The DarkWatchman RAT uses the registry for nearly all temporary and permanent storage, it doesn’t write to disk evading most security tools.
The DarkWatchman has been distributed through phishing emails that use malicious ZIP archives (named ‘Накладная №12-6317-3621.zip’ (translated: Invoice #12-6317-3621)) containing an executable set to appear to be a text document.
The executable is a self-installing WinRAR archive that will install the RAT and keylogger.
The malware was used by Russian-speaking actors to target mainly Russian entities.
Upon initial execution, the malware first checks the Windows Registry to determine if DarkWatchman has already been installed. Then the user is shown a message that informs him that “Unknown Format” while installing the payloads in the background.
DarkWatchman uses the Windows Registry fileless storage mechanism for the keylogger, It creates a scheduled task is to use WScript to execute the malware at every user log on.
When the RAT is launched, it executes a PowerShell script which, in turn, compiles the keylogger (using CSC) and executes it.
“The keylogger itself does not communicate with the C2 or write to disk. Instead, it writes it’s keylog to a registry key that it uses as a buffer. During its operation, the RAT scrapes and clears this buffer before transmitting the logged keystrokes to the C2 server.” continues the analysis.
Once launched, DarkWatchmen will execute a PowerShell script that compiles the keylogger using the .NET CSC.exe command and launches it into memory.
“The keylogger itself does not communicate with the C2 or write to disk. Instead, it writes it’s keylog to a registry key that it uses as a buffer. During its operation, the RAT scrapes and clears this buffer before transmitting the logged keystrokes to the C2 server.” states the report.
The malware also stores data to exfiltrate to the registry until it’s transferred to the C2.
DarkWatchman supports the following functionalities:
- Execute EXE files (with or without the output returned)
- Load DLL files
- Execute commands on the command line
- Execute WSH commands
- Execute miscellaneous commands via WMI
- Execute PowerShell commands
- Upload files to the C2 server from the victim machine
- Remotely stop and uninstall the RAT and Keylogger
- Remotely update the C2 server address or call-home timeout
According to the researcher, DarkWatchman was likely developed to support the operations of RaaS affiliates.
(SecurityAffairs – hacking, malware)