A new RAT named DarkWatchman is reportedly employing sneaky fileless techniques in a spear-phishing campaign. Written in Russian, the malware uses evasion methods to avoid detection and analysis.

What has happened?

According to researchers, the malware uses a resilient domain generation algorithm (DGA) to identify its C2 infrastructure and uses Windows Registry to store its operations that bypass anti-malware engines.
  • One of the victims of this RAT is an unnamed organization in Russia. Additionally, multiple malware artifacts were uploaded to VirusTotal on November 12. 
  • The RAT uses novel methods for on-system activity, fileless persistence, and dynamic run-time capabilities such as self-updating and recompilation.
  • It uses a registry for almost all permanent and temporary storage and never writes anything to disk. This allows it to operate without being detected by most of the security tools.
  • The RAT could be a reconnaissance and initial access tool to be used by ransomware groups.

Infection Vector

  • DarkWatchman spreads using spear-phishing emails with free storage expiration notification for a consignment delivered by Russian shipment company Pony Express.
  • The emails come with an invoice as a ZIP archive loaded with a payload to infect Windows systems.

Additional insights

  • The RAT is both a C#-based keylogger and fileless JavaScript and very lightweight. 
  • It can load DLL files, execute arbitrary binaries, run PowerShell commands and JavaScript code, along with other actions.
  • The JavaScript routine allows persistence by creating a scheduled task that runs the trojan at every user logon.

Ending notes

Sophisticated malware like DarkWatchman are capable of dodging advanced security tools while lying low in infected systems and posing a bigger challenge to organizations. Therefore, keeping abreast with the recent development of threats using threat intelligence and automated tools could save your day.

Cyware Publisher