Have you heard of Dark Watchman?

There's a new malware strain you should make sure your IT staff is aware of.  Called the Dark Watchman, it is a well-designed and highly capable RAT, or Remote Access Trojan, paired with a keylogger written in C#.

First discovered by researchers at Prevailion this piece of malware likes to lurk in the Windows Registry and is used mainly by Russian-speaking threat actors for the purpose of (mostly) targeting Russian organizations.  That's good news for the rest of us but if you are based in or do business with Russian firms then this one should be of concern.


How do you recognize the malware?

The malware strain was first spotted in the wild in early November when the threat actor behind the code began distributing it via phishing emails that contained a poisoned ZIP file.  The ZIP of course contained an executable disguised as a text document.

If opened the victim gets a decoy popup message that reads "Unknown Format", but the reality is that by the time the victim sees the message the malicious payload has already been installed in the background.

The malware itself is extremely lightweight, measuring just 32kb in size. It is compiled in such a way that it only takes up 8.5kb of space.  It does, however, incorporate code that allows it to "live off the land" so to speak. Here it borrows what it needs from other binaries scripts and libraries on the target computer. It uses the Windows Registry "fileless storage mechanism" for the keylogger.


Dark Watchman can perform the following operations

  • Execute EXE files (with or without the output returned)
  • Load DLL files
  • Execute commands on the command line
  • Execute WSH commands
  • Execute miscellaneous commands via WMI
  • Execute PowerShell commands
  • Evaluate JavaScript
  • Upload files to the C2 server from the victim machine
  • Remotely stop and uninstall the RAT and Keylogger
  • Remotely update the C2 server address or call-home timeout
  • Update the RAT and Keylogger remotely
  • Set an autostart JavaScript to run on RAT startup
  • A Domain Generation Algorithm (DGA) for C2 resiliency
  • If the user has admin permissions, it deletes shadow copies using vssadmin.exe


My perspective

All that to say it can do quite a lot of damage if its controllers want it to.  Be on the alert.


You don't want to have a "Houston, we have a problem" moment


By Denis Wilson

Cybersecurity Expert, Small Business Technology Consultant, Managed Services Provider, Managed IT Support

Thanks for reading this post. I always take into mind that your time and attention are precious. And these posts need to be timely, to the point, and short.

For more tips on thriving with small business technology, check out the other blog posts at DWPIA Blogs. You can also find me on LinkedIn, Facebook, and Twitter

I am also a published author and speaker on cloud computing, work-at-home, and cybersecurity. I work extensively with business and professional associations to provide free small business technology education programs.


Contact me if you would like me to speak to your association