Initially spread through phishing campaigns, DarkWatchman contains a RAT and a keylogger. This is because it’s so lightweight and stealthy, say researchers. The DarkWatchman uses Windows registry’s file-less storage and does all its operations covertly to avoid detection.
New RAT in Wild
Prevailion researchers detailed a newly found RAT named DarkWatchman, whose initial footprints were seen among Russian-speaking hackers. Since November, this has been widely distributed in the underground forums and is so lightweight and stealthy, say researchers. As per their report, the DarkWatchman is initially spread through phishing emails containing a ZIP file with a text document icon. While this is to impersonate, the ZIP file actually is an executable of WinRAR archive that can self-install the said RAT and a keylogger. Also Read- Sennheiser Data Leak If an unsuspecting user opens the file, it shows a decoy message popup as “Unknown Format” while installing the payload in the background. Once in, the RAT creates a scheduled task in the Windows Registry to run every time the victim enters the Windows machine. This makes it go stealthy, as it’s not installing itself in the local storage. However, while being stealthy, the DarkWatchman RAT is lightweight too. It weighs 32KB, with the complied version weighing just an 8.5KB storage. Aside from remote accessing capabilities, the DarkWatchman also comes with a C# keylogger. And if performs its duty in a great way. After capturing the keystrokes (data), the keylogger doesn’t directly communicate with the hacker’s C2. Instead, it used the Windows Registry’s file-less storage mechanism for temporarily storing and passing the stolen data. Also, the makers of DarkWatchman are found using DGA (domain generation algorithms) with a seeded list of 10 items for generating up to 500 domains daily, making it harder for red hats to track them. Researchers said this RAT is tailored for ransomware groups, relying less on middlemen like affiliates for initial access.