
‘DarkWatchman’ RAT Shows Evolution in Fileless Malware
2021-12-16 13:45

A novel remote access trojan being distributed via a Russian-language spear-phishing campaign uses unusual manipulation of the Windows Registry to evade most security detections, demonstrating a significant evolution in fileless malware techniques.

Dubbed DarkWatchman, the RAT - discovered by researchers at Prevailion's Adversarial Counterintelligence Team - uses the Windows Registry for nearly all of its temporary storage on an infected machine and thus never writes anything to disk.

In addition to its fileless persistence, DarkWatchman also uses a "Robust" Domain Generation Algorithm to identify its command-and-control infrastructure and includes dynamic run-time capabilities like self-updating and recompilation, researchers observed.

"The storage of the binary in the registry as encoded text means that DarkWatchman is persistent yet its executable is never written to disk; it also means that DarkWatchman's operators can update the malware every time it's executed," they observed.
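The detection angle that follows from the quote above is that an executable kept in the registry as encoded text leaves a large, high-entropy string value where legitimate autorun entries hold short command lines. The script below is an added example written for this page, not Prevailion's tooling or anything from the DarkWatchman report: it parses a Windows `.reg` export (a constructed sample is embedded, with a benign autorun entry beside an oversized base64 blob) and flags values whose size and character distribution look like an encoded payload, noting whether they sit under a Run-style key. The size and entropy thresholds are assumptions to tune per environment.

```python
import base64
import math
import re
from dataclasses import dataclass
from typing import List

# Substrings (lower-cased) that mark persistence keys; an assumption for this example,
# covering Run, RunOnce, RunOnceEx and RunServices under CurrentVersion.
AUTORUN_KEY_MARKERS = (r"\currentversion\run",)

BASE64_CHARS = re.compile(r"^[A-Za-z0-9+/=]+$")
VALUE_LINE = re.compile(r'^"(?P<name>(?:[^"\\]|\\.)*)"=(?P<val>.*)$')
HEX_VALUE = re.compile(r"^hex(?:\([0-9a-f]+\))?:(.*)$", re.I)


@dataclass
class Finding:
    key: str
    name: str
    length: int
    entropy: float
    autorun: bool


def shannon_entropy(s: str) -> float:
    """Bits per character; base64 of arbitrary data sits near 6, English text near 4."""
    if not s:
        return 0.0
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def _join_continuations(text: str) -> List[str]:
    """Merge .reg hex values that wrap onto following lines with a trailing backslash."""
    lines, buf = [], ""
    for raw in text.splitlines():
        line = raw.strip()
        if line.endswith("\\"):
            buf += line[:-1].strip()
            continue
        lines.append(buf + line)
        buf = ""
    if buf:
        lines.append(buf)
    return lines


def _decode_value(val: str) -> str:
    """Return the value's content as text so size and entropy can be measured."""
    if val.startswith('"') and val.endswith('"'):
        return val[1:-1].replace('\\"', '"').replace("\\\\", "\\")
    m = HEX_VALUE.match(val)
    if m:
        raw = bytes.fromhex(m.group(1).replace(",", ""))
        # hex(2)/hex(7) strings are UTF-16LE; dropping NULs gives a usable text view.
        return raw.replace(b"\x00", b"").decode("latin-1")
    return val  # dword:, qword: and other short forms are measured as written


def scan_registry_export(text: str, min_len: int = 2048, min_entropy: float = 5.0) -> List[Finding]:
    """Flag registry values large enough to hold code and shaped like encoded data."""
    findings, key = [], ""
    for line in _join_continuations(text):
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            continue
        m = VALUE_LINE.match(line)
        if not m:
            continue
        data = _decode_value(m.group("val"))
        if len(data) < min_len:
            continue
        ent = shannon_entropy(data)
        # Pure base64 alphabet, or high entropy for raw binary blobs, marks an encoded payload.
        if BASE64_CHARS.match(data) is None and ent < min_entropy:
            continue
        autorun = any(mk in key.lower() for mk in AUTORUN_KEY_MARKERS)
        findings.append(Finding(key, m.group("name"), len(data), round(ent, 2), autorun))
    return findings


# Constructed sample export (not a real DarkWatchman artifact): one ordinary autorun entry,
# one oversized base64 string standing in for an encoded executable, one small hex value.
_BLOB = base64.b64encode(bytes(range(256)) * 20).decode()
SAMPLE_REG_EXPORT = (
    "Windows Registry Editor Version 5.00\n\n"
    "[HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run]\n"
    '"OneDrive"="\\"C:\\\\Users\\\\user\\\\AppData\\\\Local\\\\OneDrive.exe\\" /background"\n'
    f'"Updater"="{_BLOB}"\n'
    "\n[HKEY_CURRENT_USER\\Software\\Classes\\Local Settings]\n"
    '"MuiCache"=hex(3):01,02,\\\n  03,04\n'
)

if __name__ == "__main__":
    for f in scan_registry_export(SAMPLE_REG_EXPORT):
        print(f"{'AUTORUN ' if f.autorun else ''}{f.key}\\{f.name}: {f.length} chars, entropy {f.entropy}")
```

Run against a real export (`reg export HKCU hkcu.reg` on the host, then feed the file to `scan_registry_export`), the same check gives triage leads; values that are both flagged and under an autorun key deserve a closer look first.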

"One interesting hypothesis is that the ransomware operators could provide something like DarkWatchman to their less technologically capable affiliates, and once the affiliate gains a foothold in the system, it automatically communicates back to domains the operator controls," researchers wrote.

"DarkWatchman is significant as it represents an evolution in fileless malware techniques - among other novel features - which make it particularly concerning," they said.
News URL

https://threatpost.com/darkwatchman-rat-evolution-fileless-malware/177091/