DarkWatchman first surfaced in early November, when the threat actor began distributing the malware through phishing emails carrying malicious ZIP attachments. Each ZIP contains an executable whose icon imitates a text document.
That executable is a WinRAR self-extracting archive that installs the RAT and the keylogger without any further user interaction. When the victim opens it, a fake pop-up reading "Unknown Format" is displayed, but by then the payloads have already been installed in the background.
The keylogger is never stored on disk as a file. Instead, the DarkWatchman RAT is launched by a scheduled task each time the user logs into Windows and, once running, executes a PowerShell script that builds the keylogger in memory.
“The keylogger is distributed as obfuscated C# source code that is processed and stored in the registry as a Base64-encoded PowerShell command. When the RAT is launched, it executes this PowerShell script which, in turn, compiles the keylogger (using CSC) and executes it,” Prevailion researchers Sherman Smith and Matt Stafford explained in their report.
“The keylogger itself does not communicate with the C2 or write to disk. Instead, it writes its keylog to a registry key that it uses as a buffer. During its operation, the RAT scrapes and clears this buffer before transmitting the logged keystrokes to the C2 server.”
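The technique quoted above (C# source hidden in the registry as a Base64-encoded PowerShell command and compiled at runtime) leaves a fairly specific footprint: registry values that decode, as UTF-16LE Base64, to a PowerShell script containing compilation and keystroke-capture APIs. The following scanner is an added example written for this article, not code from Prevailion or from the malware; the registry values it scans are constructed here for illustration, and the indicator list is an assumption about what such a script would contain, not a signature for DarkWatchman itself.

```python
import base64
import binascii
import re


def _encode_ps(script: str) -> str:
    """PowerShell -EncodedCommand expects Base64 over UTF-16LE text."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


# Constructed sample registry values (value name -> data), NOT real artefacts.
SAMPLE_VALUES = {
    # Mimics the pattern described in the article: C# source embedded in a
    # PowerShell script that compiles and runs it in memory (hypothetical).
    "Config": _encode_ps(
        'Add-Type -TypeDefinition @"\nusing System;\npublic class K { '
        '[System.Runtime.InteropServices.DllImport("user32.dll")] '
        'public static extern short GetAsyncKeyState(int k); }\n"@\n'
        "[K]::GetAsyncKeyState(65)"
    ),
    # Benign encoded command with no suspicious API usage.
    "Greeting": _encode_ps('Write-Output "hello"'),
    # Benign non-Base64 string.
    "Path": r"C:\Program Files\Vendor\app.exe",
}

# (needle, description) pairs; assumed indicators of in-memory compilation
# and keystroke capture, case-insensitive.
INDICATORS = [
    ("Add-Type", "in-memory C# compilation via Add-Type"),
    ("CSharpCodeProvider", "runtime C# compilation"),
    ("CompileAssemblyFromSource", "runtime C# compilation"),
    ("csc.exe", "direct csc.exe invocation"),
    ("GetAsyncKeyState", "keystroke polling API"),
    ("SetWindowsHookEx", "keyboard hook API"),
    ("FromBase64String", "nested Base64 decoding"),
]

# Long, unbroken Base64 alphabet only; short values are ignored to cut noise.
B64_RE = re.compile(r"^[A-Za-z0-9+/]{40,}={0,2}$")


def decode_encoded_command(data: str):
    """Return the decoded script if `data` looks like a -EncodedCommand
    payload (Base64 over UTF-16LE, mostly printable), otherwise None."""
    if not B64_RE.match(data):
        return None
    try:
        raw = base64.b64decode(data, validate=True)
    except (ValueError, binascii.Error):
        return None
    if len(raw) % 2:  # UTF-16LE needs an even byte count
        return None
    try:
        text = raw.decode("utf-16-le")
    except UnicodeDecodeError:
        return None
    printable = sum(c.isprintable() or c in "\r\n\t" for c in text)
    if printable < 0.95 * len(text):  # reject binary blobs that happen to decode
        return None
    return text


def scan_registry_values(values: dict) -> dict:
    """Map value name -> sorted indicator descriptions found in the decoded
    script; values that do not decode or contain no indicator are omitted."""
    findings = {}
    for name, data in values.items():
        script = decode_encoded_command(data)
        if script is None:
            continue
        lowered = script.lower()
        hits = {desc for needle, desc in INDICATORS if needle.lower() in lowered}
        if hits:
            findings[name] = sorted(hits)
    return findings


if __name__ == "__main__":
    for name, hits in scan_registry_values(SAMPLE_VALUES).items():
        print(f"{name}: {', '.join(hits)}")
```

In a real hunt the `values` dictionary would be populated by walking the hives with the `winreg` module or an exported `.reg` file rather than the constructed sample; the UTF-16LE check matters because ordinary Base64-encoded binaries will usually fail to decode as printable UTF-16 text and are filtered out before string matching.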
The registry therefore serves two purposes: a staging buffer for stolen keystrokes until they are exfiltrated to the C2, and a hiding place for the encoded executable code. For C2 communication, the DarkWatchman actors use a domain generation algorithm (DGA) seeded with a list of 10 items to produce up to 500 domains per day. This gives them considerable operational resilience, since blocking or sinkholing any single domain achieves little, and makes monitoring and analysing the C2 traffic far harder.
According to Prevailion, DarkWatchman may have been designed by or for ransomware groups that need a robust, unobtrusive tool to support their less-skilled affiliates. Because the malware can load new payloads remotely, it could serve as a covert first-stage implant: after gaining a foothold, DarkWatchman would contact actor-controlled domains, letting the ransomware operator take over and either deploy the ransomware or handle file exfiltration directly. The affiliate's role would shrink to that of a network intruder, and RaaS operations would become more clinical and efficient.
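The DGA behaviour described above (hundreds of fresh domains per infected host per day, most of which will not resolve because the operator only registers a few) is easier to catch in resolver logs than by blocklisting domains. The detector below is an added example written for this article, not Prevailion's method and not a reimplementation of DarkWatchman's DGA, whose algorithm and seed list are not given here; the log format, the thresholds and the traffic sample are all constructed assumptions.

```python
import math
import random
from collections import defaultdict


def shannon_entropy(s: str) -> float:
    """Bits per character of the string's character-frequency distribution."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def registered_domain(qname: str) -> str:
    """Naive registrable domain: last two labels. Assumption: no public-suffix
    list, so 'co.uk'-style suffixes are mishandled; adequate for this demo."""
    labels = qname.rstrip(".").lower().split(".")
    return ".".join(labels[-2:])


def find_dga_clients(log_text: str, unique_threshold: int = 100,
                     nx_ratio: float = 0.5, entropy_floor: float = 3.0) -> dict:
    """Per (client, day): count distinct registrable domains. Flag a client when
    that count reaches `unique_threshold` and its lookups are mostly NXDOMAIN or
    its second-level labels are mostly high-entropy. Log line format assumed:
    '<ISO timestamp> <client ip> <qname> <rcode>'."""
    stats = defaultdict(lambda: {"domains": set(), "total": 0, "nx": 0, "ent": []})
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, client, qname, rcode = line.split()
        s = stats[(client, ts[:10])]
        dom = registered_domain(qname)
        if dom not in s["domains"]:
            s["domains"].add(dom)
            s["ent"].append(shannon_entropy(dom.split(".")[0]))
        s["total"] += 1
        if rcode == "NXDOMAIN":
            s["nx"] += 1

    flagged = {}
    for (client, day), s in stats.items():
        uniq = len(s["domains"])
        if uniq < unique_threshold:
            continue
        ratio = s["nx"] / s["total"]
        mean_ent = sum(s["ent"]) / len(s["ent"])
        if ratio >= nx_ratio or mean_ent >= entropy_floor:
            flagged[client] = {"day": day, "unique_domains": uniq,
                               "nxdomain_ratio": round(ratio, 2),
                               "mean_sld_entropy": round(mean_ent, 2)}
    return flagged


def build_sample_log(seed: int = 7) -> str:
    """Constructed resolver log (not real traffic): one normal host and one host
    that queries hundreds of random-looking domains, most of which do not exist."""
    rng = random.Random(seed)
    lines = []
    benign = ["www.example.com", "mail.example.com", "update.vendor.net", "cdn.static.org"]
    for i in range(200):
        lines.append(f"2021-12-01T09:{i % 60:02d}:00 10.0.0.5 {benign[i % len(benign)]} NOERROR")
    alphabet = "abcdefghijklmnopqrstuvwxyz0123456789"
    for i in range(300):
        label = "".join(rng.choice(alphabet) for _ in range(12))
        tld = rng.choice([".com", ".net", ".org"])
        rcode = "NOERROR" if rng.random() < 0.05 else "NXDOMAIN"
        lines.append(f"2021-12-01T09:{i % 60:02d}:{i % 60:02d} 10.0.0.9 {label}{tld} {rcode}")
    return "\n".join(lines)


SAMPLE_DNS_LOG = build_sample_log()

if __name__ == "__main__":
    for client, info in find_dga_clients(SAMPLE_DNS_LOG).items():
        print(client, info)
```

The unique-domain threshold is deliberately set well below the 500-per-day figure from the report so that a host is caught early in the day; the NXDOMAIN ratio does the real work, because a DGA client necessarily burns through many unregistered names before hitting one the operator controls, while the entropy check catches the case where a resolver answers everything (for example a sinkhole or wildcard) and no NXDOMAINs appear.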