New malware DarkWatchman uses Windows Registry to perform attacks

January 28, 2022

A recently discovered malware dubbed DarkWatchman uses the Windows Registry to carry out its attacks. According to the research, the new malware is a lightweight but capable JavaScript remote access trojan (RAT) paired with a C# keylogger.

A researchers' technical report describes it as a novel remote access trojan (RAT) distributed by an alleged Russian-speaking threat group that exclusively targets Russian-based firms.

Researchers first noticed DarkWatchman in the wild in November 2021, when its operators were seen spreading the malware through phishing emails carrying malicious ZIP attachments. Each ZIP contains an executable whose icon spoofs a text document.

The executable inside the ZIP is a self-installing WinRAR archive that installs the RAT and keylogger when run. If the user opens the file, it shows a deceptive popup reading “Unknown Format”, but by then the payloads have already been installed without the user's knowledge.

DarkWatchman is an elusive file-less remote access trojan that uses the Windows Registry.

The interesting aspect of DarkWatchman is its use of the Windows Registry as the storage mechanism for its keylogger. Instead of keeping the keylogger on disk, a scheduled task is created to launch the DarkWatchman RAT for every user who logs into Windows.

Once the RAT is launched, the DarkWatchman operators execute a PowerShell command that compiles the keylogger with the .NET csc.exe compiler and loads it straight into the device's memory. The Windows Registry serves as the hiding place for the encoded executable code and as the store for stolen data until it is exfiltrated to the C2.
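As an added defensive example, not taken from the report or from the malware: a Python scan of a `reg export` dump that flags registry values large and random-looking enough to be a stashed encoded payload or captured-keystroke buffer of the kind described above. The sample dump, its key names (`Contoso\...`) and the size/entropy thresholds are constructed assumptions.

```python
import base64
import hashlib
import math
import re
from collections import Counter

MIN_BYTES = 256    # ordinary config strings are far smaller than a stashed payload
MIN_ENTROPY = 4.5  # bits/symbol; base64 text and raw ciphertext sit well above this

def shannon_entropy(data):
    """Shannon entropy in bits per symbol over the bytes of `data`."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values()) if n else 0.0

def parse_reg_export(text):
    """Yield (key, value_name, raw_bytes) from a `reg export` style .reg dump."""
    key = None
    text = re.sub(r"\\\r?\n\s*", "", text)  # join hex continuation lines (trailing backslash)
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
        elif line.startswith('"') and "=" in line:
            name, _, data = line.partition("=")
            if data.startswith('"') and data.endswith('"'):
                raw = data[1:-1].encode()
            elif data.startswith("hex"):  # hex:, hex(2):, hex(7): ...
                raw = bytes.fromhex(data.split(":", 1)[1].replace(",", ""))
            else:
                continue  # dword: and friends are too small to hide anything
            yield key, name.strip('"'), raw

def find_suspicious_values(text, min_bytes=MIN_BYTES, min_entropy=MIN_ENTROPY):
    """Return [(key, name, size, entropy)] for values large and random-looking enough to be stashed data."""
    hits = []
    for key, name, raw in parse_reg_export(text):
        ent = shannon_entropy(raw)
        if len(raw) >= min_bytes and ent >= min_entropy:
            hits.append((key, name, len(raw), round(ent, 2)))
    return hits

# Constructed sample dump (hypothetical keys): an ordinary key plus one stashing a base64 blob and a wrapped hex buffer.
_blob = b"".join(hashlib.sha256(bytes([i])).digest() for i in range(20))  # 640 pseudo-random bytes
_hex = ",\\\r\n  ".join(",".join(f"{b:02x}" for b in _blob[i:i + 25]) for i in range(0, len(_blob), 25))
SAMPLE_REG = (
    "Windows Registry Editor Version 5.00\r\n\r\n[HKEY_CURRENT_USER\\Software\\Contoso\\App]\r\n"
    '"InstallPath"="C:\\\\Program Files\\\\Contoso"\r\n"Version"=dword:00000003\r\n\r\n'
    "[HKEY_CURRENT_USER\\Software\\Contoso\\Cache]\r\n"
    f'"Stage"="{base64.b64encode(_blob).decode()}"\r\n"Buffer"=hex:{_hex}\r\n'
)
```

Running `find_suspicious_values(SAMPLE_REG)` flags only the two values under the `Cache` key; on a real host, export the user hives with `reg export` and review each hit against the scheduled tasks that reference it.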

Researchers consider DarkWatchman a noticeably lightweight variant: its JavaScript RAT is only about 32 kilobytes, and the compiled keylogger takes just 8.5 kilobytes. This small footprint is made possible by a set of living-off-the-land scripts, libraries and binaries, along with evasive methods for moving data between modules.

Researchers also found that DarkWatchman has a range of capabilities: executing EXE files, loading DLL files, executing commands remotely, executing WSH commands, executing PowerShell commands, evaluating JavaScript, and remotely uninstalling the RAT and keylogger. It can also remotely update its C2 server and update the RAT itself, and it uses a domain generation algorithm (DGA) for command-and-control resiliency.

This new malware variant poses a fresh threat to its intended targets. Experts therefore advise staying mindful of all types of phishing scams, since attacks keep evolving every day.
