DarkWatchman: This advanced fileless malware only writes data to the Windows Registry, so it can’t be detected by security solutions

Prevailion security specialists report that a newly identified spear phishing campaign is distributing a new remote access Trojan (RAT) capable of manipulating the Windows Registry in order to evade even the most advanced security measures on the affected system.

Identified as DarkWatchman, this Trojan uses the registry on Windows systems for almost all temporary storage on an affected machine, so it never needs to write anything to disk; in this way the hackers can go unnoticed on the compromised system. DarkWatchman is also characterized by a very strong domain generation algorithm (DGA), which it uses to locate its C&C infrastructure, and by dynamic runtime capabilities such as self-updating and collection.
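The DGA mentioned above matters to defenders because the generated names tend to look unlike human-chosen domains. The following added example (not code from the article or from Prevailion) scores each queried domain in a constructed DNS query log with a few cheap lexical features and flags the DGA-looking ones. The log lines, hosts, timestamps and thresholds are all assumptions made here; only bdfdb1290.top is taken from the article, the other unusual-looking names are made up.

```python
import math
import re
from collections import Counter

# Constructed DNS query log (hypothetical hosts and timestamps). Only bdfdb1290.top
# comes from the article; the other odd-looking names are invented for this example.
SAMPLE_DNS_LOG = """\
2021-11-30T10:01:02Z host01 query A www.example.com
2021-11-30T10:01:05Z host01 query A mail.example.org
2021-11-30T10:01:07Z host02 query A bdfdb1290.top
2021-11-30T10:01:09Z host02 query A q7x2kf9pzl4r.top
2021-11-30T10:01:11Z host02 query A static.cdn-example.net
2021-11-30T10:01:12Z host02 query A lk3j9xq2mvb8.xyz
"""

LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) query (?P<type>\S+) (?P<qname>\S+)$")
VOWELS = set("aeiou")


def char_entropy(s: str) -> float:
    """Shannon entropy (bits per character) of the label's character distribution."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def registrable_label(qname: str) -> str:
    """Naive registrable label: the part left of the TLD (fine for .top/.xyz/.com style names)."""
    parts = qname.rstrip(".").lower().split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def dga_features(label: str) -> dict:
    """Lexical features that separate typed-by-a-human names from algorithmically generated ones."""
    letters = [c for c in label if c.isalpha()]
    digits = sum(c.isdigit() for c in label)
    vowel_ratio = sum(c in VOWELS for c in letters) / len(letters) if letters else 0.0
    longest_run = run = 0
    for c in label:  # longest run of consecutive consonants
        run = run + 1 if (c.isalpha() and c not in VOWELS) else 0
        longest_run = max(longest_run, run)
    return {
        "length": len(label),
        "vowel_ratio": vowel_ratio,
        "digit_ratio": digits / len(label) if label else 0.0,
        "consonant_run": longest_run,
        "entropy": char_entropy(label),
    }


def dga_score(label: str) -> int:
    """Count of DGA indicators (0..4). Thresholds are assumed defaults, tune them on your own traffic."""
    f = dga_features(label)
    score = int(f["vowel_ratio"] < 0.2)      # almost no vowels
    score += int(f["digit_ratio"] > 0.25)    # digits sprinkled through the name
    score += int(f["consonant_run"] >= 4)    # unpronounceable consonant clusters
    score += int(f["entropy"] >= 3.2)        # close to uniformly random characters
    return score


def suspicious_queries(log_text: str, min_len: int = 7, min_score: int = 2) -> list:
    """Return (host, qname, score) for queries whose registrable label looks generated."""
    out = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        label = registrable_label(m["qname"])
        score = dga_score(label)
        if len(label) >= min_len and score >= min_score:
            out.append((m["host"], m["qname"], score))
    return out


if __name__ == "__main__":
    for host, qname, score in suspicious_queries(SAMPLE_DNS_LOG):
        print(f"{host}: {qname} (score {score}/4)")
```

A single indicator is not enough on its own (long legitimate names such as cdn-example already pass the entropy bar), which is why the example requires at least two before it flags a query; in practice you would also whitelist known-good domains and look at the volume of NXDOMAIN responses from the same host, since a DGA client typically queries many candidates that do not resolve.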

The experts first spotted malicious activity linked to this RAT in late November, when they identified a TLS certificate for the domain name bdfdb1290.top on abuse.ch's SSL Blacklist (SSLBL). Using VirusTotal, the experts found a malicious sample of the Trojan and eventually another associated domain, hosted on an IP address in Bulgaria.

The way the malware takes advantage of the Windows Registry shows that its developers know the Windows platform very well, the experts say: “DarkWatchman uses the registry in a particularly novel way, exploiting it to communicate between operation threads and as persistent and temporary storage.”

In addition, DarkWatchman uses the registry as a temporary storage buffer for information that has not yet been sent to the C&C server, and as a storage location for executable code that is encoded before runtime. These are indications of what the researchers called “a solid understanding of software development and the Windows operating system itself.”
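Because the code and the exfiltration buffer live in registry values rather than in files, file-based scanning and EDR file-write telemetry will not see them; what a defender can do is look at the registry itself for values that do not look like configuration data. The following added example (not code from the article or from Prevailion) parses a `reg export` style dump and flags values that are unusually large, have near-random entropy (encrypted or compressed blobs), or decode from base64 into something carrying script or PE markers. The key paths, value names, thresholds and the small staged script are all constructed assumptions for this example and are not taken from any DarkWatchman sample.

```python
import base64
import math
import random
import re
from collections import Counter
from dataclasses import dataclass, field

# Tunables for the heuristics (assumed defaults, not from any vendor rule).
LARGE_VALUE_BYTES = 512   # registry values are normally tiny; a blob this big deserves a look
HIGH_ENTROPY_BITS = 7.0   # per-byte Shannon entropy near 8.0 means encrypted/compressed data
# Substrings that hint at script content once a value is decoded (PE files are checked by the MZ header).
CODE_MARKERS = (b"function", b"ActiveXObject", b"WScript", b"eval(", b"powershell")

KEY_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"=(.*)$')
B64_RE = re.compile(r"^[A-Za-z0-9+/]+={0,2}$")

# Constructed sample dump. The staged script and the random "encrypted" blob are made up here.
_STAGED_SCRIPT = b'function run(){var sh=new ActiveXObject("WScript.Shell");sh.Run("notepad.exe");}'
_rng = random.Random(7)
_ENCRYPTED_BLOB = bytes(_rng.getrandbits(8) for _ in range(1024))
_hex = ",".join(f"{b:02x}" for b in _ENCRYPTED_BLOB)
SAMPLE_REG_EXPORT = (
    "Windows Registry Editor Version 5.00\n\n"
    "[HKEY_CURRENT_USER\\Software\\ExampleVendor\\Settings]\n"
    '"Theme"="dark"\n'
    '"WindowWidth"=dword:00000400\n\n'
    "[HKEY_CURRENT_USER\\Software\\Classes\\ExampleStage]\n"
    f'"Stage"="{base64.b64encode(_STAGED_SCRIPT).decode()}"\n'
    f'"Queue"="{base64.b64encode(b"hello").decode()}"\n'
    f'"Blob"=hex:{_hex}\n'
)


@dataclass
class Finding:
    key: str
    name: str
    size: int
    reasons: list = field(default_factory=list)


def shannon_entropy(data: bytes) -> float:
    """Bits per byte of the empirical byte distribution (0.0 for empty input, at most 8.0)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def parse_reg_export(text: str):
    """Yield (key, name, raw_bytes) for string and hex: values; joins backslash-continued lines."""
    key, pending = None, ""
    for line in text.splitlines():
        line = pending + line.strip()
        if line.endswith("\\"):          # hex: data continues on the next line
            pending = line[:-1]
            continue
        pending = ""
        m = KEY_RE.match(line)
        if m:
            key = m.group(1)
            continue
        m = VALUE_RE.match(line)
        if not (m and key):
            continue                     # dword:, @= default values and blank lines are skipped
        name, data = m.group(1), m.group(2)
        if data.startswith('"') and data.endswith('"'):
            s = data[1:-1].replace('\\"', '"').replace("\\\\", "\\")
            yield key, name, s.encode("utf-8", "surrogateescape")
        elif data.startswith("hex:"):
            yield key, name, bytes.fromhex(data[4:].replace(",", ""))


def scan_value(key: str, name: str, raw: bytes):
    """Apply the three heuristics to one value; return a Finding or None."""
    reasons = []
    if len(raw) >= LARGE_VALUE_BYTES:
        reasons.append(f"large value ({len(raw)} bytes)")
    if shannon_entropy(raw) >= HIGH_ENTROPY_BITS:
        reasons.append("high entropy (likely encrypted or compressed)")
    views = [raw]
    text = raw.decode("ascii", "ignore").strip()
    if text and len(text) % 4 == 0 and B64_RE.match(text):
        try:
            views.append(base64.b64decode(text, validate=True))
        except ValueError:
            pass
    for view in views:                   # check the raw value and, if any, its base64 decoding
        hits = ["MZ header"] if view.startswith(b"MZ") else []
        hits += [m.decode() for m in CODE_MARKERS if m in view]
        if hits:
            reasons.append("code markers: " + ", ".join(hits))
            break
    return Finding(key, name, len(raw), reasons) if reasons else None


def scan_reg_export(text: str) -> list:
    return [f for f in (scan_value(k, n, v) for k, n, v in parse_reg_export(text)) if f]


if __name__ == "__main__":
    for f in scan_reg_export(SAMPLE_REG_EXPORT):
        print(f"{f.key}\\{f.name} ({f.size} bytes): {'; '.join(f.reasons)}")
```

On a live host the same logic can be fed from `reg export HKCU hkcu.reg` (or the equivalent for HKLM and per-user hives); expect some noise from legitimate software that stores serialized settings in the registry, so the output is a triage list rather than a verdict, and the values it flags are best correlated with registry-write telemetry (Sysmon Event ID 13) and with which process created them.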

The characteristics of this RAT lead researchers to believe that some hacking groups are using DarkWatchman as an initial payload in ransomware attacks. Indications of this include its attempt to remove shadow copies from the affected system, its apparent focus on business targets, and its ability to deploy additional payloads remotely.

Whatever the main goal of its operators, it is clear that DarkWatchman is the work of sophisticated threat actors, making it one of the most striking recent innovations from the cybercriminal community.

To learn more about information security risks, malware variants, vulnerabilities and information technologies, feel free to access the International Institute of Cyber Security (IICS) websites.