There is a new malware roaming the internet that uses the Windows Registry to evade detection. From what we have gathered so far, this malware is JavaScript-based and is also a Remote Access Trojan (RAT). Researchers from Prevailion’s Adversarial Counterintelligence Team (PACT) have named it DarkWatchman. It uses a domain generation algorithm (DGA) to locate its command-and-control infrastructure and stores its operational data in the Windows Registry rather than on disk, which is what lets it slip past most antimalware engines.
DarkWatchman malware uses Windows Registry to evade detection
OK, so the researchers claim it uses some interesting methods to achieve fileless persistence on the system, along with dynamic run-time capabilities.
Researchers Matt Stafford and Sherman Smith claim the malware “represents an evolution in Fileless malware techniques, as it uses the registry for nearly all temporary and permanent storage and therefore never writes anything to disk, allowing it to operate beneath or around the detection threshold of most security tools.”
Who were the targeted victims?
The folks at Prevailion stated that the DarkWatchman RAT targeted a large organization in Russia. Several malware artifacts were identified, and all of this began back on November 12, 2021. Now, since it has persistence and backdoor features, the team at PACT concluded that DarkWatchman could be a reconnaissance tool designed and used by ransomware groups looking to make millions of dollars.
“The storage of the binary in the registry as encoded text means that DarkWatchman is persistent yet its executable is never (permanently) written to disk; it also means that DarkWatchman’s operators can update (or replace) the malware every time it’s executed,” according to the researchers.
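The technique described above and in the earlier quote, a payload kept in the registry as encoded text so that nothing is written to disk, leaves a trace a defender can hunt for: a string value that is far longer than any configuration setting and looks like base64 or hex. The following is an added example, not code from Prevailion or the DarkWatchman report, showing one way to run that heuristic over a Registry Editor (.reg) export so it works offline. The key paths, value names and encoded blobs in the sample export are constructed for the example and are not real DarkWatchman indicators; the thresholds are assumptions to tune per environment.

```python
"""Hunt for large encoded blobs stored in Windows registry string values.

This is a generic heuristic, not a DarkWatchman signature. It parses a
.reg export (REG_SZ lines only; hex: binary values and their line
continuations are out of scope) and flags values that are long, made
only of base64 or hex characters, and have high Shannon entropy, which
is what an encoded executable stashed in the registry looks like.
"""
import base64
import hashlib
import math
import re
from collections import Counter

KEY_RE = re.compile(r'^\[(.+)\]$')
# "Name"="data" or @="data"; backslashes and quotes are escaped with \ in .reg files
VALUE_RE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")="((?:[^"\\]|\\.)*)"$')
HEX_RE = re.compile(r'^[0-9A-Fa-f]+$')
BASE64_RE = re.compile(r'^[A-Za-z0-9+/=]+$')

# Entropy thresholds (assumed): hex tops out at 4 bits/char, base64 at 6.
# Hex is tested first because every hex string is also valid base64 text.
ENCODINGS = [("hex", HEX_RE, 3.5), ("base64", BASE64_RE, 5.0)]


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character of s (0.0 for empty or single-symbol strings)."""
    if not s:
        return 0.0
    n = len(s)
    return -sum((c / n) * math.log2(c / n) for c in Counter(s).values())


def parse_reg_export(text: str):
    """Yield (key_path, value_name, data) for every REG_SZ entry in a .reg export."""
    key = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = KEY_RE.match(line)
        if m:
            key = m.group(1)
            continue
        m = VALUE_RE.match(line)
        if m and key is not None:
            name = "(Default)" if m.group(1) == "@" else m.group(1).strip('"')
            data = m.group(2).replace('\\"', '"').replace("\\\\", "\\")
            yield key, name, data


def find_suspicious_values(text: str, min_len: int = 256):
    """Return the string values that look like large encoded payloads."""
    hits = []
    for key, name, data in parse_reg_export(text):
        if len(data) < min_len:
            continue
        for label, pattern, threshold in ENCODINGS:
            if pattern.match(data):
                ent = shannon_entropy(data)
                if ent >= threshold:
                    hits.append({"key": key, "name": name, "encoding": label,
                                 "length": len(data), "entropy": round(ent, 2)})
                break  # first matching alphabet decides the encoding
    return hits


# Constructed sample data: deterministic pseudo-random bytes stand in for a
# payload; none of these keys, names or blobs are real DarkWatchman artifacts.
_PSEUDO_RANDOM = b"".join(hashlib.sha256(bytes([i])).digest() for i in range(20))  # 640 bytes
ENCODED_BLOB = base64.b64encode(_PSEUDO_RANDOM).decode()   # high entropy base64
ZERO_BLOB = base64.b64encode(b"\x00" * 600).decode()       # long but all 'A': not flagged
HEX_BLOB = _PSEUDO_RANDOM.hex()                            # same payload as hex text

SAMPLE_REG = (
    "Windows Registry Editor Version 5.00\n\n"
    "[HKEY_CURRENT_USER\\Software\\Example\\Normal]\n"
    '"InstallPath"="C:\\\\Program Files\\\\Example"\n'
    '"Version"="1.2.3"\n\n'
    "[HKEY_CURRENT_USER\\Software\\Example\\Stash]\n"
    f'"Payload"="{ENCODED_BLOB}"\n'
    f'"Padding"="{ZERO_BLOB}"\n'
    f'"HexCopy"="{HEX_BLOB}"\n'
)

if __name__ == "__main__":
    for hit in find_suspicious_values(SAMPLE_REG):
        print(f"{hit['key']}\\{hit['name']}: {hit['encoding']}, "
              f"{hit['length']} chars, {hit['entropy']} bits/char")
```

Run against a real export (`reg export HKCU hkcu.reg` in an elevated prompt, then read the file as UTF-16) the same function applies unchanged. The zero-filled blob shows why length alone is a poor signal: it is 800 characters of valid base64 but carries no entropy, so it is not reported, while the same payload stored as hex is still caught because the threshold is set per alphabet.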
At the moment, this RAT malware has yet to be linked to any known hacking group. However, the research team believes the crew behind it is a capable threat actor.