From b81ac7f01da403e653daa27ce7a1a6acdc05ec20 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?J=C3=BCrgen=20L=C3=B6hel?= Date: Fri, 17 Dec 2021 07:16:56 -0600 Subject: [PATCH] Adds DarkWatchman RAT MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Jürgen Löhel --- clusters/rat.json | 13 ++++++++++++- 1 file changed, 12 insertions(+), 1 deletion(-) diff --git a/clusters/rat.json b/clusters/rat.json index dd0ae78..4a01f58 100644 --- a/clusters/rat.json +++ b/clusters/rat.json @@ -3486,7 +3486,18 @@ }, "uuid": "833ed94d-97c1-4b57-9634-c27bf42eb867", "value": "Guildma" + }, + { + "description": "In late November, Prevailion’s Adversarial Counterintelligence Team (PACT) identified what appeared to be a malicious javascript-based Remote Access Trojan (RAT) that uses a robust Domain Generation Algorithm (DGA) to identify its Command and Control (C2) infrastructure and that utilizes novel methods for fileless persistence, on-system activity, and dynamic run-time capabilities like self-updating and recompilation. This RAT, which PACT refers to by its internal codename “DarkWatchman”, has been observed being distributed by email and represents an evolution in fileless malware techniques, as it uses the registry for nearly all temporary and permanent storage and therefore never writes anything to disk, allowing it to operate beneath or around the detection threshold of most security tools. PACT has reverse engineered the DGA, dynamically analyzed the malware, investigated the Threat Actor’s (TA) web-based infrastructure, and consolidated the results of our analysis into the following report.", + "meta": { + "refs": [ + "https://www.prevailion.com/darkwatchman-new-fileness-techniques/" + ], + "synonyms": [] + }, + "uuid": "35198ca6-6f8d-49cd-be1b-65f21b2e7e00", + "value": "DarkWatchman" } ], - "version": 36 + "version": 37 }