DarkWatchMan RAT Hides in Windows Registry

A phishing website impersonating the popular Russian site CryptoPro CSP has been detected by the Cyble Research and Intelligence Labs (CRIL) in a recent discovery.

The distribution of DarkWatchman malware was being carried out by threat actors through this website. In the year 2021, DarkWatchman was initially detected, and its focus was primarily on users in Russia.

The DarkWatchman RAT grants attackers unauthorized access to a victim’s system. This illicit access allows attackers to control the infected device and steal valuable information remotely.

Malicious Capabilities

There are several malicious capabilities that it possesses, including:

  • Capturing keystrokes
  • Clipboard data
  • System information

It is worth mentioning that DarkWatchman has a clever method of avoiding detection. Instead of writing the stolen data to the system’s disk, the malware stores it in the registry

This decreases the risk of being detected by AV tools, making it harder to discover the illicit activities of the attacker.

Technical Analysis

The following website employs a phishing tactic to trick unsuspecting users:-

  • hxxps[:]//cryptopro-download[.]one

When users visit the site, they are prompted to download a file named “CSPSetup.rar,” a malicious file that could harm their devices. It is necessary to enter a password that is provided with the file to extract the contents of this file.

Two files are included in the malicious archive after it has been extracted:-

  • CSPSetup.exe
  • readme.txt

DarkWatchman malware gets installed on the victim’s system when CSPSetup.exe is executed. 

When the cybersecurity analysts at Cyble analyzed the archive’s contents, it was discovered that a readme.txt file is included, written in Russian. The file indicates that the malware has mainly been designed to target Russian users.

When CSPSetup.exe is executed, which is an SFX archive file, it drops a file named “144039266” at %temp% location, and this file is a JavaScript file that contains the DarkWatchman RAT.

After a successful launch of the JavaScript file, the function outlined below takes over and is responsible for carrying out the following tasks:-

  • Initializing global variables
  • Installing a keylogger
  • Configuring the RAT

On the victims’ system, the script initiates the installation process of RAT after acquiring all the requisite global variables and user permission information.

Actions performed by the script

Following are the actions that are carried out by the script:-

  • There is a JavaScript file that the RAT checks for in the system registry and executes if it finds it in the registry.
  • PowerShell retrieves the keylogger code via the “StartProcessViaWMI” function from the registry.
  • To decrease the likelihood of detection, the keylogger stores keyboard inputs, clipboard data, and smart card information in the registry.
  • Keyloggers in DarkWatchman save the data they capture in their registry values that serve as buffers for storing data they capture from the user.


Here below, we have mentioned the recommendations offered by the security researchers:-

  • Emails that contain suspicious links should not be opened.
  • Downloading the software from an untrusted source should not be done.
  • Make sure your connected devices, including your desktop computer, laptop, and mobile phone, are secured with a reputable antivirus and Internet security software package.
  • If you receive an email attachment or link from an unknown source, you should not open it until you verify it is authentic.
  • Devices that are infected on the same network should be disconnected.
  • If you have connected an external storage device, you should disconnect it.
  • Ensure that the system logs are examined for suspicious activity.

Struggling to Apply The Security Patch in Your System? – 
Try All-in-One Patch Manager Plus

BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.