This brazen new strain of malware lurks in the Windows registry


Prevailion cybersecurity researchers recently discovered a new malware campaign in which Russian-speaking threat actors are targeting other Russian organizations.

As researchers Matt Stafford and Sherman Smith reported, in early November the company detected a lightweight but very capable JavaScript Remote Access Trojan (RAT) paired with a C# keylogger, which they named "DarkWatchman."

It is distributed the same way as most malware today: via phishing emails. The email carries an attached ZIP file containing what appears to be a text document. In reality, the archive is a self-extracting WinRAR archive that installs both the RAT and the keylogger.

DarkWatchman is quite cheeky, the researchers explained, because it does not store the captured keystrokes on disk; instead it uses the Windows registry as fileless storage. The Trojan sets up a scheduled task that runs every time the victim logs into Windows.

Activation of ransomware attacks

On each login, that scheduled task runs a PowerShell script that compiles the keylogger and runs it in memory.

"The keylogger is distributed as obfuscated C# source code that is processed and stored in the registry as a Base64-encoded PowerShell command. When the RAT starts, it runs this PowerShell script which in turn compiles the keylogger (using CSC) and runs it," the two researchers explained.

"The keylogger itself does not communicate with C2 or write to disk. Instead, it writes its keylog to a registry key that it uses as a buffer. While running, the RAT scrapes and clears this buffer before transmitting keystrokes of recorded keys to the C2 server."
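One way a defender could hunt for this set-and-clear pattern in registry telemetry, as an added example that is not part of the article or of Prevailion's report: it assumes Sysmon-style registry events (EventID 13 = value set, EventID 12 = value deleted) and uses constructed sample events and key paths.

```python
"""Flag registry values used as a hand-off buffer between two script hosts:
one process repeatedly sets the value and a different one clears it, which is
the behaviour described for DarkWatchman's keylog buffer.  Event shape follows
Sysmon registry events (assumption); all sample data below is constructed."""
from collections import defaultdict

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "powershell.exe", "mshta.exe"}
SET_VALUE, DELETE_VALUE = 13, 12          # Sysmon EventIDs for value set / deleted


def ev(ts, eid, image, target):
    """Build one minimal registry event record."""
    return {"ts": ts, "id": eid, "image": image, "target": target}


# Constructed sample telemetry (hypothetical paths, not indicators from the article).
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
WS = r"C:\Windows\System32\wscript.exe"
EXPLORER = r"C:\Windows\explorer.exe"
BUF = r"HKU\S-1-5-21-0-0-0-1001\Software\ExampleBuf\keys"          # keylog buffer
SETTINGS = r"HKU\S-1-5-21-0-0-0-1001\Software\ExampleApp\Settings"  # benign churn

EVENTS = [ev(t, SET_VALUE, PS, BUF) if t % 2 == 0 else ev(t, DELETE_VALUE, WS, BUF)
          for t in range(8)]                       # PS writes, wscript clears, x4
EVENTS += [ev(t, SET_VALUE, EXPLORER, SETTINGS) for t in range(10, 18)]  # one writer


def is_script_host(image):
    return image.rsplit("\\", 1)[-1].lower() in SCRIPT_HOSTS


def find_registry_buffers(events, min_cycles=3):
    """Return {target: cycles} for values where a script host sets the value and
    a *different* script host then deletes or overwrites it, at least min_cycles times."""
    by_target = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        if is_script_host(e["image"]):
            by_target[e["target"]].append(e)
    hits = {}
    for target, seq in by_target.items():
        cycles, writer = 0, None
        for e in seq:
            if writer is None:
                if e["id"] == SET_VALUE:
                    writer = e["image"]           # someone filled the buffer
            elif e["image"] != writer:            # another host cleared/overwrote it
                cycles += 1
                writer = None
        if cycles >= min_cycles:
            hits[target] = cycles
    return hits
```

Overwrites by the writer itself (a normal app updating its own setting) never count, so single-process churn such as the explorer.exe sample stays quiet.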

Speaking of the C2 server, DarkWatchman uses a domain generation algorithm (DGA), producing up to 500 candidate domains every day. This, the researchers explained, makes the RAT highly resistant to domain seizure and to surveillance of its communications.

DarkWatchman has a very specific use case, according to Prevailion's researchers. In their assessment, the RAT was designed by ransomware operators and handed to third-party affiliates, who are then tasked with compromising target networks. Once the RAT is deployed, installing the actual ransomware payload becomes much easier.