New stealthy DarkWatchman malware hides in the Windows Registry (Security News, December 2021)
A new malware named 'DarkWatchman' has emerged in the cybercrime underground, and it's a lightweight and highly-capable JavaScript RAT paired with a C# keylogger.
A stealthy 'fileless' RAT. DarkWatchman is a very light malware: the JavaScript RAT measures just 32kb, and the compiled keylogger takes up only 8.5kb of space.
The fascinating aspect of DarkWatchman is its use of the Windows Registry fileless storage mechanism for the keylogger.
Instead of storing the keylogger on disk, a scheduled task is created to launch the DarkWatchman RAT every time the user logs into Windows.
"The keylogger is distributed as obfuscated C# source code that is processed and stored in the registry as a Base64-encoded PowerShell command. When the RAT is launched, it executes this PowerShell script which, in turn, compiles the keylogger and executes it," Prevailion researchers Matt Stafford and Sherman Smith explained in their report.
The registry is not only used as a place to hide the encoded executable code, but also as a temporary location to hold stolen data until it is exfiltrated to the C2. In terms of C2 communication and infrastructure, the DarkWatchman actors use a DGA with a seeded list of 10 items to generate up to 500 domains daily.
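A defender-side check for the registry-resident pattern described above, written as an added example (not code from the report or from Prevailion): it decodes long Base64 registry values as UTF-16LE and UTF-8 and flags any that contain markers of PowerShell compiling or running C# in memory. The sample registry values and the marker list are constructed assumptions for the demo.

```python
import base64, binascii, re
# Assumed hunting markers for PowerShell that compiles or runs C# source in memory: generic
# indicators chosen for this example, not strings taken from the Prevailion report.
MARKERS = ("add-type", "csharpcodeprovider", "compileassemblyfromsource",
           "invoke-expression", "-encodedcommand")
B64_RE = re.compile(r"^[A-Za-z0-9+/]{64,}={0,2}$")  # only long Base64 runs are worth decoding

def decode_base64_value(data: str) -> list:
    """Plausible text decodings of a Base64 value (PowerShell -EncodedCommand is UTF-16LE)."""
    s = data.strip()
    if not B64_RE.match(s):
        return []
    try:
        raw = base64.b64decode(s, validate=True)
    except (binascii.Error, ValueError):
        return []
    texts = []
    for enc in ("utf-16-le", "utf-8"):
        try:
            text = raw.decode(enc)
        except UnicodeDecodeError:
            continue
        if all(c.isprintable() or c in "\r\n\t" for c in text):  # drop binary decodings
            texts.append(text)
    return texts

def scan_registry_values(values) -> list:
    """Flag (key, value name, marker) for each value that decodes to a script with a marker."""
    hits = []
    for key, name, data in values:
        for text in decode_base64_value(data):
            marker = next((m for m in MARKERS if m in text.lower()), None)
            if marker:
                hits.append((key, name, marker))
                break
    return hits

def encoded_command(script: str) -> str:
    """Encode a script the way PowerShell -EncodedCommand expects (UTF-16LE, then Base64)."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")

# Constructed sample telemetry (key, value name, data). The "stage" entry mimics the pattern the
# report describes, a Base64 PowerShell command that compiles C# in memory, using a harmless stub.
SAMPLE_VALUES = [
    (r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run", "OneDrive",
     r"C:\Users\demo\AppData\Local\Microsoft\OneDrive\OneDrive.exe"),
    (r"HKCU\Software\Example\Cache", "stage", encoded_command(
        "$src = 'public class K { public static void Run() {} }'; Add-Type -TypeDefinition $src")),
    (r"HKCU\Software\Example\Cache", "note", base64.b64encode(
        b"an ordinary Base64 value holding plain text, not a script, kept for contrast").decode()),
]
```

On a live host the tuples would come from a registry export or EDR registry telemetry rather than the constructed list. The marker list is a starting point only and will miss payloads that obfuscate the compile step.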