DarkWatchman is the latest malware being spread in ZIP attachments

In recent months, threat actors have begun distributing new malware that lets them execute remote commands on a targeted system. The malware, named “DarkWatchman,” can even stop running and uninstall itself from a machine if it senses that attempts are being made to remove it.

The malware is primarily a JavaScript RAT (Remote Access Trojan) that also includes a C# keylogger and is delivered over the Internet as an email attachment. The JavaScript RAT, built for stealthy operation on a compromised system, is only about 32 KB in size and uses scripts specifically designed to let it run without being detected. Once a system is infected, it can execute remote commands and send information back to the threat actors.

Researchers at Prevailion, a cyber intelligence firm, documented the malware in a new report based on their findings. According to coverage by BleepingComputer, the malware was found in use by Russian cybercrime gangs that mostly targeted Russian organizations. DarkWatchman was first spotted in phishing emails as a ZIP attachment in early November and has been in circulation since.

Because the malware relies on stealth to stay hidden, it is disguised as a text document inside the ZIP attachment. What appears to be a text file is actually an executable that, when opened, installs the RAT and keylogger on the target machine. It does so by displaying a fake popup message reading “Unknown Format” while silently installing the payloads in the background.
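As an added defensive example (not code from the article or from Prevailion), the check below inspects a ZIP attachment at a mail gateway and flags entries that are Windows script files, including the “document” decoy pattern described above, where a script extension is hidden behind a .txt name. The sample archive is constructed inline with a harmless placeholder; the extension lists are assumptions about what a gateway would treat as script types.

```python
from __future__ import annotations
import io
import zipfile
from dataclasses import dataclass

# Extensions Windows hands to the script host on double-click (assumed list).
SCRIPT_EXTENSIONS = {".js", ".jse", ".wsf", ".wsh", ".vbs", ".vbe", ".hta"}
# Extensions a user would read as a harmless document (assumed list).
DECOY_EXTENSIONS = {".txt", ".doc", ".docx", ".pdf", ".rtf"}


@dataclass
class Finding:
    name: str
    reason: str


def _extensions(name: str) -> list[str]:
    """Return every dotted suffix of the file name, lower-cased and stripped
    (so padding spaces used to push the real extension out of view are ignored)."""
    base = name.rsplit("/", 1)[-1].lower()
    parts = base.split(".")
    return ["." + p.strip() for p in parts[1:]] if len(parts) > 1 else []


def inspect_zip_attachment(data: bytes) -> list[Finding]:
    """Flag archive members that would execute as scripts when opened."""
    findings: list[Finding] = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            exts = _extensions(info.filename)
            if not exts or exts[-1] not in SCRIPT_EXTENSIONS:
                continue
            if len(exts) > 1 and exts[-2] in DECOY_EXTENSIONS:
                reason = f"script {exts[-1]} disguised as {exts[-2]} document"
            else:
                reason = f"executable script attachment ({exts[-1]})"
            findings.append(Finding(info.filename, reason))
    return findings


def build_sample_zip() -> bytes:
    """Constructed sample: one decoy-named script and one real text file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("invoice.txt.js", "// constructed placeholder, not malware\n")
        zf.writestr("notes.txt", "plain text\n")
    return buf.getvalue()


if __name__ == "__main__":
    for f in inspect_zip_attachment(build_sample_zip()):
        print(f.name, "->", f.reason)
```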

For the keylogger, DarkWatchman uses a fileless storage technique based on the Windows Registry. The registry serves both as a hiding place for the encoded executable code and as temporary storage for the data captured by the keylogger during an operation.

The logged keystrokes are then sent to a C2 server (a command-and-control server, i.e. a machine operated by the cybercriminals), with the server's address resolved using DGA (domain generation algorithms).

According to the threat analysis, this way of storing and transmitting logs makes DarkWatchman far more resilient to monitoring than earlier tools. Once installed, the trojan can carry out remote commands from the threat actor, load additional payloads onto the system, update those payloads, and even take evasive action by wiping records of its activity or removing itself from the system entirely.

According to Prevailion, DarkWatchman may have been built by ransomware gangs for use by their less experienced members. Because the tool is extremely difficult to detect on a system, even untrained threat actors can use it to target systems and harvest valuable information.

Founder and Chief Editor of Network Herald. A passionate Blogger, Content Writer from Mumbai. Loves to cover every current affair in terms of technology. He writes about the how-to guides, tips and tricks, top list articles.
