image credit: freepik
A novel remote access trojan (RAT) being distributed via a Russian-language spear-phishing campaign is using unique manipulation of Windows Registry to evade most security detections, demonstrating a significant evolution in fileless malware techniques.
Dubbed DarkWatchman, the RAT – discovered by researchers at Prevailion’s Adversarial Counterintelligence Team (PACT) – uses the registry on Windows systems for nearly all temporary storage on a machine and thus never writes anything to disk. This allows it “to operate beneath or around the detection threshold of most security tools,” PACT researchers Matt Stafford and Sherman Smith wrote in a report published late Tuesday.
Comments are closed.
