volume shadow copies if the backdoor was running as admin to further clean up its tracks.

JavaScript backdoor and keylogger

Upon startup, and after the initial installation routine has been run, the backdoor will perform some preliminary steps before entering a loop where it will contact its C2 server and process any commands retrieved from the C2 server. The backdoor will look for any data contained in the configuration key v, which is used to store additional JavaScript code intended to be executed at startup.

The autostart JavaScript is not stored in v at installation and must be set later based on a C2 command. Next, the backdoor will attempt to start the keylogger stored as a base64 encoded PowerShell command retrieved and executed using a command via WMI. A keylogger component written in C# .Net is loaded by the JavaScript backdoor and runs concurrently with the backdoor. The source code for the keylogger is compiled and loaded into memory using a base64 encoded PowerShell command and creates a mutex to prevent multiple copies of the keylogger from running. The keylogger shares two of the configuration keys used by the backdoor to enable the two components to communicate and uses a configuration key to log captured keystrokes, which the backdoor sends to a C2; the keylogger does not have any network functionality.

Infrastructure

The DarkWatchman malware uses a domain generation algorithm (DGA) to generate a list of C2 domains that the malware attempts to communicate with different domains, potentially daily. The C2 URLs are created by combining the DGA domain list with the protocol, URL path, and a list of top-level domains (TLDs) that are hard coded in the backdoor. Previous TLDs included .top, .fun, .online, .site, whereas new TLDs include .shop, .icu, and .cyou. The backdoor creates and tests URLs starting with the original list, in which the DGA domains are added to, resulting in network connection attempts based on a static list of domains, then proceeding to the DGA domains.

System information is collected and generates a beacon:

• OS version/locale
• Domain role
• Computer name
• Username
• Current time zone
• Installed anti-virus
• Smartcard reader driver

Querying for the presence of a smartcard reader may indicate that Hive0117 conducts operations targeting military, government, or other organizations with higher security requirements.

MITRE ATT&CK alignment

T1027.010 Obfuscated Files or Information: Command Obfuscation

T1056.007 Command and Scripting Interpreter: JavaScript

T1053.005 Scheduled Task/Job: Scheduled Task

T1112 Modify Registry

Conclusion

A comparison of previously reported activity delivering DarkWatchman malware with the current activity, reveals a potential opportunist approach to operations featuring well-timed and manufactured campaigns. The fileless nature of the DarkWatchman malware, and its use of JavaScript and a keylogger written in C#, as well as the ability to remove traces of its existence on compromised systems when instructed, are evidence of somewhat sophisticated capabilities.

The ability of the malware to query for the presence of a smartcard reader may signal Hive0117’s operational objectives including the compromise of military, government, or other organizations with elevated security requirements. X-Force recommends entities in-region remain at a heightened state of defensive security.

Recommendations

• Ensure anti-virus software and associated files are up to date.
• Search for existing signs of the indicated IoCs in your environment:
  • JS files in %LOCALAPPDATA% (e.g. 29e0d2550.js)
  • Supicious schedued taks (e.g., task name “29e0d255-29e0-d255-29e0-29e0d25529e0″)
  • Volume shadow copy deletion. Command: “vssadmin.exe Delete Shadows /All /Quiet”
  • Powershell commands launched from WMI. Command: “powershell.exe -NoP -NonI -W Hidden -Exec Bypass –enc <payload>”
  • Registry keys under“HKEY_CURRENT_USER\Software\Microsoft\Windows\DWM\<c_volume_serial>\
  • Registering dynwrapx.dll. Command: “regsvr32.exe /i /s %LOCALAPPDATA%\dynwrapx.dll”
• Consider blocking and/or setting up detection for all URLs matching the DGA format: [a-f0-9]{8}.[shop|icu|cyou|top|fun|online|site]/index.php
• Keep applications and operating systems running at the current released patch level.
• Exercise caution with attachments and links in emails.

To learn how IBM Security X-Force can help with anything regarding cybersecurity including incident response, threat intelligence or offensive security services, schedule a meeting here: IBM Security X-Force Scheduler.

If you are experiencing cybersecurity issues or an incident, contact IBM Security X-Force for help: US hotline 1-888-241-9812 | Global hotline (+001) 312-212-8034.

Indicators of compromise