DarkWatchman malware targets telecommunications, electronic, industrial sectors in Eastern Europe

IBM Security X-Force has identified a phishing email campaign by Hive0117, likely a financially motivated cybercriminal group, from February 2022, designed to deliver the fileless malware variant dubbed DarkWatchman. The campaign masquerades as official communications from the Russian Government’s Federal Bailiffs Service; the Russian-language emails are addressed to users in Lithuania, Estonia, and Russia in the telecommunications, electronic and industrial sectors. The activity predates, and is not believed to be associated with, the Russian-led invasion of Ukraine.

X-Force assesses that the targeting of telecommunication providers and their industry-adjacent suppliers may ultimately be intended to enable illegal access to their numerous distributed clients and end users. The phishing activity discovered by X-Force, tracked internally as Hive0117, aligns with research published in December 2021 detailing a similar phishing campaign designed to deliver a DarkWatchman payload by imitating a Russia-based freight and logistics company.

X-Force discovered multiple emails that were sent in mid-February 2022 to individual users, including a state-owned communication company based in Lithuania, a prominent industrial enterprise in Estonia, and several electronic and telecommunication businesses located in Russia. In some cases, the emails were targeting company owners, as well as individuals in leadership positions associated with dispatch services and sales. Targeted organizations could be of high value to criminal actors given the targets’ potential trusted access to a wide, and distributed client base.

“Given the elevated levels of threat activity associated with the ongoing regional crisis, the evidence may suggest that threat actors will leverage the current climate to conduct and obfuscate further activity,” IBM researchers wrote in a blog post.

DarkWatchman is a malicious Remote Access Trojan (RAT) based on JavaScript, using command and control (C2) mechanisms for fileless persistence, as well as other capabilities. Fileless malware uses legitimate tools, which means it is almost impossible to blocklist the tools used in a fileless attack. These legitimate tools ‘live-off-the-land’ as they are installed by default, and the attacker does not need to create or install any custom tools to use them. The tools are frequently used and trusted. It is not unusual to see the tools used in fileless malware running in an enterprise environment for a legitimate purpose.

The DarkWatchman malware analyzed by X-Force uses a domain generation algorithm (DGA) to generate a list of C2 domains with which the malware attempts to communicate, X-Force researchers said. The DGA requires a salt as input, stored in the configuration key b; the default salt d46ebd15 is used if the key is not set, they added.
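The following Python sketch is an added illustration, not code from the IBM report or from the malware itself, of why a salted DGA matters to defenders: once the salt and algorithm are recovered, the day's candidate domains can be precomputed and matched against DNS logs. The salt handling (configuration key b, default d46ebd15) follows the report; the hashing scheme, TLD list and log format are hypothetical assumptions made for this example.

```python
import hashlib
from datetime import date, timedelta

# Salt handling as described in the report: configuration key "b", else this default.
DEFAULT_SALT = "d46ebd15"
# Hypothetical TLD list for this illustration; the article does not give DarkWatchman's.
TLDS = ("com", "net", "org", "info")

def load_salt(config: dict) -> str:
    """Return the DGA salt from config key 'b', or the default when the key is absent."""
    return config.get("b", DEFAULT_SALT)

def generate_domains(salt: str, day_iso: str, count: int = 8) -> list:
    """Hypothetical salted DGA: hash salt, date and index; the digest picks label and TLD.
    The same salt and day always yield the same list, which is what makes precomputation possible."""
    domains = []
    for i in range(count):
        digest = hashlib.sha256(f"{salt}|{day_iso}|{i}".encode()).hexdigest()
        label = digest[:12]                        # 12 hex characters as the host label
        tld = TLDS[int(digest[-2:], 16) % len(TLDS)]
        domains.append(f"{label}.{tld}")
    return domains

def precompute_window(salt: str, start_iso: str, days: int) -> set:
    """Defender side: precompute every candidate over a window of days for blocklists or log matching."""
    start = date.fromisoformat(start_iso)
    candidates = set()
    for offset in range(days):
        day = (start + timedelta(days=offset)).isoformat()
        candidates.update(generate_domains(salt, day))
    return candidates

def match_dns_log(lines, candidates: set) -> list:
    """Return the log lines whose queried name is in the candidate set.
    Constructed line format for this example: '<timestamp> <client-ip> query <qname>'."""
    hits = []
    for line in lines:
        parts = line.split()
        if len(parts) >= 4 and parts[2] == "query":
            if parts[3].rstrip(".").lower() in candidates:
                hits.append(line)
    return hits

if __name__ == "__main__":
    salt = load_salt({})                           # no key "b" present: default salt applies
    window = precompute_window(salt, "2022-02-15", 3)
    # Constructed sample log: one benign query and one query for a generated domain.
    sample_log = [
        "2022-02-15T09:00:01 10.0.0.5 query www.example.com.",
        f"2022-02-15T09:00:07 10.0.0.5 query {generate_domains(salt, '2022-02-15')[0]}.",
    ]
    for hit in match_dns_log(sample_log, window):
        print("DGA candidate queried:", hit)
```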

X-Force assesses that the Hive0117 phishing campaigns are likely criminally motivated in nature given the target selection and focuses of current and previous activities. “Additionally, while the target list of the phishing campaign attributed to Hive0117 has regional associations with the Russian invasion of Ukraine, the activity predates the invasion, indicating it is separate from any politically charged associations that have spurred recent waves of criminal activity, such as the attack on a German subsidiary of a Russian state-affiliated energy company,” the researchers added.

“Nevertheless, given the evolving nature of criminal activity prompted by the conflict, language capability, target focus, and relative sophistication of the actor, it is likely Hive0117-related activity possesses an elevated threat to entities and enterprises based in-region,” the post added.

The phishing emails are crafted to appear to originate from the official address of the Federal Bailiffs Service in Russia, a federal law enforcement agency under the Russian Ministry of Justice; however, header examination revealed that some of the emails were received from shtampuy[.]ru (free.ds [185.64.76.158]), according to the X-Force researchers. 

“The majority of emails feature the return path address mail@r77[.]fssprus[.]ru, meant to imitate the organization’s authentic address https://r77.fssp.gov[.]ru. However, for unknown reasons, a single instance imitates a sender which seeks to pose as the head of a purported Russian investment company. The subjects of Hive0117 emails, including official notices, are eye-catching and are likely intended to compel the target to open the email and access the attachment,” they added.

The X-Force researchers said that the contents of the emails feature identical Russian-language text detailing several articles related to enforcement procedures associated with the Kuntsevsky District Court of Moscow, upheld by the ‘Bailiff of the Interdistrict Department of Bailiffs for the Execution of Decisions of the Tax Authorities.’ The only variation observed by X-Force within the emails is in the name and ‘case number’ associated with the individual email and accompanying malicious ZIP archive file attachment, they added.

In addition, X-Force discovered downloader files designed to deliver the DarkWatchman malware by contacting remote hosts and downloading files. “Upon execution, a self-extracting archive (SFX) installer drops two files: a JavaScript (JS) file and a file containing a series of hexadecimal characters. The JS file contains obfuscated code that functions as the backdoor, and the hexadecimal data contains encrypted data that, when decrypted, contains a block of base64-encoded PowerShell that executes a keylogger,” the researchers added.

The configuration contains a comment in Russian text, which translates to “The comment below contains SFX script commands” (;Расположенный ниже комментарий содержит команды SFX-сценария), indicating that the author of the malware is a Russian-language speaker, possibly based in, or originating from, a Russian-speaking territory.

“Given the fileless nature of the malware, coupled with a JavaScript and a keylogger written in C#, and the abilities to remove traces of its existence on the compromised system when instructed, X-Force assesses that malicious actor(s) behind Hive0117 activity are of moderate sophistication,” the researchers concluded.

Details of the DarkWatchman malware come around the same time as particulars of the INDUSTROYER.V2 malware variant, which contains more targeted functionality, were observed. Unlike the original INDUSTROYER, which was a framework that leveraged external modules to implement four different OT (operational technology) protocols, this variant is self-contained and only implements the IEC 60870-5-104 (IEC-104) communications protocol. IEC-104 is used for power system monitoring and control over TCP and is mainly implemented in Europe and the Middle East.

Last week, global security agencies issued a joint Cybersecurity Advisory (CSA) warning organizations that the Russian invasion of Ukraine could expose organizations both within and beyond the region to increased malicious cyber activity from Russian state-sponsored cyber hackers or Russian-aligned cybercrime groups.
