New DarkWatchman RAT Campaign Leverages a Popular Russian Cryptography Site
Category: Malware Campaign | Industry: Global | Level: Tactical | Source: Cyble
An increase in samples of the DarkWatchman Remote Access Trojan (RAT) has been observed, with the latest campaign involving threat actors mimicking the popular Russian cryptography site CryptoPro CSP. Cyble Research and Intelligence Labs (CRIL) discovered the DarkWatchman campaign, which seeks to obtain personal and sensitive information from unsuspecting victims. Users who navigate to the phishing page download a zip archive containing a text file and an executable file that installs the RAT. Based on the language used in the text file, the campaign, like past DarkWatchman infections, is targeting Russian users.
- DarkWatchman - Behaviors
Anvilogic Use Cases:
- Modify Windows Defender
- Wscript/Cscript Execution
- Inhibit System Recovery Commands