• For Enquiry
  • 847-868-9253
  • 847-868-9208
  • Home
  • Why Choose CIO Landing?
    • Our Team
    • Success Stories
    • ‘8 Things’ We Do Better
    • Partners & Certifications
    • Our Services
  • Industry Expertise
    • Manufacturing
    • Medical
    • Education
    • Financial Services
    • Non-Profit
    • Law Firms
  • IT Solutions
    • Co-Managed Service
    • Managed IT Services
    • IT Support
      • On Demand Services
      • Office Moves & Wiring
      • Security
    • Server Management
    • Backup & Disaster Recovery
    • Cloud Services
    • CIO & IT Consulting
    • Cybersecurity Services
    • VoIP
    • Managed Firewall
    • Microsoft 365
      • Microsoft 365 Plans
        • Small Business
        • Enterprise
        • Education
    • Hardware & Software Sales
    • Email & Spam Protection
  • Resources
    • Free Copy Of New Book
    • Blog
    • Newsletter
    • Video Tips
      • Video Tips Archive
    • Free Cloud Report
    • IT Buyers Guide
    • Cybersecurity Crisis Report
    • Network Audit
    • COVID 19 Resources
    • In The NEWS
    • Online Training
  • About Us
    • Our Mission
    • Leadership
    • Teams
    • Referral Program
    • Press Releases
      • CIO Landing: More Than Just an IT
      • Small businesses can have an IT department too
      • CIO Landing, Inc. has joined forces with Banc Certified Merchant Services (BCMS).
    • Affiliations
    • Careers
      • Job Descriptions
    • FAQs
    • Causes We Support
    • Privacy Policy
    • Terms & Conditions
  • Locations
    • Northfield, IL
    • Northbrook, IL
    • Chicago, IL
    • Miami, FL
  • Support
✕
Hackers Are Using Big Brand Surveys To Scam Victims
January 6, 2022
T-Mobile Reports Scam Calls Have Increased 116 Percent Since 2020
January 8, 2022

New Remote Access Trojan Virus Hides In Windows Registry

January 7, 2022

There’s a new malware strain you should make sure your IT staff is aware of.  Called the Dark Watchman, it is a well-designed and highly capable RAT (Remote Access Trojan) paired with a keylogger written in C#.

First discovered by researchers at Prevailion this piece of malware likes to lurk in the Windows Registry and is used mainly by Russian-speaking threat actors for the purpose of (mostly) targeting Russian organizations.  That’s good news for the rest of us but if you are based in or do business with Russian firms then this one should be of concern.

The malware strain was first spotted in the wilds in early November of this year (2021) when the threat actor behind the code began distributing it via phishing emails that contained a poisoned ZIP file.  The ZIP of course contained an executable disguised as a text document.

If opened the victim gets a decoy popup message that reads “Unknown Format”, but the reality is that by the time the victim sees the message the malicious payload has already been installed in the background.

The malware itself is extremely lightweight measuring just 32kb in size. It is compiled in such a way that it only takes up 8.5kb of space.  It does however incorporate code that allows it to “live off the land” so to speak. Here it borrows what it needs from other binaries scripts and libraries on the target computer. It uses the Windows Registry “fileless storage mechanism” for the keylogger.

In its current form the Dark Watchman can perform the following operations:

  • Execute EXE files (with or without the output returned)
  • Load DLL files
  • Execute commands on the command line
  • Execute WSH commands
  • Execute miscellaneous commands via WMI
  • Execute PowerShell commands
  • Evaluate JavaScript
  • Upload files to the C2 server from the victim machine
  • Remotely stop and uninstall the RAT and Keylogger
  • Remotely update the C2 server address or call-home timeout
  • Update the RAT and Keylogger remotely
  • Set an autostart JavaScript to run on RAT startup
  • A Domain Generation Algorithm (DGA) for C2 resiliency
  • If the user has admin permissions, it deletes shadow copies using vssadmin.exe

All that to say it can do quite a lot of damage if its controllers want it to.  Be on the alert.

Share
29
taylor
taylor

Related posts

March 10, 2025

The Hidden Threat: How Gift Card Scams Are Targeting Businesses Like Yours

Read more
February 11, 2025

CIO Landing Named to CRN’s MSP 500 List for 2025—For the Third Year in a Row!

Read more
December 4, 2024

Unlocking the Power of Windows 11: Tips for Maximum Productivity

Read more
© 2025 All Rights Reserved | Powered by CIO Landing