Threat Watch

New Fileless Malware Uses Windows Registry as Storage to Evade Detection

A newly discovered JavaScript-based remote access Trojan (RAT) has been observed using fileless techniques in order to evade detection. This RAT, known as DarkWatchman, utilizes the Windows Registry for all its storage operations, thereby enabling it to bypass antimalware engines and remain off disk.

This new malware has been seen targeting an unnamed organization in Russia and uses spear-phishing emails with malicious attachments as its infection vector. The RAT itself is comprised of two components: the JavaScript RAT itself and a C#-based keylogger. When a system is infected, the malware dropper writes the RAT’s configuration into the registry, and then writes the entire C# executable into the registry as encoded text. The persistence mechanism used is via a scheduled task, configured to run the main JavaScript file at user log on. The RAT uses a Domain Generation Algorithm (DGA) as its C2 server, making it particularly resilient to domain takedown or blocking. The keylogger functionality is set up to log all captured keypresses, write them into a buffer in a registry key, and then send the data to the C2 at regular intervals, making it so the output never touches the system’s disk.

This RAT functions similar to other RATs with the ability to execute commands, upload files, and load DLLs. This RAT, however, also has the capability to update itself and the keylogger executable remotely, as well as set an autostart JavaScript function to run whenever the RAT starts up. Since most of the functionality of the RAT is written into the registry and not files on the disk itself, it is incredibly adept at evading detection from most antimalware products.


Detection of this malware can be performed by monitoring for abnormal HTTP callouts, as well as registry modifications. The DGA used to determine the C2 of the malware uses a relatively well-patterned generation feature, which can be used to help find abnormal callouts in web logs. Likewise, the current version of the malware includes a typo in the user agent string it uses to make these callouts, allowing for a solid detection that should not have any false positives. While this is likely to be fixed quickly by the malware authors, it does allow for a quick and easy way to detect the malware in its current state. Malicious registry key modifications can be difficult to detect, due to the sheer number of them made during normal operations, but patterning the behavior and registry keys used by this malware can help find anomalous activity. Binary Defense’s Managed Detection and Response service is a great asset to assist with these types of detection needs.