DarkWatchman
DarkWatchman is a lightweight JavaScript-based remote access tool (RAT) that avoids file operations; it was first observed in November 2021.[1]
Techniques Used
| Domain | ID | Name | Use | |
|---|---|---|---|---|
| Enterprise | T1047 | Windows管理规范 |
DarkWatchman can use WMI to execute commands.[1] |
|
| Enterprise | T1005 | 从本地系统获取数据 |
DarkWatchman can collect files from a compromised host.[1] |
|
| Enterprise | T1036 | 伪装 |
DarkWatchman has used an icon mimicking a text file to mask a malicious executable.[1] |
|
| Enterprise | T1112 | 修改注册表 |
DarkWatchman can modify Registry values to store configuration strings, keylogger, and output of components.[1] |
|
| Enterprise | T1129 | 共享模块 |
DarkWatchman can load DLLs.[1] |
|
| Enterprise | T1573 | .002 | 加密通道: Asymmetric Cryptography |
DarkWatchman can use TLS to encrypt its C2 channel.[1] |
| Enterprise | T1568 | .002 | 动态解析: Domain Generation Algorithms |
DarkWatchman has used a DGA to generate a domain name for C2.[1] |
| Enterprise | T1140 | 反混淆/解码文件或信息 |
DarkWatchman has the ability to self-extract as a RAR archive.[1] |
|
| Enterprise | T1059 | .001 | 命令与脚本解释器: PowerShell |
DarkWatchman can execute PowerShell commands and has used PowerShell to execute a keylogger.[1] |
| .003 | 命令与脚本解释器: Windows Command Shell |
DarkWatchman can use |
||
| .007 | 命令与脚本解释器: JavaScript |
DarkWatchman uses JavaScript to perform its core functionalities.[1] |
||
| Enterprise | T1120 | 外围设备发现 |
DarkWatchman can list signed PnP drivers for smartcard readers.[1] |
|
| Enterprise | T1071 | .001 | 应用层协议: Web Protocols |
DarkWatchman uses HTTPS for command and control.[1] |
| Enterprise | T1010 | 应用窗口发现 |
DarkWatchman reports window names along with keylogger information to provide application context.[1] |
|
| Enterprise | T1074 | .001 | 数据分段: Local Data Staging |
DarkWatchman can stage local data in the Windows Registry.[1] |
| Enterprise | T1132 | .001 | 数据编码: Standard Encoding |
DarkWatchman encodes data using hexadecimal representation before sending it to the C2 server.[1] |
| Enterprise | T1083 | 文件和目录发现 |
DarkWatchman has the ability to enumerate file and folder names.[1] |
|
| Enterprise | T1012 | 查询注册表 |
DarkWatchman can query the Registry to determine if it has already been installed on the system.[1] |
|
| Enterprise | T1217 | 浏览器信息发现 |
DarkWatchman can retrieve browser history.[1] |
|
| Enterprise | T1027 | .004 | 混淆文件或信息: Compile After Delivery |
DarkWatchman has used the |
| .010 | 混淆文件或信息: Command Obfuscation |
DarkWatchman has used Base64 to encode PowerShell commands.[1] |
||
| .011 | 混淆文件或信息: Fileless Storage |
DarkWatchman can store configuration strings, keylogger, and output of components in the Registry.[1] |
||
| .013 | 混淆文件或信息: Encrypted/Encoded File |
DarkWatchman has been delivered as compressed RAR payloads in ZIP files to victims.[1] |
||
| Enterprise | T1070 | 移除指标 |
DarkWatchman can uninstall malicious components from the Registry, stop processes, and clear the browser history.[1] |
|
| .004 | File Deletion |
DarkWatchman has been observed deleting its original launcher after installation.[1] |
||
| Enterprise | T1614 | 系统位置发现 |
DarkWatchman can identity the OS locale of a compromised host.[1] |
|
| Enterprise | T1082 | 系统信息发现 |
DarkWatchman can collect the OS version, system architecture, and computer name.[1] |
|
| Enterprise | T1490 | 系统恢复抑制 |
DarkWatchman can delete shadow volumes using |
|
| Enterprise | T1033 | 系统所有者/用户发现 |
DarkWatchman has collected the username from a victim machine.[1] |
|
| Enterprise | T1124 | 系统时间发现 |
DarkWatchman can collect time zone information and system |
|
| Enterprise | T1518 | .001 | 软件发现: Security Software Discovery |
DarkWatchman can search for anti-virus products on the system.[1] |
| Enterprise | T1056 | .001 | 输入捕获: Keylogging |
DarkWatchman can track key presses with a keylogger module.[1] |
| Enterprise | T1566 | .001 | 钓鱼: Spearphishing Attachment |
DarkWatchman has been delivered via spearphishing emails that contain a malicious zip file.[1] |
| Enterprise | T1053 | .005 | 预定任务/作业: Scheduled Task |
DarkWatchman has created a scheduled task for persistence.[1] |