The DarkWatchman Malware Was Found Hidden in Windows Registry
DarkWatchman was first spotted in early November, when the threat actor began distributing the malware via phishing emails carrying malicious ZIP attachments. Each ZIP contains an executable that poses as a text document by using a text-file icon; the executable is a self-installing WinRAR archive (a self-extracting executable) that drops the RAT and the keylogger.
How Does It Work?
When the file is opened, the user sees a fake pop-up message that reads “Unknown Format”.
As explained by BleepingComputer, the malware makes use of a large number of "living off the land" binaries, scripts, and libraries, as well as covert techniques for passing data between its modules.
The usage of the Windows Registry fileless storage method for the keylogger is an intriguing component of DarkWatchman.
Rather than saving the keylogger to disk, the malware creates a scheduled task that launches the DarkWatchman RAT every time the user logs into Windows.
When DarkWatchman launches, it runs a PowerShell script that compiles the keylogger with the .NET C# compiler (csc.exe) and executes the result in memory.
The keylogger is distributed as obfuscated C# source code that is stored in the registry as a Base64-encoded PowerShell command. When the RAT is launched, it executes this PowerShell script, which in turn compiles the keylogger (using csc.exe) and runs it, so no compiled keylogger binary ever touches the disk.
The keylogger itself neither communicates with the C2 nor writes to disk. Instead, it writes captured keystrokes to a registry key that it uses as a buffer. During operation, the RAT periodically reads and clears this buffer and transmits the logged keystrokes to the C2 server.
As a result, the registry is used not only to hide the encoded executable code but also as temporary storage for stolen data until it is exfiltrated to the C2.
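One practical way to hunt for the storage technique described above is to scan a registry export for string values that hold long Base64 blobs and decode them to see whether they contain script or in-memory compilation markers (csc.exe, Add-Type, FromBase64String). The following is an added example, not code from the original article or from the DarkWatchman analysis; the marker list, the registry path and the encoded PowerShell fragment are all constructed for the demonstration and are not indicators from the report.

```python
import base64
import re

# Strings whose presence in a decoded registry value suggests a script that compiles
# or loads code in memory. Assumed for this example, not an indicator set from the report.
SUSPICIOUS_MARKERS = (
    "csc.exe", "Add-Type", "CompileAssemblyFromSource", "System.Reflection",
    "using System", "Invoke-Expression", "FromBase64String",
)

# Constructed sample: a PowerShell loader fragment of the general kind described above,
# stored as UTF-16LE Base64 (the encoding PowerShell's -EncodedCommand expects).
_FAKE_LOADER = (
    '$cs = "$env:windir\\Microsoft.NET\\Framework\\v4.0.30319\\csc.exe"; '
    '$src = [Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($b64)); '
    'Add-Type -TypeDefinition $src'
)
_FAKE_BLOB = base64.b64encode(_FAKE_LOADER.encode("utf-16-le")).decode("ascii")

# Constructed .reg export in the format written by `reg export <key> out.reg`.
# The "Expand" value is REG_EXPAND_SZ ("%SystemRoot%") split across a continuation line.
SAMPLE_REG = f"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\\Software\\ExampleVendor\\Settings]
"Note"="plain configuration string, nothing to see here"
"Blob"="{_FAKE_BLOB}"
"Expand"=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,00,74,00,\\
  25,00,00,00
"""

_VALUE_LINE = re.compile(r'^(?:"((?:[^"\\]|\\.)*)"|@)=(.*)$')
_B64_RUN = re.compile(r"[A-Za-z0-9+/]{120,}={0,2}")


def parse_reg_export(text):
    """Return (key, value_name, data) tuples for REG_SZ and hex-encoded values.
    hex(2)/hex(7) (REG_EXPAND_SZ / REG_MULTI_SZ) are UTF-16LE and are decoded to str;
    other hex kinds are returned as bytes."""
    values, key, lines, i = [], None, text.splitlines(), 0
    while i < len(lines):
        line = lines[i].strip()
        i += 1
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            continue
        match = _VALUE_LINE.match(line)
        if not match or key is None:
            continue
        name = match.group(1) if match.group(1) is not None else "(Default)"
        data = match.group(2)
        while data.endswith("\\") and i < len(lines):  # hex data continues on next line
            data = data[:-1] + lines[i].strip()
            i += 1
        if data.startswith('"') and data.endswith('"'):
            values.append((key, name, data[1:-1].replace('\\"', '"').replace("\\\\", "\\")))
        elif data.startswith("hex"):
            kind, _, body = data.partition(":")
            raw = bytes(int(b, 16) for b in body.split(",") if b)
            if kind in ("hex(2)", "hex(7)"):
                values.append((key, name, raw.decode("utf-16-le", "ignore").rstrip("\x00")))
            else:
                values.append((key, name, raw))
    return values


def decode_base64_runs(text):
    """Yield the decoded text of every long Base64 run in `text` that decodes cleanly."""
    for match in _B64_RUN.finditer(text):
        token = match.group(0)
        token += "=" * (-len(token) % 4)
        try:
            raw = base64.b64decode(token, validate=True)
        except ValueError:
            continue
        # -EncodedCommand blobs are UTF-16LE; embedded C# source is usually UTF-8.
        for encoding in ("utf-16-le", "utf-8"):
            try:
                yield raw.decode(encoding)
            except UnicodeDecodeError:
                continue


def find_encoded_payloads(reg_text):
    """Return one hit per registry value whose decoded Base64 contains a marker."""
    hits = []
    for key, name, data in parse_reg_export(reg_text):
        if isinstance(data, bytes):
            data = data.decode("latin-1")  # scan REG_BINARY as raw text as well
        for decoded in decode_base64_runs(data):
            found = [m for m in SUSPICIOUS_MARKERS if m.lower() in decoded.lower()]
            if found:
                hits.append({"key": key, "value": name, "markers": found,
                             "preview": decoded[:60]})
                break
    return hits


def scan_file(path):
    """`reg export` writes UTF-16 with a BOM; open accordingly."""
    with open(path, encoding="utf-16") as fh:
        return find_encoded_payloads(fh.read())


if __name__ == "__main__":
    for hit in find_encoded_payloads(SAMPLE_REG):
        print(f"{hit['key']}\\{hit['value']}: {hit['markers']} :: {hit['preview']!r}")
```

On a live host, export the hives you care about (for example `reg export HKCU out.reg` for the user that owns the scheduled task) and pass the file to `scan_file`. The keylog buffer itself is harder to spot statically, since it holds plain keystrokes rather than a script; watching for a registry value that is repeatedly written and then emptied by a PowerShell process is the behavioural complement to this scan.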
In terms of C2 communication and infrastructure, the DarkWatchman operators generate up to 500 domains per day with a domain generation algorithm (DGA) driven by a seeded list of ten items.
This gives them considerable operational resilience, since takedowns of individual domains have little effect, and makes monitoring and analysis of the C2 traffic difficult.
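To show why a seeded, date-driven DGA is resilient and what a defender can do about it once the seeds are recovered, here is an added, illustrative example. It is not DarkWatchman's algorithm: the page does not publish the real seeds, hash or domain format, and the seed list, TLD set, SHA-256 derivation and label length below are assumptions made for the demonstration.

```python
import datetime
import hashlib

# Constructed seed list and TLD set for illustration only (assumed, not the real ones).
SEEDS = ["alpha", "bravo", "charlie", "delta", "echo",
         "foxtrot", "golf", "hotel", "india", "juliet"]
TLDS = ("com", "net", "org")


def generate_domains(day, count=500, seeds=SEEDS):
    """Derive `count` domains for `day` from the seed list.

    Each domain depends on (seed, date, index), so the whole set rotates daily and
    the malware only needs the seeds and the clock to find its C2. The seeds are the
    only secret: anyone holding them can enumerate the same set."""
    domains = []
    for i in range(count):
        seed = seeds[i % len(seeds)]
        digest = hashlib.sha256(f"{seed}|{day:%Y-%m-%d}|{i}".encode()).digest()
        label = "".join(chr(ord("a") + b % 26) for b in digest[:12])
        domains.append(f"{label}.{TLDS[i % len(TLDS)]}")
    return domains


def precompute_blocklist(seeds, start, days_ahead=3, count=500):
    """Defender side: with recovered seeds, enumerate every domain the sample can use
    from `start` for the next `days_ahead` days so they can be blocked or sinkholed
    before they are ever registered or resolved."""
    block = set()
    for offset in range(days_ahead):
        day = start + datetime.timedelta(days=offset)
        block.update(generate_domains(day, count, seeds))
    return block


def is_dga_domain(domain, blocklist):
    """Check a queried name (as seen in DNS logs) against the precomputed set."""
    return domain.lower().rstrip(".") in blocklist


if __name__ == "__main__":
    today = datetime.date.today()
    blocklist = precompute_blocklist(SEEDS, today)
    print(f"{len(blocklist)} domains precomputed for the next 3 days")
    print("first five for today:", generate_domains(today, 5))
```

Without the seeds, the 500 daily domains look like random 12-letter labels and a reactive blocklist is always a day behind; with them, the defender can precompute and block the entire set in advance, which is exactly why recovering the seed list from a sample is worth the reversing effort.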
How Can Heimdal™ Help You?
Heimdal™ is always updated and keeps pace with the latest cybersecurity trends, a quality that its products illustrate too. Our award-winning Threat Prevention Endpoint solution uses machine learning, cybercrime intelligence, and artificial intelligence capabilities to help you prevent future threats on your endpoints with 96% accuracy, and its threat hunting capabilities ensure that malicious URLs, processes, and attackers' origins are no longer anonymous.
Alongside our Threat Prevention Endpoint solution, the Next-Gen Antivirus can help you supervise your mobile device fleet from anywhere in the world and from any Windows-compatible machine, as it allows you to remotely wipe or lock stolen devices and accurately pinpoint the location of misplaced smartphones. No more misplaced assets.