A sophisticated Visual Basic Script (VBS) malware dubbed “Silent Watcher” has emerged as a persistent threat targeting Windows systems, demonstrating advanced data exfiltration capabilities through Discord webhooks.
This stealer, part of the Cmimai malware family, represents a concerning evolution in information-stealing tactics that leverage legitimate communication platforms to bypass traditional security measures.
The malware operates through a carefully orchestrated multi-stage attack process, beginning with the execution of a VBS script that immediately establishes persistence on infected systems.
Upon initialization, Silent Watcher systematically gathers comprehensive system information through Windows Management Instrumentation (WMI) queries, collecting details about the operating system, user credentials, and computer specifications.
K7 Security Labs researchers identified this particular strain through its distinctive operational signature and unique webhook communication patterns.
What makes Silent Watcher particularly dangerous is its ability to remain undetected while continuously monitoring victim systems.
The malware creates multiple PowerShell scripts dynamically, including “vbs_ps_browser.ps1” for browser metadata extraction and “vbs_ps_diag.ps1” for screenshot capture functionality.
These scripts are designed to circumvent PowerShell execution policies and operate with minimal system impact.
The stealer’s exfiltration routine is built with redundancy: it sends data through a WinHttp.WinHttpRequest.5.1 object and falls back to MSXML2.ServerXMLHTTP if that fails.
This redundancy keeps data transmission reliable even in restricted network environments.
The malware formats stolen data as JSON payloads before posting them to Discord webhooks, so the traffic blends in with legitimate Discord communication.
Advanced Persistence and Evasion Mechanisms
Silent Watcher employs a particularly cunning persistence strategy through timed execution cycles.
After completing its initial data collection phase, the malware enters an endless loop with precisely calculated one-hour intervals, as shown in the following code:

```vbscript
Dim oneHourMs: oneHourMs = 3600000
Do
    LogAction "Sleeping for 1 hour.."
    WScript.Sleep oneHourMs
    LogAction "Hourly interval: Attempting diagnostic report..."
    Call AttemptDiagnosticReportViaPS()
Loop
```
This timing mechanism allows the malware to continuously capture updated screenshots and system states without triggering immediate suspicion.
The stealer creates temporary files with randomized names in the system’s temporary folder, systematically cleaning up after each operation to minimize forensic traces.
All activities are meticulously logged in “vbs_reporter_log.txt”, providing attackers with detailed operational feedback while maintaining operational security through automatic file cleanup procedures.
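As an added defender-side example (not code from the K7 write-up or from the malware), the following Python checks a simplified, assumed EDR event feed for the three behaviours described above: a script host writing the named .ps1 and log artefacts, a script host POSTing to a Discord webhook URL, and POSTs repeating at the one-hour cadence of the Do/Loop. The event schema (type, host, pid, proc, path, url, ts) and the sample events are constructed for the example.

```python
from collections import defaultdict
from datetime import datetime

# Artefact names and the script-host/webhook behaviour come from the write-up above;
# the event schema (type/host/pid/proc/path/url/ts) is an assumed, simplified EDR feed.
SCRIPT_ARTEFACTS = {"vbs_ps_browser.ps1", "vbs_ps_diag.ps1", "vbs_reporter_log.txt"}
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
WEBHOOK_MARKER = "/api/webhooks/"
HOUR_SECS, TOLERANCE_SECS = 3600, 120

def analyze(events):
    """Return (rule, detail) tuples for Silent Watcher style behaviour in an event list."""
    alerts = []
    posts = defaultdict(list)  # (host, pid) -> timestamps of webhook POSTs by a script host
    for ev in events:
        proc = ev["proc"].lower()
        if ev["type"] == "file_create" and proc in SCRIPT_HOSTS:
            name = ev["path"].replace("/", "\\").rsplit("\\", 1)[-1].lower()
            if name in SCRIPT_ARTEFACTS:
                alerts.append(("script_artefact", f"{proc} wrote {name}"))
        elif ev["type"] == "http" and proc in SCRIPT_HOSTS:
            if ev["method"] == "POST" and WEBHOOK_MARKER in ev["url"]:
                alerts.append(("webhook_post", f"{proc} POST {ev['url']}"))
                posts[(ev["host"], ev["pid"])].append(datetime.fromisoformat(ev["ts"]))
    # The Do/Loop sleeps 3600000 ms between reports, so flag three or more webhook
    # POSTs from one script-host process that are spaced about an hour apart.
    for (host, pid), stamps in posts.items():
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        if len(gaps) >= 2 and all(abs(g - HOUR_SECS) <= TOLERANCE_SECS for g in gaps):
            alerts.append(("hourly_beacon", f"{host} pid {pid}: {len(stamps)} POSTs ~1h apart"))
    return alerts

# Constructed sample events (not a real capture); the webhook id and token are placeholders.
TEMP = "C:\\Users\\victim\\AppData\\Local\\Temp\\"
HOOK = "https://discord.com/api/webhooks/<ID_PLACEHOLDER>/<TOKEN_PLACEHOLDER>"
SAMPLE_EVENTS = [
    {"ts": "2025-01-01T09:59:50", "type": "file_create", "host": "WS01", "pid": 4120,
     "proc": "wscript.exe", "path": TEMP + "vbs_ps_browser.ps1"},
    {"ts": "2025-01-01T09:59:51", "type": "file_create", "host": "WS01", "pid": 4120,
     "proc": "wscript.exe", "path": TEMP + "vbs_ps_diag.ps1"},
    {"ts": "2025-01-01T09:59:52", "type": "file_create", "host": "WS01", "pid": 4120,
     "proc": "wscript.exe", "path": TEMP + "vbs_reporter_log.txt"},
    {"ts": "2025-01-01T10:00:00", "type": "http", "host": "WS01", "pid": 4120,
     "proc": "wscript.exe", "method": "POST", "url": HOOK},
    {"ts": "2025-01-01T11:00:03", "type": "http", "host": "WS01", "pid": 4120,
     "proc": "wscript.exe", "method": "POST", "url": HOOK},
    {"ts": "2025-01-01T12:00:05", "type": "http", "host": "WS01", "pid": 4120,
     "proc": "wscript.exe", "method": "POST", "url": HOOK},
]
```

Running analyze(SAMPLE_EVENTS) yields three script_artefact alerts, three webhook_post alerts and one hourly_beacon alert; a browser talking to the Discord API produces none, because the rules key on the script host rather than the domain.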