Malicious Email Campaign Spreading Data Stealing Trojans Spotted in Wild

Prevailion researchers have detailed a new remote access trojan named DarkWatchman that has lately been distributed on Russian-speaking underground forums.

While it could pass for any other data-stealing, backdoor-setting RAT, the researchers emphasized how stealthy and lightweight DarkWatchman is. Here's more about it.

DarkWatchman: A New RAT in Wild

Simple remote access trojans are the entry point for most cyber attacks out there. The ones who get them installed on victims' machines on behalf of the main threat actors are the affiliates, who either exploit a vulnerability or spread the malware through phishing emails. DarkWatchman starts the same way.

As the researchers at Prevailion spotted, a new RAT named DarkWatchman has been in the wild since November this year. It was seen being actively distributed on Russian-speaking underground forums and is used to target Russian victims.

The initial spread is through phishing emails: the threat actors attach an executable with a document icon, passing it off as a legitimate file. When a user clicks on it, a pop-up message saying "Unknown format" appears, while the executable unpacks in the background.

DarkWatchman phishing email

The executable is a WinRAR archive containing two elements: a RAT and a C# keylogger. Together they form DarkWatchman, which relies on the Windows registry for its operations. As detailed by the researchers, DarkWatchman is lightweight, weighing only 32KB, and when compiled it shrinks to just 8.5KB.

Besides being so small, DarkWatchman is stealthy too. Once it enters the system, it creates a scheduled task, with its body held in the Windows Registry, to run itself whenever the user logs into the Windows machine, so that it executes in system memory rather than from local storage.

Apart from this fileless storage, the keylogger does not send the data it records directly to the hacker's C2. Instead, it again relies on the Windows registry to store the data temporarily and then passes it on to several domains created by the hacker using a DGA (domain generation algorithm).
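As an added example (not from the article or from Prevailion's report), a PowerShell hunt for the two behaviours described above on a Windows host: a logon-triggered scheduled task whose action is a script interpreter, and unusually large registry values under the user hive or Run key that could be staging a fileless payload. The interpreter list, the registry roots and the 4096-byte threshold are assumptions to tune for your environment.

```powershell
# Added hunt script, not DarkWatchman's code. Assumptions: the interpreter
# list, the registry roots searched and the size threshold are starting points.
$interpreters = 'wscript.exe','cscript.exe','powershell.exe','pwsh.exe',
                'mshta.exe','rundll32.exe','regsvr32.exe','cmd.exe'

# Scheduled tasks that fire at logon and launch a script host or LOLBin.
function Find-LogonScriptTasks {
    Get-ScheduledTask | ForEach-Object {
        $task  = $_
        $logon = $task.Triggers |
                 Where-Object { $_.CimClass.CimClassName -eq 'MSFT_TaskLogonTrigger' }
        if (-not $logon) { return }
        foreach ($action in $task.Actions) {
            # Normalise "C:\...\wscript.exe" to the bare file name for matching.
            $exe = [System.IO.Path]::GetFileName(($action.Execute -replace '"','').Trim())
            if ($interpreters -contains $exe.ToLower()) {
                [pscustomobject]@{
                    TaskName  = $task.TaskName
                    TaskPath  = $task.TaskPath
                    Execute   = $action.Execute
                    Arguments = $action.Arguments
                }
            }
        }
    }
}

# Registry values large enough to hold script or keylog data rather than a setting.
function Find-LargeRegistryValues {
    param([int]$MinBytes = 4096)
    $roots = 'HKCU:\Software', 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
    foreach ($root in $roots) {
        Get-ChildItem -Path $root -Recurse -ErrorAction SilentlyContinue | ForEach-Object {
            $key = $_
            foreach ($name in $key.GetValueNames()) {
                $value = $key.GetValue($name)
                $size  = if ($value -is [byte[]]) { $value.Length }
                         elseif ($value -is [string]) { $value.Length }
                         else { 0 }
                if ($size -ge $MinBytes) {
                    [pscustomobject]@{ Key = $key.Name; ValueName = $name; Bytes = $size }
                }
            }
        }
    }
}

Find-LogonScriptTasks | Format-Table -AutoSize
Find-LargeRegistryValues | Sort-Object Bytes -Descending | Format-Table -AutoSize
```

Review the hits by hand; legitimate software also uses logon tasks and large registry blobs, so a match is a lead for triage, not a verdict.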

Researchers said DarkWatchman is a RAT tailor-made for ransomware operators, who can use it to rely less on affiliates, since affiliates are normally the ones who provide the initial backdoor access and keylogging capabilities that DarkWatchman offers.
