In late November, Prevailion’s Adversarial Counterintelligence Team (PACT) identified a new malware threat dubbed “DarkWatchman” which is virtually undetectable. DarkWatchman is a Remote Access Trojan (RAT) and keylogger that, according to PACT, represents a revolution in fileless malware techniques as it uses the Registry for nearly all temporary and permanent storage and therefore never writes anything to disk, allowing it to operate beneath or around the detection threshold of most security tools. Meaning that, at the moment, most antivirus engines will not detect it.
Credit: Prevailion
Because the malware includes persistence and backdoor features, the team at PACT concluded that DarkWatchman may well be a reconnaissance tool designed and used by ransomware groups hunting for suitable targets.
The storage of the binary in the registry as encoded text means that Darkwatchman is persistent yet its executable is never (permanently) written to disk; it also means that DarkWatchman’s operators can update (or replace) the malware every time it’s executed ~ source
PACT discovered this new malware after it had been delivered via a malicious email attachment — read PACT’s full report: DarkWatchman A New Evolution In Fileless Techniques.
BOTTOM LINE:
While this new malware obviously represents a serious threat its traditional delivery methodology begs users to bear in mind that most malware cannot be delivered without some sort of interaction from the user. Do not open any suspicious email attachments or click on embedded links included with suspicious emails. In fact, at all times users should be very cautious about where and what they click.
—
This is one of the reasons why company owners should be mindful of website security and the methods that can be used to bring this to the forefront, whether it’s an SSL certificate or what have you.
This should scare the sh__ out of any small business owner. But, this information is not widely disseminated to to the small business community. Governments around the world should be warning everyone to put measures in place to protect their businesses and personal safety.
Now that this knowledge is out there, all antivirus suppliers should be working to thwart this treat.
Hey Tom,
I absolutely agree. The one true measure to safeguard businesses is staff education/training so they know not to click where they shouldn’t.
I have worked for both big and small businesses in my career. I have seen strict implementation regarding Internet access where workers were only able to connect to customers or suppliers to a management attitude that it will not happen to their business. I have also been involved twice where an attack was in progress. Luckily for the most serious one a quick detection, a lockout of all PC’s from the server and an implementation of a three tier backup allowed for each PC to have Windows & software reinstalled and the data restored. The core PC’s were back up and running that same day. The others were gradually wiped and added back. Compared to today’s attacks, those early attacks were mild in mature.
Generally, my experience is that upper management considers computer safety an unnecessary expense until there has been an attack that hurt.
“Generally, my experience is that upper management considers computer safety an unnecessary expense until there has been an attack that hurt.”
So true, unfortunately.