DarkWatchman - Fileless Malware

Industry: N/A | Level: Tactical | Source: Prevailion

Research from Prevailion’s Adversarial Counterintelligence Team (PACT) shared findings of a javascript-based RAT dubbed, “DarkWatchman,” that uses Domain Generation Algorithms (DGA) for its Command and Control (C2) infrastructure achieving fileless persistence. The malware is distributed via email in a zip archive and uses the registry for essentially all temporary and permanent storage to avoid having the need to write to disk. The RAT is paired with a C# keylogger and utilizes LOLbins, and if the user has admin permission it deletes shadow copies.

• Anvilogic Scenario: DarkWatchman - Behaviors