New Remote Access Trojan Virus Hides In Windows Registry


Published On: January 7th, 2022 / Categories: Cyber Security / 2 min read


There’s a new malware strain you should make sure your IT staff is aware of.  Called the Dark Watchman, it is a well-designed and highly capable RAT (Remote Access Trojan) paired with a keylogger written in C#.

First discovered by researchers at Prevailion, this piece of malware likes to lurk in the Windows Registry and is used mainly by Russian-speaking threat actors for the purpose of (mostly) targeting Russian organizations.  That’s good news for the rest of us, but if you are based in or do business with Russian firms, then this one should be of concern.

The malware strain was first spotted in the wild in early November of this year (2021), when the threat actor behind the code began distributing it via phishing emails that contained a poisoned ZIP file.  The ZIP, of course, contained an executable disguised as a text document.

If it is opened, the victim gets a decoy popup message that reads “Unknown Format”, but the reality is that by the time the victim sees the message, the malicious payload has already been installed in the background.

The malware itself is extremely lightweight, measuring just 32kb in size. It is compiled in such a way that it only takes up 8.5kb of space.  It does, however, incorporate code that allows it to “live off the land”, so to speak: it borrows what it needs from other binaries, scripts and libraries already on the target computer. It uses the Windows Registry as a “fileless storage mechanism” for the keylogger, so the keylogger never has to be written to disk as a file.

In its current form the Dark Watchman can perform the following operations:

  • Execute EXE files (with or without the output returned)
  • Load DLL files
  • Execute commands on the command line
  • Execute WSH commands
  • Execute miscellaneous commands via WMI
  • Execute PowerShell commands
  • Evaluate JavaScript
  • Upload files to the C2 server from the victim machine
  • Remotely stop and uninstall the RAT and Keylogger
  • Remotely update the C2 server address or call-home timeout
  • Update the RAT and Keylogger remotely
  • Set an autostart JavaScript to run on RAT startup
  • A Domain Generation Algorithm (DGA) for C2 resiliency
  • If the user has admin permissions, it deletes shadow copies using vssadmin.exe

All that to say it can do quite a lot of damage if its controllers want it to.  Be on the alert.
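As an added detection example (not code from the original post or from Prevailion), the following Python flags two of the behaviours described above, shadow-copy deletion through vssadmin.exe and large or script-like data written to a registry value, over constructed log lines in a simplified JSON shape; the thresholds, field names and registry paths are assumptions, not values from the article.

```python
"""Added detection example (not from the original post or from Prevailion).
Flags two behaviours the article attributes to DarkWatchman over constructed,
simplified JSON event lines (not an exact Sysmon/EDR schema)."""
import json
import re

# Thresholds and markers are assumptions for illustration, not values from the article.
LARGE_REG_VALUE = 4096   # bytes of data written to a single registry value
SCRIPT_MARKERS = re.compile(r"\b(function|eval|ActiveXObject|WScript)\b", re.I)

def analyze_event(ev: dict) -> list:
    """Return the alert names raised by one event (empty list if nothing matched)."""
    alerts = []
    if ev.get("type") == "process_create":
        image = ev.get("image", "").lower()
        cmd = ev.get("command_line", "").lower()
        # Shadow-copy deletion via vssadmin.exe (needs admin rights, as the article notes)
        if image.endswith("\\vssadmin.exe") and "delete" in cmd and "shadows" in cmd:
            alerts.append("vssadmin_shadow_delete")
    elif ev.get("type") == "registry_set":
        data = ev.get("data", "")
        # Fileless storage: unusually large or script-like data written to a registry value
        if len(data) >= LARGE_REG_VALUE or SCRIPT_MARKERS.search(data):
            alerts.append("registry_script_storage")
    return alerts

def scan(lines) -> list:
    """Run analyze_event over JSON lines; return (line_number, alert) pairs."""
    hits = []
    for n, line in enumerate(lines, 1):
        for alert in analyze_event(json.loads(line)):
            hits.append((n, alert))
    return hits

# Constructed sample events for demonstration only (paths and key names are made up).
SAMPLE_LOG = [
    json.dumps({"type": "process_create", "image": r"C:\Windows\System32\vssadmin.exe",
                "command_line": "vssadmin.exe delete shadows /all /quiet"}),
    json.dumps({"type": "process_create", "image": r"C:\Windows\System32\vssadmin.exe",
                "command_line": "vssadmin.exe list shadows"}),
    json.dumps({"type": "registry_set", "key": r"HKCU\Software\Example\Blob",
                "data": "function run(){var s=new ActiveXObject('WScript.Shell');}"}),
    json.dumps({"type": "registry_set", "key": r"HKCU\Software\Example\Theme",
                "data": "dark"}),
]

if __name__ == "__main__":
    for n, alert in scan(SAMPLE_LOG):
        print(f"line {n}: {alert}")
```

Only the deletion command and the script-like registry write are reported; listing shadow copies and writing a short plain value are left alone.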
