December 23, 2021 — Eric Swotinsky
Incident reports

Dark Watchman demonstrates evolution in fileless malware techniques

Acronis Cyber Protect Cloud

A new remote access Trojan (RAT) named Dark Watchman is written mainly in JavaScript and relies on fileless techniques, which makes it harder to spot on disk.

Dark Watchman is stored in the Windows Registry as a script, and a scheduled task is created to launch it every time the user logs in. It also includes a keylogger, stored as obfuscated C# source code and compiled on the host by a PowerShell script using the legitimate .NET CSC.exe compiler.
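One way to turn the persistence chain just described into detection logic, as an added example that is not Acronis code or part of the original report: a small Python scan over constructed Sysmon-style process-creation records looking for a logon task that launches a script host, PowerShell driving CSC.exe, and a script body pulled from the registry and executed in memory. Field names, paths and command lines are assumptions.

```python
"""Heuristics for the Dark Watchman persistence chain over constructed events."""
import re

SCRIPT_HOSTS = ("wscript.exe", "cscript.exe", "mshta.exe", "powershell.exe")

# Constructed sample events (hypothetical; not from the original report).
EVENTS = [
    {"id": 1, "image": r"C:\Windows\System32\schtasks.exe",
     "parent": r"C:\Windows\System32\wscript.exe",
     "cmd": r'schtasks /create /tn Updater /sc onlogon /tr "wscript.exe //e:jscript C:\Users\u\AppData\x.js"'},
    {"id": 2, "image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe",
     "parent": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmd": r'csc.exe /noconfig /fullpaths @"C:\Users\u\AppData\Local\Temp\abc.cmdline"'},
    {"id": 3, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent": r"C:\Windows\System32\wscript.exe",
     "cmd": r'powershell -w hidden -c "iex (Get-ItemProperty HKCU:\Software\x).y"'},
    # Benign: Visual Studio invoking the compiler, and a daily backup task.
    {"id": 4, "image": r"C:\Program Files\Microsoft Visual Studio\2019\Community\MSBuild\Current\Bin\Roslyn\csc.exe",
     "parent": r"C:\Program Files\Microsoft Visual Studio\2019\Community\Common7\IDE\devenv.exe",
     "cmd": r'csc.exe /noconfig @"C:\proj\obj\Debug\proj.csproj.rsp"'},
    {"id": 5, "image": r"C:\Windows\System32\schtasks.exe",
     "parent": r"C:\Windows\System32\cmd.exe",
     "cmd": r'schtasks /create /tn Backup /sc daily /tr "C:\backup\run.bat"'},
]


def _name(path):
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def classify(event):
    """Return the names of the rules an event matches (empty list if none)."""
    hits = []
    img, parent, cmd = _name(event["image"]), _name(event["parent"]), event["cmd"].lower()
    # Rule 1: PowerShell driving the .NET compiler (C# keylogger built at runtime).
    if img == "csc.exe" and parent == "powershell.exe":
        hits.append("powershell_spawns_csc")
    # Rule 2: a logon-triggered scheduled task whose action is a script host.
    if img == "schtasks.exe" and "/create" in cmd and "onlogon" in cmd \
            and any(h in cmd for h in SCRIPT_HOSTS):
        hits.append("logon_task_script_host")
    # Rule 3: a script host reading a registry value and evaluating it in memory.
    if img in SCRIPT_HOSTS and re.search(r"(get-itemproperty|regread|hk(cu|lm))", cmd) \
            and re.search(r"\b(iex|invoke-expression|eval)\b", cmd):
        hits.append("script_from_registry")
    return hits


def scan(events):
    """Map event id -> matched rules, keeping only events with at least one hit."""
    findings = {}
    for event in events:
        hits = classify(event)
        if hits:
            findings[event["id"]] = hits
    return findings
```

The three rules are independent, so an alert on any one is a lead; all three firing on the same host within a short window is the full chain the report describes.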

The RAT can download and execute new payloads, run custom commands, upload files to a command-and-control server, and update its own code. There are indications that it downloads ransomware.

The behavioral detection and machine intelligence capabilities in Acronis Cyber Protect effectively block both existing and brand-new malware threats, including fileless variants, before they can do any damage to your systems.