DarkWatchman - Fileless Malware
Prevailion’s Adversarial Counterintelligence Team (PACT) shared findings on a JavaScript-based RAT dubbed “DarkWatchman” that uses Domain Generation Algorithms (DGA) for its Command and Control (C2) infrastructure and achieves fileless persistence. The malware is distributed via email in a zip archive and uses the registry for essentially all temporary and permanent storage, avoiding the need to write to disk. The RAT is paired with a C# keylogger and uses LOLbins; if the user has admin permissions, it deletes shadow copies.