A new Hive0117 phishing campaign impersonates Russian conscription notices to deliver the DarkWatchman malware, targeting Russian-speaking individuals in the energy, finance, transport, and software security sectors. IBM X-Force researchers note that DarkWatchman operates as a fileless JavaScript backdoor paired with a C#-based keylogger, using registry and scheduled-task persistence and a domain generation algorithm (DGA) for its C2 infrastructure to evade detection. #DarkWatchman #Hive0117 #XForce
Keypoints
- Hive0117 targets Russian-speaking individuals in multiple sectors across Russia and neighboring countries (Kazakhstan, Latvia, Estonia).
- Phishing emails imitate conscription notices from a fictitious military commissariat to deliver fileless DarkWatchman malware.
- The campaign exploits the current regional conflict and mobilization policies as a pretext, relying on the urgency of a conscription notice to get the attachment opened.
- DarkWatchman is fileless, uses JavaScript backdoor and a C#-based keylogger, and can deploy secondary payloads.
- The malware hides its activity through obfuscated JavaScript, registry-based configuration, and removal of traces after execution.
- Infection chain includes SFX archives dropping JS and a blob of data that decrypts to PowerShell, with registry and scheduled task persistence.
MITRE Techniques
- [T1027.010] Obfuscated Files or Information: Command Obfuscation – The JS file contains obfuscated code that functions as the backdoor. Quote: ‘The JS file contains obfuscated code that functions as the backdoor.’
- [T1059.007] Command and Scripting Interpreter: JavaScript – The JavaScript backdoor is executed in the Windows Script Host (WSH) environment using wscript.exe. Quote: ‘The JavaScript backdoor is executed using the Windows Script Host (WSH) environment, wscript.exe.’
- [T1053.005] Scheduled Task/Job: Scheduled Task – The backdoor creates a scheduled task to run with elevated permissions, as if initially executed by an admin user. Quote: ‘The backdoor creates a scheduled task to run with elevated permissions, as if initially executed by an admin user.’
- [T1112] Modify Registry – The keylogger is stored in the Registry in an encoded form until executed; the registry is used to store configuration and data. Quote: ‘The keylogger is stored in the Registry in an encoded form until executed.’
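The host-side behaviour summarized in the key points and mapped to ATT&CK above (a dropped .js launched through the Windows Script Host, a scheduled task that re-runs it with elevated rights, an encoded payload parked in a registry value, and a decrypted blob handed to PowerShell) is what endpoint telemetry should be hunting for. The Python below is an added example written for this page, not X-Force tooling or DarkWatchman code: four rules run over constructed Sysmon-style events. The sample events, the registry key and task names, the user-writable directory list and the 512-character blob floor are assumptions of the example, not values from the report.

```python
import re
from dataclasses import dataclass

# Directories a non-admin phishing victim can write to; the list is a tuning
# choice of this example, not something the X-Force report specifies.
USER_WRITABLE = re.compile(
    r"\\Users\\[^\\]+\\(?:AppData|Downloads|Desktop|Documents)\\|\\Temp\\|\\ProgramData\\",
    re.IGNORECASE,
)
SCRIPT_HOST = re.compile(r"\\(?:wscript|cscript)\.exe\b", re.IGNORECASE)
JS_ARG = re.compile(r'"([^"]+\.js)"|(\S+\.js)(?=\s|$)', re.IGNORECASE)
# powershell.exe accepts -e / -ec / -enc / -encodedcommand for an encoded script body
ENCODED_PS = re.compile(r"(?:^|\s)-(?:e|ec|enc|encodedcommand)(?:\s|$)", re.IGNORECASE)
# A payload parked in the registry shows up as one long run of base64-style
# characters; 512 is an assumed floor and the report does not name the encoding.
ENCODED_BLOB = re.compile(r"[A-Za-z0-9+/=]{512,}")


@dataclass(frozen=True)
class Finding:
    rule: str
    technique: str
    detail: str


# Constructed sample telemetry (Sysmon-like shape); key and task names are made up.
SAMPLE_EVENTS = [
    {"type": "process", "image": r"C:\Windows\System32\wscript.exe",           # SFX drops and runs the JS
     "cmdline": r'wscript.exe "C:\Users\ivan\AppData\Local\Temp\c784477d0.js"',
     "parent": r"C:\Users\ivan\Downloads\Заявка_05062023.exe"},
    {"type": "process", "image": r"C:\Windows\System32\wscript.exe",           # benign vendor script
     "cmdline": r'wscript.exe //B "C:\Program Files\Vendor\update.js"',
     "parent": r"C:\Program Files\Vendor\updater.exe"},
    {"type": "task", "name": r"\SystemCheck", "run_level": "HighestAvailable",  # persistence task
     "action": r"C:\Windows\System32\wscript.exe //B C:\Users\ivan\AppData\Local\Temp\c153ea2b0.js"},
    {"type": "task", "name": r"\Microsoft\Windows\Defrag\ScheduledDefrag", "run_level": "HighestAvailable",
     "action": r"%windir%\system32\defrag.exe -c -h -o -$"},
    {"type": "registry", "key": r"HKCU\Software\Example\Cfg", "name": "data",  # encoded keylogger/config
     "data": "QUJDREVGRw" * 80},
    {"type": "registry", "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run", "name": "OneDrive",
     "data": r'"C:\Users\ivan\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background'},
    {"type": "process", "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -nop -w hidden -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQA",
     "parent": r"C:\Windows\System32\wscript.exe"},                             # blob decrypted to PowerShell
    {"type": "process", "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -ExecutionPolicy Bypass -File C:\\Scripts\\inventory.ps1",
     "parent": r"C:\Windows\System32\svchost.exe"},
]


def rule_script_host_from_user_dir(ev):
    """T1059.007: wscript/cscript running a .js that lives in a user-writable directory."""
    if ev["type"] != "process" or not SCRIPT_HOST.search(ev["image"]):
        return None
    for m in JS_ARG.finditer(ev["cmdline"]):
        path = m.group(1) or m.group(2)
        if USER_WRITABLE.search(path):
            return Finding("wsh_user_writable_js", "T1059.007", path)
    return None


def rule_task_runs_script_host(ev):
    """T1053.005: a scheduled task whose action is the Windows Script Host."""
    if ev["type"] != "task" or not SCRIPT_HOST.search(ev["action"]):
        return None
    return Finding("task_launches_wsh", "T1053.005",
                   f"{ev['name']} -> {ev['action']} (run level {ev['run_level']})")


def rule_encoded_registry_blob(ev):
    """T1112: a registry value holding a long encoded blob (parked payload or config)."""
    if ev["type"] != "registry" or not ENCODED_BLOB.search(ev["data"]):
        return None
    return Finding("encoded_registry_blob", "T1112", f"{ev['key']}\\{ev['name']} ({len(ev['data'])} chars)")


def rule_encoded_powershell(ev):
    """T1059.001: PowerShell started with an encoded command; notes whether WSH is the parent."""
    if ev["type"] != "process" or not ev["image"].lower().endswith("powershell.exe"):
        return None
    if not ENCODED_PS.search(ev["cmdline"]):
        return None
    via_wsh = bool(SCRIPT_HOST.search(ev.get("parent", "")))
    return Finding("encoded_powershell", "T1059.001", f"parent={ev['parent']} via_wsh={via_wsh}")


RULES = [rule_script_host_from_user_dir, rule_task_runs_script_host,
         rule_encoded_registry_blob, rule_encoded_powershell]


def run_rules(events):
    """Apply every rule to every event and return the findings in event order."""
    return [f for ev in events for rule in RULES if (f := rule(ev))]


if __name__ == "__main__":
    for f in run_rules(SAMPLE_EVENTS):
        print(f"[{f.technique}] {f.rule}: {f.detail}")
```

In production the process rules would consume Sysmon event ID 1, the registry rule event ID 13, and the task rule Security event 4698 (or Sysmon 1 for schtasks.exe); the `via_wsh` flag is the strongest signal here, since benign encoded PowerShell rarely has wscript.exe as its parent.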
Indicators of Compromise
- [Email ZIP Attachment] – Мобилизационное предписание №291-76005-23 от 10.05.2023.zip, Мобилизационное предписание №5010421409-ВВК от 10.05.2023.zip (Russian for “Mobilization order No. <number> dated 10.05.2023”; names kept verbatim for matching)
- [ZIP File] – Мобилизационное предписание №314-39008-3Н от 10.05.2023.zip, Мобилизационное предписание №4212317-009МК от 10.05.2023.zip
- [Javascript] – c784477d0.js, c153ea2b0.js
- [EXE] – Заявка_05062023.exe, dogovor.exe
- [Domain] – 025ad916[.]cyou, 025ad916[.]icu, ec311447[.]icu, ec311447[.]shop (defanged; each label is registered under two TLDs)
- [Email Address] – mail[@]voenkomat-mil[.]ru
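An added example, not part of the X-Force report, showing how the indicators above can be applied to resolver and mail telemetry. It refangs the listed values, flags exact matches, and, because all four listed C2 domains are an 8-character lowercase hex label under a low-cost TLD, also flags that shape as DGA-like. The shape heuristic, the log format and every log line are constructed assumptions of this example; the report does not publish the DGA itself.

```python
import re


def refang(indicator):
    """Undo the [.] / [@] defanging used in the IoC list so values can be compared."""
    return indicator.replace("[.]", ".").replace("[@]", "@").lower()


# Indicators from the list above (defanged there, refanged here)
IOC_DOMAINS = {refang(d) for d in ("025ad916[.]cyou", "ec311447[.]icu",
                                   "025ad916[.]icu", "ec311447[.]shop")}
IOC_SENDERS = {refang("mail[@]voenkomat-mil[.]ru")}
IOC_SENDER_DOMAINS = {s.split("@", 1)[1] for s in IOC_SENDERS}
# Shape shared by the listed C2 domains; treating it as the DGA's output
# pattern is an assumption of this example.
DGA_LIKE = re.compile(r"^[0-9a-f]{8}\.(?:cyou|icu|shop)$")

# Constructed resolver log lines: timestamp, client, query name, record type
SAMPLE_DNS = """\
2023-05-11T09:14:02Z 10.1.4.23 025ad916.cyou A
2023-05-11T09:14:03Z 10.1.4.23 www.example.com A
2023-05-11T09:14:09Z 10.1.4.23 7f3a9c1e.icu A
2023-05-11T09:15:11Z 10.1.4.40 cdn.example.net AAAA
2023-05-11T09:16:45Z 10.1.4.23 ec311447.shop. A
2023-05-11T09:17:00Z 10.1.4.51 deadbeef.example.org A
"""


def classify_domain(qname):
    """'ioc' for a listed domain, 'dga_like' for the hex-label shape, else None."""
    name = qname.lower().rstrip(".")   # tolerate the trailing dot of an FQDN
    if name in IOC_DOMAINS:
        return "ioc"
    if DGA_LIKE.match(name):
        return "dga_like"
    return None


def sender_verdict(address):
    """Exact sender match, same-domain match (another mailbox at the lure domain), or None."""
    addr = address.lower()
    if addr in IOC_SENDERS:
        return "ioc_sender"
    if addr.split("@", 1)[-1] in IOC_SENDER_DOMAINS:
        return "ioc_sender_domain"
    return None


def scan_dns(lines):
    """Return one hit per matching query, keeping the client so it can be triaged."""
    hits = []
    for line in lines:
        parts = line.split()
        if len(parts) < 4:
            continue
        ts, client, qname, _qtype = parts[:4]
        verdict = classify_domain(qname)
        if verdict:
            hits.append({"ts": ts, "client": client,
                         "qname": qname.lower().rstrip("."), "verdict": verdict})
    return hits


def clients_to_triage(hits):
    """Distinct clients that produced at least one hit."""
    return sorted({h["client"] for h in hits})


if __name__ == "__main__":
    hits = scan_dns(SAMPLE_DNS.splitlines())
    for h in hits:
        print(f"{h['ts']} {h['client']} {h['qname']} -> {h['verdict']}")
    print("triage:", clients_to_triage(hits))
```

A `dga_like` hit on its own is only a lead; a client that produces both an exact IoC match and further hex-label queries across those TLDs is the one to pull for host forensics.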