
DarkWatchman RAT Hides Data in Windows Registry to Evade Detection

A phishing website has been identified that imitates the download page of CryptoPro CSP, a widely used Russian cryptographic software product. Attackers are using the fake site to distribute the DarkWatchman RAT, a lightweight but highly capable remote access trojan that gives them remote control over infected machines.

DarkWatchman’s attack sequence

Cyble reported that the campaign primarily targets Russian users; the DarkWatchman RAT itself was first identified in 2021.
  • Visitors to the site are prompted to download a malicious archive named CSPSetup[.]rar. The page supplies the password needed to extract it. The password lends the download an air of legitimacy, and, because the archive is encrypted, mail and web gateways cannot inspect its contents.
  • Extracting the archive yields two files: CSPSetup[.]exe and readme[.]txt. The readme is written in Russian, which further suggests the operators are specifically targeting users in Russia.
  • CSPSetup[.]exe is a self-extracting (SFX) archive that drops the DarkWatchman RAT and, at the same time, kicks off a series of additional actions on the infected machine.

Post-infection activities

On execution, the DarkWatchman RAT drops a JavaScript file named 144039266 into the %temp% directory and launches it with two commands. The first uses PowerShell to add the C:\ drive as a Windows Defender exclusion path, so that Defender no longer scans anything on the volume, including the dropped files. The second uses Windows Script Host to run the JavaScript file 144039266.

CSPSetup[.]exe also drops a file named 291529489, an encrypted keylogger that captures keystrokes, clipboard contents, and smart card information. Rather than writing the captured data to disk, it stores it in the Windows registry, where file-based scanners will not look for it.
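The behaviours just described (a PowerShell-added Defender exclusion for a drive root, Windows Script Host launching a script out of %temp%, and stolen data written to the registry) are all visible in ordinary process-creation and registry telemetry. The following is an added detection example, not code from the Cyble report or from Cyware: it runs three rules over constructed Sysmon-style event records. The field names follow Sysmon's EventID 1 and EventID 13 schema, but every sample value (victim path, SID, registry key, blob) is invented, and the assumption that the registry write is performed by the script host process itself is ours; adjust that filter to what your own telemetry shows.

```python
"""Detection rules for the DarkWatchman post-infection chain described above.

Added example, not code from the Cyble report or from Cyware. It runs over
CONSTRUCTED Sysmon-style records: EventID 1 (process create) and EventID 13
(registry value set). Field names follow Sysmon's schema; all sample values
(victim paths, SID, registry key, blob) are invented for illustration.
"""
import re
from dataclasses import dataclass

# (Add|Set)-MpPreference with a drive-root -ExclusionPath such as C:\ stops
# Defender scanning the whole volume. Narrower exclusions are not flagged here.
ROOT_EXCLUSION = re.compile(
    r"(?:Add|Set)-MpPreference\b[^|;]*?-ExclusionPath\s+['\"]?([A-Za-z]:\\?)['\"]?(?=\s|$|;)",
    re.IGNORECASE,
)
SCRIPT_HOSTS = ("wscript.exe", "cscript.exe")
# Per-user and system temp directories, where the dropped JS file lands.
TEMP_DIR = re.compile(r"\\(?:Windows\\Temp|AppData\\Local\\Temp)\\", re.IGNORECASE)
# Registry paths as Sysmon reports them for a user's hive.
USER_HIVE = re.compile(r"^HKU\\[^\\]+\\Software\\", re.IGNORECASE)


@dataclass
class Event:
    event_id: int
    image: str                 # full path of the acting process
    command_line: str = ""     # EventID 1 only
    target_object: str = ""    # EventID 13: registry key\value written
    details: str = ""          # EventID 13: data written (string form)


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def detect(ev: Event) -> list[str]:
    """Return the alert tags raised by one event (empty list if nothing fires)."""
    alerts = []
    if ev.event_id == 1:
        m = ROOT_EXCLUSION.search(ev.command_line)
        if m:
            alerts.append(f"defender_root_exclusion:{m.group(1)}")
        # Script host launched with a script that lives in a temp directory.
        if basename(ev.image) in SCRIPT_HOSTS and TEMP_DIR.search(ev.command_line):
            alerts.append("script_host_from_temp")
    elif ev.event_id == 13:
        # Assumption: the logger writes its stash from inside the script host.
        # Adjust the process filter to whatever your telemetry actually shows.
        if basename(ev.image) in SCRIPT_HOSTS and USER_HIVE.match(ev.target_object):
            alerts.append(f"script_host_registry_write:{len(ev.details)}B")
    return alerts


def scan(events: list[Event]) -> list[tuple[int, str]]:
    """Run detect() over a batch; returns (event index, alert tag) pairs."""
    return [(i, tag) for i, ev in enumerate(events) for tag in detect(ev)]


PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
WSH = r"C:\Windows\System32\wscript.exe"

# Constructed sample telemetry: benign events interleaved with the chain.
SAMPLE_EVENTS = [
    Event(1, PS, r"powershell.exe -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Vendor'"),
    Event(1, PS, r"powershell.exe -Command Add-MpPreference -ExclusionPath 'C:\'"),
    Event(1, WSH, r'"C:\Windows\System32\wscript.exe" "C:\Users\victim\AppData\Local\Temp\144039266"'),
    Event(1, WSH, r'"C:\Windows\System32\wscript.exe" "C:\Scripts\logon.vbs"'),
    Event(13, WSH, target_object=r"HKU\S-1-5-21-1111-2222-3333-1001\Software\Example\blob",
          details="00" * 256),
    Event(13, r"C:\Windows\explorer.exe",
          target_object=r"HKU\S-1-5-21-1111-2222-3333-1001\Software\Microsoft\Windows\Shell",
          details="1"),
]

if __name__ == "__main__":
    for idx, tag in scan(SAMPLE_EVENTS):
        print(f"event {idx}: {tag}")
```

Two caveats for real deployments: the first rule only sees the cmdlet name when the command line is in clear text, so `-EncodedCommand` payloads must be base64-decoded before matching, and Defender's own operational log (event 5007, configuration changed) records exclusion changes regardless of how they were issued and is worth alerting on independently. The narrow exclusion in the first sample event is deliberately left unflagged to show the rule's scope; whether vendor-directory exclusions deserve their own alert is a local policy decision.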

Conclusion

Storing stolen data in the Windows registry rather than on disk lets the malware evade traditional file-based scanning, places it in the category of fileless malware, and points to a capable operator. Defenders should treat the behaviours described above as detection opportunities: changes to Windows Defender exclusion paths, especially drive-root exclusions; wscript.exe or cscript.exe launching scripts from %temp%; and script-host processes writing large or unusual values to the registry. Beyond that, organizations should deploy multi-layered controls such as firewalls, behaviour-based anti-malware, and endpoint detection and response.
Publisher: Cyware