In recent months, hostile groups have released new malware that enables threat actors to execute remote commands on a targeted system. The virus, which goes by the name “DarkWatchman,” may even cease running and uninstall itself from a machine if it senses that attempts are being made to remove it from the system.
Researchers from Prevailion, a cyber intelligence outfit, have described the malware in a new report based on their findings. According to a report by BleepingComputer, the malware was found to be used by Russian cybercrime gangs that mostly targeted Russian organizations. DarkWatchman was first seen in phishing emails as a ZIP attachment in early November and has been in circulation since then.
Because the malware employs stealth tactics to remain hidden from prying eyes, it is camouflaged as a text document inside the ZIP attachment to avoid detection. When opened, what appears to be a text file is actually an executable that installs the RAT and keylogger on the target machine. It does this by displaying a fake popup message reading “Unknown Format” while silently installing the payloads in the background.
For the keylogger, DarkWatchman takes advantage of the Windows Registry as fileless storage. The registry serves both as a hiding place for the encoded executable code and as a temporary store for the data the keylogger collects during the operation.
The logged keystrokes are then sent to a command-and-control (C2) server operated by the attacker, reached through domains produced by a domain generation algorithm (DGA).
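A defender-side check for the registry storage technique described above, added here as an example and not code from the Prevailion report or this article: it walks a Registry hive with PowerShell and flags large, high-entropy values, the footprint an implant parking encoded code or keylog data in the Registry would leave. The hive path, size threshold and entropy threshold are assumptions to tune per environment.

```powershell
# Added example: sweep a Registry hive for large, high-entropy values, the
# footprint of an implant that keeps encoded code or keylog data in the
# Registry instead of on disk. Root path and thresholds are assumptions.
param(
    [string]$Root = 'HKCU:\',
    [int]$MinLength = 512,      # bytes; ignore small configuration strings
    [double]$MinEntropy = 4.5   # bits/byte; English text sits near 4, base64 near 6
)
# Shannon entropy of a byte array, in bits per byte (0..8).
function Get-ShannonEntropy {
    param([byte[]]$Bytes)
    if (-not $Bytes -or $Bytes.Length -eq 0) { return 0.0 }
    $counts = New-Object int[] 256
    foreach ($b in $Bytes) { $counts[$b]++ }
    $entropy = 0.0
    foreach ($c in $counts) {
        if ($c -eq 0) { continue }
        $p = $c / $Bytes.Length
        $entropy -= $p * [Math]::Log($p, 2)
    }
    return $entropy
}

$findings = foreach ($key in Get-ChildItem -Path $Root -Recurse -ErrorAction SilentlyContinue) {
    foreach ($name in $key.GetValueNames()) {
        $raw  = $key.GetValue($name)
        $kind = $key.GetValueKind($name).ToString()
        # Normalise the value to bytes; other kinds (DWORD, QWORD) are too small to matter.
        $bytes = switch ($kind) {
            'Binary'       { [byte[]]$raw }
            'String'       { [Text.Encoding]::UTF8.GetBytes([string]$raw) }
            'ExpandString' { [Text.Encoding]::UTF8.GetBytes([string]$raw) }
            'MultiString'  { [Text.Encoding]::UTF8.GetBytes(($raw -join "`n")) }
            default        { $null }
        }
        if (-not $bytes -or $bytes.Length -lt $MinLength) { continue }
        $e = Get-ShannonEntropy $bytes
        if ($e -lt $MinEntropy) { continue }
        [pscustomobject]@{
            Key     = $key.Name
            Value   = $name
            Kind    = $kind
            Length  = $bytes.Length
            Entropy = [Math]::Round($e, 2)
        }
    }
}

$findings | Sort-Object Entropy -Descending | Format-Table -AutoSize
```

Legitimate software also stores blobs in the Registry, so treat hits as leads to triage against known-good baselines rather than as verdicts.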
According to the threat-analysis report, this way of storing and transferring logged data makes DarkWatchman far more resistant to monitoring than previous versions. Once installed, the trojan can carry out remote commands from the threat actor, load additional payloads onto the system, update those payloads, and even take evasive action by destroying records of its activity or removing itself from the system altogether.
According to Prevailion, DarkWatchman may have been created by ransomware gangs for use by their less experienced members. Because the tool is extremely difficult to detect on systems, it can be used even by inexperienced threat actors to compromise systems and harvest valuable information from them.