There’s a new malware strain you should make sure your IT staff is aware of. Called the Dark Watchman, it is a well-designed and highly capable RAT (Remote Access Trojan) paired with a keylogger written in C#.
First discovered by researchers at Prevailion this piece of malware likes to lurk in the Windows Registry and is used mainly by Russian-speaking threat actors for the purpose of (mostly) targeting Russian organizations. That’s good news for the rest of us but if you are based in or do business with Russian firms then this one should be of concern.
The malware strain was first spotted in the wilds in early November of this year (2021) when the threat actor behind the code began distributing it via phishing emails that contained a poisoned ZIP file. The ZIP of course contained an executable disguised as a text document.
If opened the victim gets a decoy popup message that reads “Unknown Format”, but the reality is that by the time the victim sees the message the malicious payload has already been installed in the background.
The malware itself is extremely lightweight measuring just 32kb in size. It is compiled in such a way that it only takes up 8.5kb of space. It does however incorporate code that allows it to “live off the land” so to speak. Here it borrows what it needs from other binaries scripts and libraries on the target computer. It uses the Windows Registry “fileless storage mechanism” for the keylogger.
In its current form the Dark Watchman can perform the following operations:
All that to say it can do quite a lot of damage if its controllers want it to. Be on the alert.