New DarkWatchman malware spread through phishing emails on Windows machines: What we know so far

A new malware, in circulation since early November, has been detected by cybersecurity firm Prevailion. The firm warns that the malware takes little to no space on a targeted system and is hence very hard to detect. Once in place, it can execute remote commands and transmit valuable data to the threat actor.

(Image: Reuters)
Story highlights
  • DarkWatchman is the latest malware being spread in ZIP attachments with phishing emails.
  • It uses a host of stealth mechanisms to avoid detection.
  • It can even install more payloads on an infected system and update them remotely.

New malware is in circulation among malicious groups, enabling threat actors to run remote commands on a target system. Named "DarkWatchman", the malware can even stop running and uninstall itself from a system if it detects that attempts are being made to fish it out.

The malware is essentially a JavaScript RAT (Remote Access Trojan) that also contains a C# keylogger. Built for stealthy attacks on a system, the JavaScript RAT is only about 32 KB in size and uses scripts written specifically to let it operate without detection. Once it infects a system, it is capable of running remote commands and transferring data to the threat actors.

The malware was made public in a new report by researchers at Prevailion, a cyber intelligence firm. As highlighted by a Bleeping Computer report, the firm found the trojan being used by Russian cybercrime groups that mainly target Russian organisations. DarkWatchman was first detected in phishing emails as a ZIP attachment, in circulation since early November.

The malware relies on stealth mechanisms to hide from attentive eyes: inside the ZIP attachment it is disguised as a text document. What looks like a text file is in fact an executable that installs the RAT and keylogger on the target system once opened. At the same time, it shows a decoy popup message reading "Unknown Format" while it secretly installs the payloads in the background.
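The disguise described above (a text-looking name wrapped around an executable, or a script sitting in a mailed ZIP) is something a mail gateway or triage script can check for before a user ever opens the attachment. The script below is an added example, not code from the article or from Prevailion's report. It inspects each ZIP member for two of the tell-tales the article mentions: a document extension hiding a Windows PE header (the `MZ` magic bytes) and a double extension such as `.txt.exe`; it also flags bare script or executable members. The sample archive is constructed in memory so the script runs offline, and the extension lists are an assumed policy rather than anything the article specifies.

```python
"""Added example (not from the article or Prevailion's report): inspect a ZIP
attachment for members that pose as documents but carry an executable."""
import io
import zipfile

# Assumed policy lists: extensions Windows will run directly or via script hosts,
# and extensions users read as harmless documents.
EXECUTABLE_EXT = {".exe", ".scr", ".com", ".pif", ".js", ".jse", ".vbs",
                  ".vbe", ".wsf", ".hta", ".bat", ".cmd"}
DOCUMENT_EXT = {".txt", ".doc", ".docx", ".pdf", ".rtf"}


def _extensions(name):
    """All dotted suffixes of the base name, lower-cased: 'a.txt.exe' -> ['.txt', '.exe']."""
    base = name.lower().rsplit("/", 1)[-1]
    return ["." + part for part in base.split(".")[1:]]


def inspect_member(name, head):
    """Return the reasons a ZIP member looks like a disguised executable.

    `head` is the first few bytes of the member's content."""
    reasons = []
    exts = _extensions(name)
    if not exts:
        return reasons
    last = exts[-1]
    # A "document" whose bytes start with the PE magic is an executable in disguise.
    if last in DOCUMENT_EXT and head.startswith(b"MZ"):
        reasons.append("PE header behind a document extension")
    if last in EXECUTABLE_EXT:
        if len(exts) >= 2 and exts[-2] in DOCUMENT_EXT:
            reasons.append("double extension: " + "".join(exts))
        else:
            reasons.append("executable or script member: " + last)
    return reasons


def inspect_zip(data):
    """Scan ZIP bytes and return {member_name: [reasons]} for suspicious members."""
    findings = {}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            with zf.open(info) as fh:
                head = fh.read(4)  # enough to see the 'MZ' magic
            reasons = inspect_member(info.filename, head)
            if reasons:
                findings[info.filename] = reasons
    return findings


def build_sample_zip():
    """Constructed sample archive: one benign note, one fake PE with a .txt name,
    one double-extension lure and one script member. Contents are inert filler."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("notes.txt", "quarterly figures attached\n")
        zf.writestr("invoice.txt", b"MZ\x90\x00" + b"\x00" * 60)
        zf.writestr("contract.txt.exe", b"MZ\x90\x00" + b"\x00" * 60)
        zf.writestr("readme.js", "// constructed placeholder, does nothing\n")
    return buf.getvalue()


if __name__ == "__main__":
    for member, why in inspect_zip(build_sample_zip()).items():
        print(member, "->", "; ".join(why))
```

The check reads only the first bytes of each member, so it is cheap enough to run on every inbound archive; a real gateway would also apply it recursively to nested archives and compare the content type against the claimed extension for more formats than PE.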

DarkWatchman uses the Windows Registry as a fileless storage mechanism for the keylogger. The registry serves as a hiding place for the encoded executable code and as a temporary location for the data the keylogger steals. The logged keystrokes are then transmitted to the C2 server (a command-and-control server, or the cybercriminal's own computer), which the malware locates using a DGA (domain generation algorithm).
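Because the C2 address comes from a DGA rather than a fixed hostname, blocking one domain does little; what defenders can watch instead is the shape of the names a host resolves. The script below is an added example, not code from the article or from Prevailion's report, and it does not reproduce DarkWatchman's actual algorithm (which the article does not describe). It runs a simple heuristic over DNS query logs: the registrable label is scored on length, character entropy and vowel ratio, and any client that resolves several such names is reported. The log lines are constructed for the example, the log format is assumed, and the thresholds are illustrative values that would be tuned against a real baseline.

```python
"""Added example (not from the article or Prevailion's report): flag DNS clients
that resolve several DGA-shaped domain names, using constructed log lines."""
import math
import re
from collections import defaultdict

# Constructed sample log (assumed format: timestamp client 'query' type name).
SAMPLE_LOG = """\
2021-12-01T10:00:01Z 10.0.0.5 query A www.example.com
2021-12-01T10:00:02Z 10.0.0.5 query A mail.example.com
2021-12-01T10:00:05Z 10.0.0.9 query A xk3v9qzt7wplr2md.com
2021-12-01T10:00:05Z 10.0.0.9 query A gq8zvbw4hnpt3lcs.net
2021-12-01T10:00:06Z 10.0.0.9 query A b7ktqwzx5nrpmg2v.org
2021-12-01T10:00:06Z 10.0.0.9 query A update.example.com
2021-12-01T10:00:07Z 10.0.0.9 query A t9wmxzqpkv4rgh3n.com
"""

LINE_RE = re.compile(r"^(\S+) (\S+) query \S+ (\S+)$")


def shannon_entropy(text):
    """Bits of entropy per character; random-looking labels score high."""
    counts = defaultdict(int)
    for ch in text:
        counts[ch] += 1
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def registrable_label(domain):
    """Label left of the TLD. Naive (no public-suffix list), sufficient here."""
    parts = domain.split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def looks_generated(domain, min_len=12, min_entropy=3.2, max_vowel_ratio=0.3):
    """Heuristic: long, high-entropy, consonant-heavy labels resemble DGA output.
    Thresholds are illustrative assumptions, not values from the report."""
    label = registrable_label(domain)
    letters = [c for c in label if c.isalpha()]
    vowel_ratio = sum(c in "aeiou" for c in letters) / len(letters) if letters else 0.0
    return (len(label) >= min_len
            and shannon_entropy(label) >= min_entropy
            and vowel_ratio <= max_vowel_ratio)


def parse_log(text):
    """Yield (timestamp, client, domain) for each well-formed line."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m.group(1), m.group(2), m.group(3).lower().rstrip(".")


def find_dga_clients(log_text, min_hits=3):
    """Return {client: [suspicious domains]} for clients with at least min_hits."""
    hits = defaultdict(list)
    for _ts, client, domain in parse_log(log_text):
        if looks_generated(domain):
            hits[client].append(domain)
    return {client: names for client, names in hits.items() if len(names) >= min_hits}


if __name__ == "__main__":
    for client, names in find_dga_clients(SAMPLE_LOG).items():
        print(client, "resolved", len(names), "DGA-shaped names:", ", ".join(names))
```

Per-client counting matters more than any single score: legitimate CDN and cloud hostnames can look random in isolation, but a workstation that resolves a burst of them across unrelated TLDs, many of which fail to resolve, is the pattern worth an analyst's attention.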

The threat-analysis report notes that this way of storing and transmitting logged data makes DarkWatchman far more resilient to any kind of monitoring. Once in place, the trojan can execute commands from the threat actor, load more payloads onto the system, update those payloads, and even take evasive manoeuvres by deleting logs of its activity or uninstalling itself from the system completely.

According to Prevailion, DarkWatchman may have been put to use by ransomware groups for their less capable members. Since the tool is very hard to detect on systems, even inexperienced threat actors can use it to target systems and extract valuable information.