September 26, 2023

Attackers have imitated the Russian-based website CryptoPro CSP to spread the DarkWatchman RAT.

The phishing campaign primarily targets Russian users and was first detected in 2021. 

Once victims visit the website, they are prompted to download a malicious file named CSPSetup[.]rar. A password is provided to extract the content, luring victims into thinking the file is secure.


The archive contains two files: readme[.]txt, written in Russian, which suggests the RAT specifically targets users in Russia, and CSPSetup[.]exe, an SFX archive that drops the DarkWatchman RAT. Simultaneously, it initiates a sequence of additional activities on the infected machine.

Upon execution, the DarkWatchman RAT drops a JavaScript file named 144039266 in the %temp% location. It then runs this file using two commands.

  • The first command uses PowerShell to add the C:\ drive as a path to evade detection by Windows Defender.
  • The second command uses Windows Script Host to run the JavaScript file, 144039266.
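The two commands above leave traces in process-creation logs. The following is an added detection sketch, not code from Cyble's research or from the malware: it assumes the Defender change is made through `Add-MpPreference -ExclusionPath` (the page only says PowerShell adds C:\ as a path), and the event fields, host names, rule names and sample command lines are constructed for illustration.

```python
import re

# Rule 1: Add-/Set-MpPreference excluding an entire drive root from Defender scans.
DRIVE_ROOT_EXCLUSION = re.compile(
    r"""\b(?:Add|Set)-MpPreference\b.*-ExclusionPath\s+['"]?[A-Za-z]:\\?['"]?(?=[\s,;]|$)""",
    re.IGNORECASE,
)
# Rule 2: a script under a Temp directory whose file name is digits only.
NUMERIC_TEMP_SCRIPT = re.compile(r"""\\Temp\\\d+(?=["'\s]|$)""", re.IGNORECASE)
SCRIPT_HOSTS = ("wscript.exe", "cscript.exe")

# Constructed process-creation events (not captured from the campaign).
SAMPLE_EVENTS = [
    {"host": "ws-01", "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"powershell.exe -Command Add-MpPreference -ExclusionPath 'C:\'"},
    {"host": "ws-01", "image": r"C:\Windows\System32\wscript.exe",
     "cmdline": r'wscript.exe "C:\Users\alice\AppData\Local\Temp\144039266"'},
    {"host": "build-02", "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"powershell.exe Add-MpPreference -ExclusionPath 'C:\Build\cache'"},
    {"host": "ws-03", "image": r"C:\Windows\System32\wscript.exe",
     "cmdline": r'wscript.exe "C:\Program Files\Vendor\logon.vbs"'},
]

def classify(event):
    """Return the names of the rules a single process-creation event matches."""
    hits = []
    cmd = event["cmdline"]
    if DRIVE_ROOT_EXCLUSION.search(cmd):
        hits.append("defender_drive_root_exclusion")
    if event["image"].lower().endswith(SCRIPT_HOSTS) and NUMERIC_TEMP_SCRIPT.search(cmd):
        hits.append("script_host_numeric_temp_file")
    return hits

def hosts_with_both(events):
    """Hosts where both behaviours were seen; the pair is a stronger signal than either alone."""
    seen = {}
    for e in events:
        seen.setdefault(e["host"], set()).update(classify(e))
    return sorted(h for h, rules in seen.items() if len(rules) == 2)

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(ev["host"], classify(ev))
    print("correlated hosts:", hosts_with_both(SAMPLE_EVENTS))
```

A narrow folder exclusion and a script host running a named script from Program Files do not match, which keeps the rules from firing on routine administration.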

The CSPSetup[.]exe file also drops a file named 291529489, which is an encrypted keylogger that captures keystrokes, clipboard data, and smart card information and saves it in the registry to minimize the risk of detection.


Using the Windows registry to store the stolen data allows the malware to evade detection by traditional file-based scanning systems. This innovative tactic places it in the category of fileless malware and indicates that the operators are highly sophisticated.

To stay safe from such threats, organizations should be aware of these tactics and deploy multi-layered security measures, such as firewall protection, advanced behavior-based anti-malware software, and endpoint security solutions.

This research was documented by researchers from Cyble.
