New DarkWatchman RAT Campaign Leverages a Popular Russian Cryptography Site


An increase in samples of the DarkWatchman Remote Access Trojan (RAT) has been observed, with the latest campaign involving threat actors mimicking the popular Russian cryptography site CryptoPro CSP. Cyble Research and Intelligence Labs (CRIL) discovered the DarkWatchman campaign seeking to obtain personal and sensitive information from unsuspecting victims. Users navigating to the phishing page download a zip archive containing a text file and an executable that installs the RAT. Based on the language used in the text file, the campaign, like past DarkWatchman infections, targets Russian users.

"DarkWatchman is a Remote Access Trojan (RAT) type enabling attackers to gain remote control over compromised systems and extract sensitive data. Its malicious capabilities include capturing keystrokes, clipboard data, and system information. Notably, DarkWatchman avoids writing the captured data to disk and instead stores it in the registry, thereby minimizing the risk of detection," said CRIL. When the executable file from the zip archive is run, it drops a JavaScript file, which is the DarkWatchman RAT itself, into the TEMP folder. Commands run by the executable add an exclusion path in Windows Defender with PowerShell, call wscript to execute the JavaScript, and drop an encrypted keylogger onto the host. Once the JavaScript launches, a function initializes global variables, configures the RAT, and installs the keylogger.
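A small detection for the chain described above, run over constructed process-creation events, added here as an example and not part of Cyble's or Anvilogic's material. It assumes the Defender exclusion is added with the Add-MpPreference -ExclusionPath cmdlet (the write-up names only PowerShell) and uses Sysmon Event ID 1 style field names; the sample events and paths are constructed.

```python
import re

# Constructed process-creation events (Sysmon Event ID 1 style fields); not real telemetry.
EVENTS = [
    {"pid": 4001, "ppid": 3000, "image": r"C:\Users\ivan\Downloads\CryptoPro_CSP_setup.exe",
     "cmdline": r"CryptoPro_CSP_setup.exe"},
    {"pid": 4002, "ppid": 4001, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r'powershell -c "Add-MpPreference -ExclusionPath C:\Users\ivan\AppData\Local\Temp"'},
    {"pid": 4003, "ppid": 4001, "image": r"C:\Windows\System32\wscript.exe",
     "cmdline": r"wscript.exe C:\Users\ivan\AppData\Local\Temp\dw.js"},
    # Benign noise: a lone PowerShell command and a scheduled script outside TEMP.
    {"pid": 5001, "ppid": 3000, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"powershell -c Get-Date"},
    {"pid": 5002, "ppid": 5000, "image": r"C:\Windows\System32\wscript.exe",
     "cmdline": r"wscript.exe C:\Tools\maint.js"},
]

# Assumed cmdlet used to add the Defender exclusion; the article only says "with PowerShell".
EXCLUSION_RE = re.compile(r"Add-MpPreference\b.*-ExclusionPath", re.IGNORECASE)
# A .js script located somewhere under a Temp directory, as the dropped RAT is.
TEMP_JS_RE = re.compile(r'[A-Za-z]:\\[^\s"]*?\\Temp\\[^\s"]*?\.js', re.IGNORECASE)


def find_suspicious_parents(events):
    """Return one record per parent process that both adds a Defender exclusion
    via PowerShell and launches wscript on a .js file under TEMP. Either signal
    alone is noisy; the combination under one parent is the chain in the write-up."""
    by_pid = {ev["pid"]: ev for ev in events}
    exclusion_parents, script_by_parent = set(), {}
    for ev in events:
        image = ev["image"].lower()
        if image.endswith("powershell.exe") and EXCLUSION_RE.search(ev["cmdline"]):
            exclusion_parents.add(ev["ppid"])
        if image.endswith("wscript.exe"):
            match = TEMP_JS_RE.search(ev["cmdline"])
            if match:
                script_by_parent[ev["ppid"]] = match.group(0)
    hits = []
    for ppid in sorted(exclusion_parents & set(script_by_parent)):
        parent = by_pid.get(ppid)
        hits.append({"ppid": ppid,
                     "parent_image": parent["image"] if parent else None,
                     "script": script_by_parent[ppid]})
    return hits


if __name__ == "__main__":
    for hit in find_suspicious_parents(EVENTS):
        print(f"Defender exclusion + wscript on TEMP script under PID {hit['ppid']}: {hit}")
```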
