In late November, Prevailion’s Adversarial Counterintelligence Team (PACT) identified a new malware threat dubbed “DarkWatchman” which is virtually undetectable. DarkWatchman is a Remote Access Trojan (RAT) and keylogger that, according to PACT, represents a revolution in fileless malware techniques: it uses the Registry for nearly all temporary and permanent storage and therefore never writes anything to disk, allowing it to operate beneath or around the detection threshold of most security tools. This means that, at the moment, most antivirus engines will not detect it.
Because the malware includes persistence and backdoor features, the team at PACT concluded that DarkWatchman may well be a reconnaissance tool designed and used by ransomware groups hunting for suitable targets.
“The storage of the binary in the registry as encoded text means that DarkWatchman is persistent yet its executable is never (permanently) written to disk; it also means that DarkWatchman’s operators can update (or replace) the malware every time it’s executed.” (source: PACT’s report)
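A defender-side illustration of the registry-storage point above, written for this post and not taken from PACT’s report: a heuristic scan of a Windows .reg export for string values that are both long and high-entropy, which is how an encoded payload parked in the Registry tends to look. The export text, the key names and the blob are all constructed sample data.

```python
import base64
import hashlib
import math
import re
from collections import Counter

def constructed_blob(n_bytes=900):
    """Deterministic pseudo-random bytes, base64-encoded, standing in for an
    encoded payload. Constructed sample data, not a real artifact."""
    out, seed = b"", b"constructed-sample"
    while len(out) < n_bytes:
        seed = hashlib.sha256(seed).digest()
        out += seed
    return base64.b64encode(out[:n_bytes]).decode()

# Constructed .reg export: ordinary settings plus one oversized string value.
SAMPLE_REG_EXPORT = (
    "Windows Registry Editor Version 5.00\n\n"
    "[HKEY_CURRENT_USER\\Software\\Example\\Settings]\n"
    '"Theme"="dark"\n"WindowWidth"=dword:00000400\n\n'
    "[HKEY_CURRENT_USER\\Software\\Example\\Cache]\n"
    f'"Blob"="{constructed_blob()}"\n'
)
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<data>.*)"$')

def shannon_entropy(s):
    """Bits per character; random base64 text scores close to 6."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values()) if n else 0.0

def find_suspicious_string_values(reg_text, min_len=512, min_entropy=4.5):
    """Flag string (REG_SZ) values that are both long and high-entropy, the
    profile of an encoded blob stored in the Registry. Heuristic only: hex(...)
    binary values are not parsed, and thresholds need tuning per environment."""
    findings, current_key = [], None
    for raw in reg_text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current_key = line[1:-1]
            continue
        m = VALUE_RE.match(line)
        if m:
            data = m.group("data")
            ent = shannon_entropy(data)
            if len(data) >= min_len and ent >= min_entropy:
                findings.append((current_key, m.group("name"), len(data), round(ent, 2)))
    return findings
```

On a real host the input would be the output of `reg export` for the hives you want to sweep; legitimate software also stores large encoded values, so treat hits as leads for triage, not verdicts.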
PACT discovered this new malware after it had been delivered via a malicious email attachment. Read PACT’s full report: “DarkWatchman: A New Evolution In Fileless Techniques”.
While this new malware clearly represents a serious threat, its traditional delivery method is a reminder that most malware cannot be delivered without some sort of interaction from the user. Do not open suspicious email attachments or click on links embedded in suspicious emails. In fact, users should at all times be very cautious about where and what they click.