
New DarkWatchman Malware Strain Detected in the Windows Registry


December 20, 2021


Last week, security researchers detected a new strain of malware called ‘DarkWatchman’ surreptitiously hiding in the Windows Registry.

This newly discovered malicious component is a fusion between a JavaScript RAT (Remote Access Trojan) and a C# keylogger. It has a relatively light frame, but DarkWatchman’s destructive potential is not to be taken lightly.

Despite it being a versatile attack vector, the RAT seems to have locked its crosshairs on Russian organizations, according to a technical report.

DarkWatchman was first noticed in early November when perpetrators started to deploy it through phishing emails laced with malicious archived attachments.

Reportedly, the attachments comprise an executable disguised as a text document. The executable is actually a self-extracting WinRAR file that will inject a keylogger and a RAT onto the unsuspecting user’s system.

Upon accessing the decoy text document, users receive an “Unknown Format” error message. In the background, meanwhile, the executable silently deploys the malicious payloads onto the targeted system.

DarkWatchman is lightweight, file-less malware: the JavaScript Remote Access Trojan takes up only 32 kB, while its compiled version measures just 8.5 kB.

Instead of storing the keylogger on disk, the malware relies on the Windows Registry as its storage mechanism, and it creates a scheduled task to execute the RAT each time the user logs into Windows. The malicious component was also seen using a plethora of “living off the land” libraries, scripts, and binaries while performing covert data transfers between modules.

Launching the DarkWatchman malware triggers the execution of a PowerShell script, which uses the .NET C# compiler, CSC.exe, to compile the keylogger and launch it into memory.

The malware thus uses the registry not only to hide the encoded code of the executable but also as a temporary location to dump harvested data before it’s leaked to the perpetrator.
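For defenders, the two behaviours described above (a logon-triggered scheduled task that starts the RAT, and PowerShell invoking CSC.exe) can be hunted in telemetry. The sketch below is an added example, not code from the report or the original article; the `image`/`parent_image` field names, the `SCRIPT_HOSTS` list and all sample data are assumptions constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Task Scheduler XML namespace used by exported/audited task definitions.
NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}
# Assumption: interpreters worth flagging when a logon task starts them.
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "powershell.exe", "mshta.exe"}


def basename(path):
    """Lower-cased file name of a Windows path, quotes stripped."""
    return path.strip('"').replace("/", "\\").rsplit("\\", 1)[-1].lower()


def logon_task_runs_script(task_xml):
    """True if the task has a logon trigger and executes a script host."""
    root = ET.fromstring(task_xml)
    if root.find("t:Triggers/t:LogonTrigger", NS) is None:
        return False
    commands = root.findall("t:Actions/t:Exec/t:Command", NS)
    return any(basename(c.text or "") in SCRIPT_HOSTS for c in commands)


def powershell_spawned_csc(events):
    """Return process events where csc.exe was started by PowerShell."""
    return [e for e in events
            if basename(e["image"]) == "csc.exe"
            and basename(e["parent_image"]) in {"powershell.exe", "pwsh.exe"}]


# Constructed sample data (hypothetical, not taken from any real incident).
SAMPLE_TASK = """<Task xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers><LogonTrigger><Enabled>true</Enabled></LogonTrigger></Triggers>
  <Actions><Exec>
    <Command>C:\\Windows\\System32\\wscript.exe</Command>
    <Arguments>"C:\\Users\\Public\\example.js"</Arguments>
  </Exec></Actions>
</Task>"""

SAMPLE_EVENTS = [
    {"image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe",
     "parent_image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
    {"image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe",
     "parent_image": r"C:\Program Files\Microsoft Visual Studio\MSBuild.exe"},
]

if __name__ == "__main__":
    print("suspicious logon task:", logon_task_runs_script(SAMPLE_TASK))
    for hit in powershell_spawned_csc(SAMPLE_EVENTS):
        print("csc.exe launched by PowerShell:", hit["parent_image"])
```

Both checks are heuristics: legitimate build tooling and admin scripts can match, so hits should be triaged against a baseline rather than treated as confirmed infections.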

It’s also worth mentioning that the DarkWatchman actors rely on a DGA (Domain Generation Algorithm) combined with a seeded list of 10 items to generate up to 500 domains on a daily basis. That makes the malware more resilient and its communication harder to analyze and monitor.




Vlad's love for technology and writing created rich soil for his interest in cybersecurity to sprout into a full-on passion. Before becoming a Security Analyst, he covered tech and security topics.
