DarkWatchman was initially spotted in early November when the threat actor started distributing the malware via phishing emails with malicious ZIP files; the ZIP files have included an executable file that pretends to be a text document by utilizing an icon. This application is a WinRAR archive that will self-install the RAT and keylogger.

How Does It Work?

When the file is opened, the user sees a fake pop-up message that reads “Unknown Format”.

At this time the payloads have already been deployed in the DarkWatchman as this malware is extremely light, having the JavaScript RAT weighing just 32kb with the compiled version taking up only 8.5kb of space.

As explained by BleepingComputer, the malware makes use of a huge number of “living off the land” binaries, scripts, and libraries, as well as covert techniques for data transmission between modules.

The usage of the Windows Registry fileless storage method for the keylogger is an intriguing component of DarkWatchman.

Rather than saving the keylogger on disk, a scheduled task is built that launches the DarkWatchman RAT every time the user logs into Windows.

When DarkWatchmen is launched, it will run a PowerShell script that compiles the keylogger using the.NET CSC.exe command and runs it into memory.

The keylogger is distributed as obfuscated C# source code that is processed and stored in the registry as a Base64-encoded PowerShell command. When the RAT is launched, it executes this PowerShell script which, in turn, compiles the keylogger (using CSC) and executes it.

The keylogger itself does not communicate with the C2, nor does it write to disk. Instead, it is writing its keylog to a registry key that it is using as a buffer. During its operation, the RAT scrapes and clears this buffer before transmitting the logged keystrokes to the C2 server.


As a result, the registry is employed not only to disguise the encoded executable code but also as a temporary storage area for stolen data until it is exfiltrated to the C2.

In terms of C2 communication and infrastructure, the DarkWatchman players produce up to 500 domains each day using DGA (domain generating algorithms) and a seeded list of ten things.

This provides them with exceptional operational resilience while also making communication monitoring and analysis difficult.

According to the researchers, DarkWatchman is capable of most basic RAT functionality, like executing EXE files (with or without the output returned), loading DLL files, executing commands on the command line, executing WSH commands, executing miscellaneous commands via WMI, executing PowerShell commands, evaluating JavaScript, uploading files to the C2 server from the victim machine, remotely stoping and uninstalling the RAT and Keylogger, remotely updating the C2 server address or call-home timeout.

How Can Heimdal™ Help You?

Heimdal™ is always updated and keeps pace with the latest cybersecurity trends, a quality that perfectly illustrates its products too. Our awarded Threat Prevention Endpoint solution uses Machine Learning, cybercrime intelligence, and artificial intelligence capabilities to help you prevent future threats with 96 % accuracy on your endpoints, a very efficient threat hunting solution that makes malicious URLs, processes, and attacker’s origins no longer anonymous.

Alongside our Threat Prevention Endpoint solution, the Next-Gen Antivirus can help you supervise your mobile device fleet from anywhere in the world and from any Windows-compatible machine, as it allows you to remote-wipe or lock all stolen devices and accurately pinpoint the location of your misplaced smartphones. No more misplaced assets.

Did you enjoy this article? Follow us on LinkedInTwitterFacebookYoutube, or Instagram to keep up to date with everything we post!

Case Study: How Can Heimdal™’s Next-Gen Antivirus Help You Stay Safe?

What is a Remote Access Trojan (RAT)?

Security Alert: New Spam Campaign Delivers Flawed Ammyy RAT to Infect Victims’ Computers

Leave a Reply

Your email address will not be published. Required fields are marked *