There’s a new malware strain you should make sure your IT staff is aware of. Called the Dark Watchman, it is a well-designed and highly capable RAT (Remote Access Trojan) paired with a keylogger written in C#.
First discovered by researchers at Prevailion, this piece of malware likes to lurk in the Windows Registry and is used mainly by Russian-speaking threat actors for the purpose of (mostly) targeting Russian organizations. That’s good news for the rest of us, but if you are based in Russia or do business with Russian firms, then this one should be of concern.
The malware strain was first spotted in the wild in early November of this year (2021), when the threat actor behind the code began distributing it via phishing emails that contained a poisoned ZIP file. The ZIP, of course, contained an executable disguised as a text document.
If it is opened, the victim gets a decoy popup message that reads “Unknown Format”, but in reality, by the time the victim sees the message, the malicious payload has already been installed in the background.
The malware itself is extremely lightweight, measuring just 32kb in size. It is compiled in such a way that it only takes up 8.5kb of space. It does, however, incorporate code that allows it to “live off the land,” so to speak: it borrows what it needs from other binaries, scripts and libraries on the target computer. It uses the Windows Registry as a “fileless storage mechanism” for the keylogger.
In its current form, the Dark Watchman can perform the following operations:
Execute EXE files (with or without the output returned)
Load DLL files
Execute commands on the command line
Execute WSH commands
Execute miscellaneous commands via WMI
Execute PowerShell commands
Evaluate JavaScript
Upload files to the C2 server from the victim machine
Remotely stop and uninstall the RAT and Keylogger
Remotely update the C2 server address or call-home timeout
Update the RAT and Keylogger remotely
Set an autostart JavaScript to run on RAT startup
Use a Domain Generation Algorithm (DGA) for C2 resiliency
Delete shadow copies using vssadmin.exe, if the user has admin permissions
All that is to say, it can do quite a lot of damage if its controllers want it to. Be on the alert.
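Of the operations listed above, the vssadmin.exe shadow-copy deletion leaves a clear process-creation trace that defenders can alert on. The following added example (not from the original article or from Prevailion) flags that command in process-creation events and rates it higher when the parent is a script host, WMI, cmd or PowerShell. The sample events are constructed, the field names follow Sysmon Event ID 1, and the severity rule and the ExampleBackup path are assumptions.

```python
import json
import ntpath

# Parents matching the execution paths the article lists (WSH, command line,
# WMI, PowerShell). Rating these "high" is an assumption of this example.
SCRIPT_PARENTS = {"wscript.exe", "cscript.exe", "cmd.exe",
                  "powershell.exe", "wmiprvse.exe"}

# Constructed sample events, one JSON object per line, Sysmon Event ID 1 fields.
SAMPLE_EVENTS = r'''
{"Image":"C:\\Windows\\System32\\vssadmin.exe","CommandLine":"vssadmin.exe Delete Shadows /All /Quiet","ParentImage":"C:\\Windows\\System32\\wscript.exe"}
{"Image":"C:\\Windows\\System32\\vssadmin.exe","CommandLine":"vssadmin list shadows","ParentImage":"C:\\Windows\\System32\\cmd.exe"}
{"Image":"C:\\WINDOWS\\system32\\VSSADMIN.EXE","CommandLine":"\"C:\\WINDOWS\\system32\\VSSADMIN.EXE\"  delete   shadows /for=C: /all","ParentImage":"C:\\Program Files\\ExampleBackup\\agent.exe"}
{"Image":"C:\\Windows\\System32\\vssadmin.exe","CommandLine":"vssadmin del
{"Image":"C:\\Windows\\System32\\notepad.exe","CommandLine":"notepad vssadmin delete shadows.txt","ParentImage":"C:\\Windows\\explorer.exe"}
'''


def exe_name(path):
    """Lower-cased file name of a Windows path, tolerating surrounding quotes."""
    return ntpath.basename(path.strip().strip('"')).lower()


def is_shadow_delete(event):
    """True when the event is vssadmin being asked to delete shadow copies."""
    if exe_name(event.get("Image", "")) not in ("vssadmin.exe", "vssadmin"):
        return False
    # Normalise case, quotes and repeated whitespace before checking arguments.
    args = event.get("CommandLine", "").lower().replace('"', " ").split()
    return "delete" in args and "shadows" in args


def triage(log_text):
    """Return (line_number, severity, parent_name) for each suspicious event."""
    findings = []
    for number, line in enumerate(log_text.strip().splitlines(), 1):
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue  # truncated or malformed record: skip, do not crash
        if not isinstance(event, dict) or not is_shadow_delete(event):
            continue
        parent = exe_name(event.get("ParentImage", ""))
        findings.append((number, "high" if parent in SCRIPT_PARENTS else "medium", parent))
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_EVENTS):
        print(finding)
```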