DarkWatchman Malware

DarkWatchman Malware Description

DarkWatchman is a new remote access Trojan (RAT) written in JavaScript and spread through an aggressive social engineering campaign. The malware relies on “fileless” techniques to evade detection and analysis: it uses a resilient Domain Generation Algorithm (DGA) to locate its Command-and-Control infrastructure, and it keeps nearly all of its temporary and permanent data in the Windows Registry, which lets it slip past most anti-malware solutions. Because DarkWatchman does not write anything to the infected computer’s disk, many security scanners never see it.

In addition to the JavaScript RAT component, the malware also carries a C#-based keylogger. The keylogger is stored in the Registry to avoid detection, and both components are extremely lightweight. Once installed, DarkWatchman can perform a broad range of operations, such as running arbitrary binaries, loading DLL files, and executing JavaScript code and PowerShell commands. It can even uninstall the RAT and keylogger from the compromised machine whenever necessary.
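Because both the RAT and the keylogger live in the Registry rather than on disk, a responder's first question is usually "which registry values are too big, or too script-like, to be legitimate configuration?" The following PowerShell hunt is an added example written for this description, not code from the original page or from any analysis of DarkWatchman: it walks the Software hives and reports values that exceed a size threshold or contain script-like markers. The hive list, the 8 KB threshold and the marker pattern are assumptions to tune for your environment, and the output is a triage list to review by hand, not a verdict.

```powershell
# Added example (not from the original description): generic hunt for registry-resident payloads.
# Flags values that are unusually large or that contain script-like text. Hives, threshold and
# marker pattern are assumptions; adjust them to your baseline before relying on the results.
function Find-RegistryResidentPayload {
    [CmdletBinding()]
    param(
        [string[]]$Hive = @('HKCU:\Software', 'HKLM:\Software'),
        [int]$MinSizeBytes = 8KB,
        [string]$MarkerPattern = 'function\s*\(|WScript\.|ActiveXObject|eval\s*\(|FromBase64String|Invoke-Expression|powershell'
    )

    foreach ($root in $Hive) {
        # Get-ChildItem on a registry path yields RegistryKey objects; keys we cannot read are skipped.
        Get-ChildItem -Path $root -Recurse -ErrorAction SilentlyContinue | ForEach-Object {
            $key = $_
            foreach ($name in $key.GetValueNames()) {
                try {
                    $kind  = $key.GetValueKind($name)
                    $value = $key.GetValue($name)
                } catch { continue }

                # Normalise every value to text plus a byte length so strings and binary blobs are judged alike.
                switch ($kind) {
                    'Binary'      { $text = [Text.Encoding]::ASCII.GetString($value); $size = $value.Length }
                    'MultiString' { $text = $value -join "`n"; $size = [Text.Encoding]::Unicode.GetByteCount($text) }
                    default       { $text = [string]$value; $size = [Text.Encoding]::Unicode.GetByteCount($text) }
                }

                $matchedMarker = if ($text -match $MarkerPattern) { $Matches[0] } else { $null }
                if ($size -ge $MinSizeBytes -or $matchedMarker) {
                    [pscustomobject]@{
                        Key    = $key.Name
                        Value  = $name
                        Kind   = $kind
                        Bytes  = $size
                        Marker = $matchedMarker
                    }
                }
            }
        }
    }
}

# Usage: list suspicious values, largest first. Expect some benign hits (installer caches, large
# configuration blobs); the point is to surface outliers for manual review and baselining.
Find-RegistryResidentPayload | Sort-Object Bytes -Descending | Format-Table -AutoSize
```

Run it under an account that can read HKLM for full coverage; restricting the hunt to HKCU is enough to see what a standard user's session could have planted. A second pass with the threshold lowered and a marker list tuned to the scripting engines present on the host (WScript, PowerShell) gives a reasonable baseline to diff future scans against.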

DarkWatchman is distributed through spam emails disguised as a “Free storage expiration notification” from a Russian shipment company. A purported invoice in the form of a ZIP archive is attached to the emails, and that attachment carries the harmful payload that then infects the system. Once installed, the RAT provides a gateway for additional infections and can even serve as a prelude to ransomware deployment.

The creator of DarkWatchman remains unknown so far. Yet there are clues that the threat actor behind it is not a native English speaker (typographical errors, victims located in Russia, and so on). One of the known victims is a large organization based in Russia.