DarkWatchman is spread via phishing sites that imitate CryptoPro CSP to deliver the malware, which stores data in the Windows Registry and uses a staged execution flow to deploy a RAT and a keylogger while avoiding disk writes. The campaign targets Russian users and relies on a mix of JS, PowerShell, and Windows Script Host to persist, exfiltrate data, and communicate with C2 servers.
#DarkWatchman #CryptoPro #CRIL #Cyble #Phishing
Keypoints
- DarkWatchman RAT is delivered through a phishing site mimicking CryptoPro CSP to lure victims.
- The malware stores keystrokes, clipboard data, and system information in the Windows Registry instead of writing to disk.
MITRE Techniques
- [T1566] Phishing – The phishing website imitates CryptoPro CSP to trick users into downloading malicious content. Quote: “phishing attacks pose an ongoing and widespread danger… attackers often use fraudulent websites to distribute their malicious software.”
- [T1059.001] PowerShell – The malware launches PowerShell with hidden execution to bypass user visibility. Quote: “…start /MIN powershell.exe -NonI -W Hidden -Exec Bypass Add-MpPreference -ExclusionPath …”
- [T1059.005] Windows Script – The JavaScript is executed via Windows Script Host (wscript.exe). Quote: “…start /MIN wscript.exe /E:jscript 144039266 131 'C:\Users\User Profile\Desktop\CSP\CSPSetup.exe'…”
- [T1564.001] Hide Artifacts: Hidden Window – The command uses hidden windows to avoid user awareness. Quote: “…-W Hidden…”
- [T1140] Deobfuscate/Decode Files or Information – The keylogger is encrypted/encoded and later decrypted and stored. Quote: “decrypts the keylogger code and stores in registry.”
- [T1053] Scheduled Task/Job – A task scheduler entry is created to run the copied script at startup. Quote: “task scheduler entry … to run the copied script every time the system starts up.”
- [T1012] Query Registry – UID is obtained by reading a registry value. Quote: “obtaining a unique identifier (UID) … by accessing a specific registry value… HKEY_LOCAL_MACHINE…MachineGuid.”
- [T1082] System Information Discovery – The malware collects OS version, locale, computer name, username, domain role, and antivirus. Quote: “collects the victim’s system information, such as operating system version, locale, computer name, username, domain role, and antivirus software.”
- [T1087] Account Discovery – Checks administrative privileges via registry-based checks. Quote: “Is_admin… determines whether the user has administrative privileges on the system.”
- [T1056.001] Input Capture: Keylogging – The RAT implements a keylogger and captures keystrokes and clipboard data. Quote: “The keylogger records keystrokes, clipboard data, and smart card information in the registry…”
- [T1071] Command and Control: Application Layer Protocol – Data is sent to and retrieved from a C2 server; fallback mechanisms exist. Quote: “The RAT regularly retrieves and clears the buffer before transmitting the captured keystrokes to the C&C server.”
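The two command lines quoted above (a hidden PowerShell adding a Defender exclusion, and wscript.exe forced onto the JScript engine for a file with no script extension) are distinctive enough to hunt for in process-creation telemetry. The following detection sketch is an added example, not code from the Cyble report; the log lines are constructed, and the "image|command line" layout is an assumed simplification of a Sysmon event 1 export.

```python
import re
from dataclasses import dataclass

# Constructed process-creation events (not from the report); each is
# "image|command line", a reduced form of what a Sysmon event 1 export carries.
SAMPLE_EVENTS = [
    "powershell.exe|powershell.exe -NonI -W Hidden -Exec Bypass Add-MpPreference -ExclusionPath C:\\Users\\User\\AppData",
    "wscript.exe|wscript.exe /E:jscript 144039266 131 'C:\\Users\\User\\Desktop\\CSP\\CSPSetup.exe'",
    "wscript.exe|wscript.exe C:\\Scripts\\inventory.js",
    "powershell.exe|powershell.exe -NoProfile Get-Process",
]

@dataclass
class Finding:
    rule: str
    image: str
    cmdline: str

def hidden_defender_exclusion(image, cmd):
    """T1059.001 + T1564.001: hidden-window PowerShell adding a Defender path exclusion."""
    c = cmd.lower()
    return (image.lower() == "powershell.exe"
            and re.search(r"-w(indowstyle)?\s+hidden", c) is not None
            and "add-mppreference" in c and "-exclusionpath" in c)

def jscript_engine_override(image, cmd):
    """T1059.005: wscript with /E:jscript on a target lacking a script extension."""
    if image.lower() != "wscript.exe":
        return False
    m = re.search(r"/e:jscript\s+(\S+)", cmd, re.IGNORECASE)
    return m is not None and not m.group(1).lower().endswith((".js", ".jse"))

RULES = {
    "hidden_powershell_defender_exclusion": hidden_defender_exclusion,
    "wscript_jscript_engine_override": jscript_engine_override,
}

def scan(events):
    """Run every rule over every event and return the matches."""
    findings = []
    for line in events:
        image, _, cmd = line.partition("|")
        for name, rule in RULES.items():
            if rule(image, cmd):
                findings.append(Finding(name, image, cmd))
    return findings

if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f.rule, "->", f.cmdline)
```

Pair these process rules with the Defender exclusion list itself (a new exclusion under a user profile path is worth an alert on its own) and with scheduled tasks whose action is wscript.exe.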
Indicators of Compromise
- [File Hashes] – SHA-256 hashes for sample files: 4e38b7519bf7b482f10e36fb3e000cc2fcbf058730f6b9598a6a7ba5543766d4, bb91d5234f37905f4830061331beab99e51206e7, and 2 more hashes (RAR archive)
- [File Hashes] – CSPSetup.exe variants: d439a3ce7353ef96cf3556abba1e5da77eac21fdba09d6a4aad42d1fc88c1e3c, be450cd1fab1b708ac1de209224e0d7f7adc0fae, and 1 more hash
- [File Hashes] – Obfuscated JS file: 706eebdf4d… , 149ce68540a0…, and 1 more hash
- [File Hashes] – DynamicWrapper.dll: 1b5eb6d4680f7d4d…, 1f87eeb37156d64d…, and 1 more hash
- [File Names] – CSPSetup.rar, CSPSetup.exe, readme.txt, 291529489 (encrypted keylogger)
- [Domains] – cryptopro-download.one (phishing site domain used to distribute CSPSetup.exe)
Read more: https://blog.cyble.com/2023/05/05/sophisticated-darkwatchman-rat-spreads-through-phishing-sites/