Cyber Web Spider Blog – News

Silent Watcher Attacking Windows Systems and Exfiltrating Data Using Discord Webhook

Posted on August 11, 2025 / August 12, 2025 By CWS

A sophisticated Visual Basic Script (VBS) malware dubbed “Silent Watcher” has emerged as a persistent threat targeting Windows systems, demonstrating advanced data exfiltration capabilities via Discord webhooks.

This stealer, part of the Cmimai malware family, represents a concerning evolution in information-stealing tactics that leverage legitimate communication platforms to bypass traditional security measures.

The malware operates through a carefully orchestrated multi-stage attack process, beginning with the execution of a VBS script that immediately establishes persistence on infected systems.

Upon initialization, Silent Watcher systematically gathers comprehensive system information through Windows Management Instrumentation (WMI) queries, collecting details about the operating system, user credentials, and computer specifications.

System Information Collection (Source – K7 Security Labs)

K7 Security Labs researchers identified this particular strain through its distinctive operational signature and unique webhook communication patterns.

What makes Silent Watcher particularly dangerous is its ability to remain undetected while continuously monitoring victim systems.

The malware creates multiple PowerShell scripts dynamically, including “vbs_ps_browser.ps1” for browser metadata extraction and “vbs_ps_diag.ps1” for screenshot capture functionality.

Operational Workflow (Source – K7 Security Labs)

These scripts are designed to bypass PowerShell execution policies and operate with minimal system impact.

The stealer’s exfiltration mechanism demonstrates sophisticated technical implementation, using both WinHttp.WinHttpRequest.5.1 and MSXML2.ServerXMLHTTP objects as fallback mechanisms.

This redundancy ensures reliable data transmission even in restricted network environments.

The malware formats stolen data as JSON payloads before transmitting them to Discord webhooks, making the traffic appear as legitimate communication.

Advanced Persistence and Evasion Mechanisms

Silent Watcher employs a particularly cunning persistence strategy through timed execution cycles.

After completing its initial data collection phase, the malware enters an infinite loop with precisely calculated one-hour intervals, as demonstrated in the code:

Dim oneHourMs: oneHourMs = 3600000
Do
    LogAction "Sleeping for 1 hour.."
    WScript.Sleep oneHourMs
    LogAction "Hourly interval: Attempting diagnostic report..."
    Call AttemptDiagnosticReportViaPS()
Loop

This timing mechanism allows the malware to continuously capture updated screenshots and system states without triggering immediate suspicion.

The stealer creates temporary files with randomized names in the system’s temporary folder, systematically cleaning up after each operation to minimize forensic traces.

vbs_reporter_log.txt (Source – K7 Security Labs)

All activities are meticulously logged in “vbs_reporter_log.txt”, providing attackers with detailed operational feedback while maintaining operational security through automated file cleanup procedures.
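The behaviours described above translate into three host-side hunting signals: the named artifact files, a Windows Script Host process resolving Discord, and PowerShell launched by a script host at roughly one-hour intervals. The following is an added example, not code from the article or from K7 Security Labs; the event schema, host names, file paths and the 120-second tolerance are assumptions, and the sample events are constructed.

```python
# Added example: triage endpoint telemetry for the behaviours named in the article.
# Event records are constructed; field names are a simplified, hypothetical schema.
from datetime import datetime
import ntpath

ARTIFACTS = {"vbs_ps_browser.ps1", "vbs_ps_diag.ps1", "vbs_reporter_log.txt"}  # from the article
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}   # Windows Script Host binaries that run VBS
DISCORD_HOSTS = {"discord.com", "discordapp.com"}

def base(path):
    """Lower-cased file name from a Windows path."""
    return ntpath.basename(path).lower()

def hunt(events, tolerance_s=120):
    findings, spawns = [], {}
    for e in events:
        img = base(e.get("image", ""))
        if e["type"] == "file_create" and base(e["target"]) in ARTIFACTS:
            findings.append((e["host"], "artifact_file", base(e["target"])))
        elif e["type"] == "dns_query" and img in SCRIPT_HOSTS \
                and e["query"].lower() in DISCORD_HOSTS:
            # A script host resolving Discord is unusual; a browser doing so is not.
            findings.append((e["host"], "script_host_to_discord", img))
        elif e["type"] == "process_create" and img == "powershell.exe" \
                and base(e["parent"]) in SCRIPT_HOSTS:
            spawns.setdefault(e["host"], []).append(datetime.fromisoformat(e["time"]))
    for host, times in spawns.items():
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        hourly = sum(1 for g in gaps if abs(g - 3600) <= tolerance_s)
        if hourly >= 2:  # at least three launches spaced about one hour apart
            findings.append((host, "hourly_powershell_from_script_host", hourly))
    return findings

WS = r"C:\Windows\System32\wscript.exe"
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE = [  # constructed events: WS01 shows the pattern, WS02 is benign noise
    {"host": "WS01", "type": "file_create", "image": WS, "target": r"C:\Users\a\AppData\Local\Temp\vbs_reporter_log.txt"},
    {"host": "WS01", "type": "dns_query", "image": WS, "query": "discord.com"},
    {"host": "WS01", "type": "process_create", "image": PS, "parent": WS, "time": "2025-08-11T10:00:05"},
    {"host": "WS01", "type": "process_create", "image": PS, "parent": WS, "time": "2025-08-11T11:00:09"},
    {"host": "WS01", "type": "process_create", "image": PS, "parent": WS, "time": "2025-08-11T12:00:14"},
    {"host": "WS02", "type": "dns_query", "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe", "query": "discord.com"},
    {"host": "WS02", "type": "process_create", "image": PS, "parent": WS, "time": "2025-08-11T09:30:00"},
]

if __name__ == "__main__":
    for finding in hunt(SAMPLE):
        print(finding)
```

Because the malware deletes its temporary files after each cycle, the file-name signal depends on file-creation telemetry rather than a later disk scan.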
