DarkWatchman RAT Hides in the Registry to Evade Detection
Posted by: GuidePoint Security
Published 12/22/21, 9:00am
Security researchers have discovered a new, fileless RAT that evades antimalware and security tools by hiding and operating almost entirely out of the Windows registry.
Dubbed “DarkWatchman”, the RAT was first discovered at an undisclosed Russian organization. The JavaScript-based tool was delivered via the evergreen technique of attaching a zipped file to a phishing email.
Upon unarchiving the ZIP file, the payload executes and drops two components: the extremely lightweight (just 32 KB) JavaScript RAT itself, and an even slimmer C#-based keylogger that is immediately stored in the registry to avoid detection.
DarkWatchman establishes C2 using a potent domain generation algorithm (DGA) to locate its command server, and it allows an attacker to accomplish all the tasks usually associated with a RAT, such as executing binaries, loading DLLs, executing PowerShell commands, running JavaScript code, uploading files, and even updating or uninstalling both itself and the keylogger.
What makes DarkWatchman particularly distinctive is its use of the Windows registry. Because the binary itself is stored in the registry as encoded text and is never written to disk as a permanent file, it evades traditional file-based malware detection tools. It also uses the registry as a rolling buffer for the keylogger's output: as the keylogger records keystrokes, they are written to a registry key that the DarkWatchman RAT scrapes and clears as it sends the data back to the C2 infrastructure. Because registry changes are commonplace and constantly occurring, it is easy to see how this technique could get lost in the noise, just a needle in an ever-growing haystack.
While the true end goal of this new RAT is unknown, its persistence features and backdoor access make DarkWatchman a likely precursor to ransomware activity. Because of its extensive capabilities and novel methods for avoiding detection, an attacker using DarkWatchman could avoid relying on an affiliate to deploy ransomware in an environment, instead handling the deployment and the exfiltration of data themselves. It would also give a ransomware operator much more visibility into an environment post-encryption, giving them more control over and insight into the victim's response.
DarkWatchman is not yet attributed to any particular hacking group or ransomware gang, and as such is still something of a dark horse (pun intended). Its emergence is yet another step in the ever-escalating arms race between attackers and defenders, taking advantage of a common blind spot in security event collection. It seems clear from the advanced feature set and novel execution techniques that this is the work of a sophisticated threat actor.
Next Steps
Because the DarkWatchman RAT is so new, not much is currently known about its creator's end goals or where it may turn up next. As always, it is advisable to keep your employees trained and aware of the dangers of well-crafted social engineering and phishing campaigns, to use good email scanning and security tools, and to log as much event data as is reasonably possible for your environment and team. While registry events are a dime a gross, scoping the impact of a novel RAT like DarkWatchman may hinge on collecting and processing registry event data.
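As an added illustration of that logging advice (example code written for this post, not GuidePoint's tooling or anything taken from the RAT), the following Python applies two heuristics to constructed Sysmon-style registry events: long, high-entropy value data that could be an encoded binary parked in the registry, and one process repeatedly setting and then deleting the same value, the rolling-buffer pattern described above. The event shape, key paths, process names and payload stand-in are all assumptions chosen for the example, not DarkWatchman indicators.

```python
import base64
import math
from collections import Counter

# Constructed Sysmon-style registry events (EventID 13 = SetValue, EventID 12 = DeleteValue).
# Key paths, process names and the payload stand-in are made up; none are DarkWatchman indicators.
WSCRIPT = "C:\\Windows\\System32\\wscript.exe"
_BLOB = base64.b64encode(bytes(range(256)) * 20).decode()  # stand-in for an encoded binary
SAMPLE_EVENTS = [
    {"EventID": 13, "EventType": "SetValue", "Image": WSCRIPT,
     "TargetObject": "HKU\\S-1-5-21-EXAMPLE\\Software\\ExampleVendor\\blob", "Details": _BLOB},
    {"EventID": 13, "EventType": "SetValue", "Image": "C:\\Windows\\explorer.exe",
     "TargetObject": "HKCU\\Software\\Microsoft\\Windows\\Shell\\BagMRU\\0", "Details": "Binary Data"},
]
for _ in range(3):  # keystrokes buffered, scraped, then cleared: three write/delete cycles
    SAMPLE_EVENTS.append({"EventID": 13, "EventType": "SetValue", "Image": WSCRIPT,
                          "TargetObject": "HKCU\\Software\\ExampleVendor\\kl", "Details": "dGhlIHF1aWNr"})
    SAMPLE_EVENTS.append({"EventID": 12, "EventType": "DeleteValue", "Image": WSCRIPT,
                          "TargetObject": "HKCU\\Software\\ExampleVendor\\kl"})


def shannon_entropy(text):
    """Bits per character: base64 text approaches 6.0, English prose sits near 4.0."""
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in Counter(text).values()) if n else 0.0


def find_encoded_blobs(events, min_len=1024, min_entropy=5.0):
    """Long, high-entropy value data written to the registry: a candidate registry-resident payload."""
    hits = []
    for e in events:
        data = e.get("Details", "")
        if e["EventType"] == "SetValue" and len(data) >= min_len:
            ent = shannon_entropy(data)
            if ent >= min_entropy:
                hits.append((e["TargetObject"], e["Image"], len(data), round(ent, 2)))
    return hits


def find_rolling_buffers(events, min_cycles=3):
    """One process repeatedly setting then deleting the same value: buffer-style churn."""
    cycles, last = Counter(), {}
    for e in events:
        key = (e["TargetObject"], e["Image"])
        if e["EventType"] == "SetValue":
            last[key] = "set"
        elif e["EventType"] == "DeleteValue" and last.get(key) == "set":
            cycles[key] += 1
            last[key] = "deleted"
    return [(k, n) for k, n in cycles.items() if n >= min_cycles]
```

Running `find_encoded_blobs(SAMPLE_EVENTS)` and `find_rolling_buffers(SAMPLE_EVENTS)` flags only the two scripted events; the thresholds are starting points to tune against your own baseline of benign registry churn.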