According to a technical report by researchers at Prevailion, the novel RAT is employed by Russian-speaking actors who target mainly Russian organizations.
The first signs of DarkWatchman’s existence appeared in early November as the threat actor began distributing the malware through phishing emails with malicious ZIP attachments.
These ZIP attachments contain an executable whose icon impersonates a text document. The executable is a self-extracting WinRAR archive that installs both the RAT and the keylogger.
If opened, the user is shown a decoy popup message that reads “Unknown Format,” but in reality, the payloads have been installed in the background.
It utilizes a large set of “living off the land” binaries, scripts, and libraries, and incorporates stealthy methods to transfer data between modules.
The fascinating aspect of DarkWatchman is its use of the Windows Registry fileless storage mechanism for the keylogger.
Instead of storing the keylogger on disk, a scheduled task is created to launch the DarkWatchman RAT every time the user logs into Windows.
Once launched, DarkWatchman executes a PowerShell script that compiles the keylogger with the .NET CSC.exe compiler and runs it in memory.
“The keylogger is distributed as obfuscated C# source code that is processed and stored in the registry as a Base64-encoded PowerShell command. When the RAT is launched, it executes this PowerShell script which, in turn, compiles the keylogger (using CSC) and executes it,” Prevailion researchers Matt Stafford and Sherman Smith explained in their report.
“The keylogger itself does not communicate with the C2 or write to disk. Instead, it writes its keylog to a registry key that it uses as a buffer. During its operation, the RAT scrapes and clears this buffer before transmitting the logged keystrokes to the C2 server.”
As such, the registry is not only used as a place to hide the encoded executable code, but also as a temporary location to hold stolen data until it’s exfiltrated to the C2.
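As an added illustration (not code from the article or from the Prevailion report), the following Python applies two defender-side checks to a constructed snapshot of a registry key: it decodes Base64 string values to find a PowerShell stage that compiles C# in memory, and it diffs two snapshots of the same key to spot a value that behaves like the keystroke buffer described above. The indicator tokens and the sample values are assumptions, not DarkWatchman artifacts.

```python
import base64
import binascii
import re

# Substrings that, in decoded registry data, suggest a PowerShell stage that
# compiles C# source in memory. Assumed indicator list, not from the report.
SUSPECT_TOKENS = ("add-type", "csc.exe", "csharpcodeprovider", "invoke-expression")
B64_RE = re.compile(r"[A-Za-z0-9+/]+={0,2}")

def decode_b64_text(data: str):
    """Decode a Base64 registry string as ASCII text: UTF-16LE first (what
    PowerShell expects for -EncodedCommand), then UTF-8. None if not text."""
    if len(data) < 64 or len(data) % 4 or not B64_RE.fullmatch(data):
        return None
    try:
        raw = base64.b64decode(data, validate=True)
    except (binascii.Error, ValueError):
        return None
    for enc in ("utf-16-le", "utf-8"):
        try:
            text = raw.decode(enc)
        except UnicodeDecodeError:
            continue
        if text.isascii() and all(c.isprintable() or c in "\r\n\t" for c in text):
            return text
    return None

def find_encoded_stages(values: dict) -> list:
    """Names of values whose decoded data looks like an in-memory compile stage."""
    hits = []
    for name, data in values.items():
        text = decode_b64_text(data)
        if text and any(tok in text.lower() for tok in SUSPECT_TOKENS):
            hits.append(name)
    return hits

def find_buffer_like_values(snap_a: dict, snap_b: dict) -> list:
    """Names whose data changed between two snapshots of the same key: a value
    that fills up and is then emptied behaves like a keystroke buffer."""
    return sorted(n for n in snap_a.keys() | snap_b.keys() if snap_a.get(n) != snap_b.get(n))

# Constructed sample snapshots of one registry key (synthetic, for the demo only).
_stage = "$src = $env:SRC; Add-Type -TypeDefinition $src; [Stage]::Run()"
SNAPSHOT_1 = {
    "Stage": base64.b64encode(_stage.encode("utf-16-le")).decode(),
    "Buf": "dXNlcm5hbWUgcGFzc3dvcmQ=",  # short buffer, 'username password'
    "InstallPath": "C:\\Program Files\\Example\\",
}
SNAPSHOT_2 = dict(SNAPSHOT_1, Buf="")  # the RAT scraped and cleared the buffer
```

Run against real exports, the snapshot diff needs a baseline of values that legitimately change (counters, MRU lists) to keep noise down.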
For C2 communication and infrastructure, the DarkWatchman actors use a domain generation algorithm (DGA) with a seeded list of 10 items to generate up to 500 domains daily.
This gives them excellent operational resilience, and at the same time, makes communication monitoring and analysis very challenging.
DarkWatchman’s functional capabilities are the following:
Prevailion theorizes that DarkWatchman may be tailored by/for ransomware groups that need to empower their less capable affiliates with a potent and stealthy tool.
The malware can load additional payloads remotely, so it could be used as a stealthy first-stage infection for subsequent ransomware deployment.
Since DarkWatchman can communicate to actor-controlled domains after the initial foothold, the ransomware operator could take over and deploy the ransomware or handle the file exfiltration directly.
This approach would degrade the affiliate’s role to that of a network infiltrator and simultaneously make RaaS operations more clinical and efficient.
I'm SO glad Linux employs neither a registry NOR self-installing files... They ARE getting to be some clever little buggers, though, aren't they?