‘Dark Watchman’ – RAT Evolution in Fileless Malware!

A new remote access trojan (RAT) being distributed via a Russian-language spear-phishing campaign is using unique manipulation of Windows Registry to evade most security detections, showing a major evolution in fileless malware techniques.

The new tool manipulates Windows Registry in unique ways to evade security detections & is likely being used by ransomware groups for initial network access.

Temporary Storage

Dubbed Dark Watchman, the RAT – discovered by researchers at Prevailion’s Adversarial Counterintelligence Team (PACT) – uses the registry on Windows systems for nearly all temporary storage on a machine & thus never writes anything to disk.

This allows it “to operate beneath or around the detection threshold of most security tools,” PACT researchers Matt Stafford & Sherman Smith wrote in a report published late Tues.

In addition to its fileless persistence, Dark Watchman also uses a “robust” Domain Generation Algorithm (DGA) to identify its command-&-control (C&C) infrastructure & includes dynamic run-time capabilities like self-updating & recompilation, researchers observed.

TLS Certificate

PACT’s first hint of the RAT’s activity came in Nov. via a TLS certificate on the abuse.ch SSLBL for the domain name “bfdb1290[.]top.”

Researchers found a malicious sample of the RAT linked to the blacklisted certificate via Virus Total, leading to the discovery of another associated domain hosted on a Bulgarian IP address associated with Bulgarian ISP Belcloud LTD’s network.

The PACT team constructed a timeline of activity & eventually identified Dark Watchman being distributed through a spear-phishing campaign using Russian-language emails with the subject line “Free storage expiration notification.” They appeared to come from a sender at the domain “ponyexpress[.]ru.”

Lure Material

“The body of the email … contained additional lure material that one would likely anticipate after reading the subject,” researchers wrote.

“Notably, it referenced the malicious attachment, an expiration of free storage, & claimed to be from Pony Express thus further reinforcing the spoofed sender address.”

Sophisticated Windows Registry Manipulation

The design of Dark Watchman shows that its creators understand Windows Registry, researchers observed. The RAT uses the registry in a “particularly novel” way – “to communicate between abstracted threads of operation, & as both persistent & temporary storage,” they wrote.

“It would appear that the authors of Dark Watchman identified & took advantage of the complexity & opacity of the Windows Registry to work underneath or around the detection threshold of security tools & analysts alike,” researchers wrote.

“Registry changes are commonplace, & it can be difficult to identify which changes are anomalous or outside the scope of normal OS & software functions.”

Temporary Storage Buffer

Dark Watchman also uses the registry both as a temporary storage buffer for information that has yet to be sent to command-&-control (C2) and as a storage location for the encoded executable code prior to runtime. These features “indicate a robust understanding of software development & the Windows Operating System itself,” researchers wrote.

“The storage of the binary in the registry as encoded text means that Dark Watchman is persistent, yet its executable is never (permanently) written to disk; it also means that Dark Watchman’s operators can update (or replace) the malware every time it’s executed,” they observed.
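The behaviour described above gives a defender a concrete hunting angle: a binary stored in the registry as encoded text shows up as a string value that is far longer and far more random than the paths, flags and version strings that normally live there. The script below is an added example and is not code from Prevailion or from the malware; it parses a `.reg` export (the sample export, including the `ExampleVendor\Cache` key and its `payload` blob, is constructed here for illustration) and flags string data that is both unusually long and high-entropy. The length and entropy thresholds are assumptions to tune against a baseline of your own hosts, not values from the report.

```python
import base64
import math
import random
import re
from collections import Counter


def shannon_entropy(text: str) -> float:
    """Bits per character of a string. Random base64 text sits near 6.0;
    ordinary paths and words sit well below 4.5."""
    if not text:
        return 0.0
    counts = Counter(text)
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


_KEY_RE = re.compile(r"^\[(.+)\]$")
# Matches "Name"="data" and @="data" lines of a .reg export (REG_SZ only).
_STR_VALUE_RE = re.compile(r'^(?:"([^"]+)"|(@))="(.*)"$')


def parse_reg_export(text: str):
    """Return (key, value_name, data) tuples for the REG_SZ entries of a .reg export.
    hex:/dword: data is skipped here; a fuller parser would decode those too,
    since an encoded blob could just as well be stored as REG_BINARY."""
    entries = []
    key = None
    for raw in text.splitlines():
        line = raw.strip()
        m = _KEY_RE.match(line)
        if m:
            key = m.group(1)
            continue
        m = _STR_VALUE_RE.match(line)
        if m and key is not None:
            name = m.group(1) if m.group(1) is not None else "(Default)"
            entries.append((key, name, m.group(3)))
    return entries


def find_suspicious_values(entries, min_len=2048, min_entropy=4.5):
    """Flag string data that is both long and high-entropy: the profile of
    base64-like encoded code or buffered exfil data parked in the registry.
    Thresholds are assumed starting points, not values from the report."""
    hits = []
    for key, name, data in entries:
        if len(data) >= min_len:
            ent = shannon_entropy(data)
            if ent >= min_entropy:
                hits.append({"key": key, "name": name,
                             "length": len(data), "entropy": round(ent, 2)})
    return hits


# Constructed sample export: one ordinary Run entry and one key holding a
# 4000-character base64 blob standing in for an encoded executable.
_rng = random.Random(7)
_FAKE_BLOB = base64.b64encode(bytes(_rng.getrandbits(8) for _ in range(3000))).decode()

SAMPLE_REG_EXPORT = f"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run]
"OneDrive"="\\"C:\\\\Users\\\\alice\\\\AppData\\\\Local\\\\Microsoft\\\\OneDrive\\\\OneDrive.exe\\" /background"

[HKEY_CURRENT_USER\\Software\\ExampleVendor\\Cache]
"payload"="{_FAKE_BLOB}"
"lastrun"="2021-12-15"
"""

if __name__ == "__main__":
    for hit in find_suspicious_values(parse_reg_export(SAMPLE_REG_EXPORT)):
        print(f"{hit['key']}\\{hit['name']}: {hit['length']} chars, "
              f"entropy {hit['entropy']} bits/char")
```

On a live host, feed the script the output of `reg export` for the hives you care about and compare hits against a known-good baseline; a single large high-entropy value under an unfamiliar vendor key is worth a look, while the same value under a key that legitimately caches serialized data may be noise.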

Ransomware Actors?

Due to certain aspects of its functionality, researchers believe that Dark Watchman is being used by ransomware actors & their affiliates “as a first stage initial payload for ransomware deployment,” they wrote.

These aspects include its attempt to delete shadow copies on installation, its search for enterprise targets – for example, smart-card readers – & its ability to remotely load additional payloads, they explained.
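Of the three indicators listed above, the shadow-copy deletion is the easiest to turn into a detection, because it almost always surfaces as a process-creation event with a recognisable command line. The following is an added example, not code from the report; it runs a small rule over process-creation events in a constructed JSON-lines format modelled on Sysmon Event ID 1 fields (`EventID`, `Image`, `CommandLine`, `ParentImage`, `Computer`). The sample events are constructed for illustration, and the benign `vssadmin list shadows` line is included to show that the rule keys on deletion, not on the tool itself.

```python
import json
import re

# Command-line shapes that remove Volume Shadow Copies. Listing or creating
# shadows is routine admin work and is deliberately not matched.
SHADOW_COPY_DELETION_PATTERNS = [
    re.compile(r"\bvssadmin(\.exe)?\b.*\bdelete\b.*\bshadows\b", re.IGNORECASE),
    re.compile(r"\bwmic(\.exe)?\b.*\bshadowcopy\b.*\bdelete\b", re.IGNORECASE),
]


def is_shadow_copy_deletion(command_line: str) -> bool:
    """True if the command line matches a known shadow-copy deletion shape."""
    return any(p.search(command_line) for p in SHADOW_COPY_DELETION_PATTERNS)


def scan_process_events(jsonl: str):
    """Scan JSON-lines process-creation events and return one alert per
    shadow-copy deletion, carrying the fields an analyst needs to pivot on."""
    alerts = []
    for line in jsonl.splitlines():
        if not line.strip():
            continue
        event = json.loads(line)
        if event.get("EventID") != 1:          # process creation only
            continue
        cmd = event.get("CommandLine", "")
        if is_shadow_copy_deletion(cmd):
            alerts.append({
                "computer": event.get("Computer"),
                "parent": event.get("ParentImage"),
                "image": event.get("Image"),
                "command_line": cmd,
                "rule": "shadow_copy_deletion",
            })
    return alerts


# Constructed sample events (not real telemetry): one benign listing,
# one vssadmin deletion, one wmic deletion and one unrelated process.
SAMPLE_EVENTS = "\n".join(json.dumps(e) for e in [
    {"EventID": 1, "Computer": "WS-ALICE", "ParentImage": "C:\\Windows\\System32\\cmd.exe",
     "Image": "C:\\Windows\\System32\\vssadmin.exe",
     "CommandLine": "vssadmin list shadows"},
    {"EventID": 1, "Computer": "WS-ALICE", "ParentImage": "C:\\Windows\\System32\\cmd.exe",
     "Image": "C:\\Windows\\System32\\vssadmin.exe",
     "CommandLine": "vssadmin.exe delete shadows /all /quiet"},
    {"EventID": 1, "Computer": "WS-BOB", "ParentImage": "C:\\Windows\\System32\\cmd.exe",
     "Image": "C:\\Windows\\System32\\wbem\\WMIC.exe",
     "CommandLine": "wmic shadowcopy delete"},
    {"EventID": 1, "Computer": "WS-BOB", "ParentImage": "C:\\Windows\\explorer.exe",
     "Image": "C:\\Windows\\System32\\notepad.exe",
     "CommandLine": "notepad.exe notes.txt"},
])

if __name__ == "__main__":
    for alert in scan_process_events(SAMPLE_EVENTS):
        print(f"[{alert['rule']}] {alert['computer']}: "
              f"{alert['parent']} -> {alert['command_line']}")
```

The parent image is kept in the alert on purpose: shadow-copy deletion launched by a backup agent looks very different from the same command launched from a scripting host or an unfamiliar process, and that context is what separates a page-worthy alert from an administrator's routine work.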

Also, the RAT’s introduction of a DGA-determined C2 structure provides resiliency & randomness to its communications that suggests ransomware operators are using it to support affiliate activities, they observed.

“One interesting hypothesis is that the ransomware operators could provide something like Dark Watchman to their less technologically capable affiliates, & once the affiliate gains a foothold in the system, it automatically communicates back to domains the operator controls,” researchers wrote.

This type of activity would eliminate the need for affiliates to deploy the ransomware or handle file exfiltration, & would move the ransomware operator from a negotiator role to the one at the helm, actively controlling the infection, they commented.

Dark Watchman’s features clearly show the work of a sophisticated threat actor & represent a key step forward in how attackers can gain initial entry, then achieve a stealthy persistent presence on Windows systems to steal data & perform other untoward activities, researchers wrote.

“Dark Watchman is significant as it represents an evolution in fileless malware techniques – among other new features – which make it particularly concerning,” they concluded.