- Aug 17, 2014
A novel remote access trojan (RAT) being distributed via a Russian-language spear-phishing campaign is using unique manipulation of Windows Registry to evade most security detections, demonstrating a significant evolution in fileless malware techniques.
Dubbed DarkWatchman, the RAT – discovered by researchers at Prevailion’s Adversarial Counterintelligence Team (PACT) – uses the registry on Windows systems for nearly all temporary storage on a machine and thus never writes anything to disk. This allows it “to operate beneath or around the detection threshold of most security tools,” PACT researchers Matt Stafford and Sherman Smith wrote in a report published late Tuesday.
In addition to its fileless persistence, DarkWatchman also uses a “robust” Domain Generation Algorithm (DGA) to identify its command-and-control (C&C) infrastructure and includes dynamic run-time capabilities like self-updating and recompilation, researchers observed.
The new tool manipulates Windows Registry in unique ways to evade security detections and is likely being used by ransomware groups for initial network access.