CyberSecurity news

Mandvi @ Cyber Security News
Skitnet, also known as Bossnet, is multi-stage malware that has become a favored post-exploitation tool for ransomware gangs because of its stealth and versatility. First advertised on underground forums such as RAMP in April 2024, it quickly gained traction among notorious groups including BlackBasta, which has used Skitnet in phishing campaigns against enterprise collaboration platforms such as Microsoft Teams. The malware is attributed to the threat actor LARVA-306.

Skitnet relies on several techniques to deliver its payload quietly and keep a compromised system under control. The initial executable, written in Rust, decrypts an embedded payload compiled in Nim. The Nim binary then establishes a reverse shell to the command-and-control (C2) server over DNS. To stay off the radar of static analysis, it resolves the Windows API functions it needs at run time instead of listing them in a conventional import table. The session is opened with randomized DNS queries, giving the operators a robust and inconspicuous communication channel.

For persistence, Skitnet uses DLL hijacking. It drops a legitimate, signed Asus executable (ISP.exe) alongside a malicious library (SnxHidLib.DLL); when the signed binary runs, it loads the rogue DLL, which in turn launches a PowerShell script (pas.ps1). The script runs in an infinite loop, reporting the serial number of the device's C: drive to the C2 server and polling for commands. Skitnet also supports data exfiltration commands and can download a .NET loader binary that stages additional payloads, underscoring its role as a flexible post-exploitation tool.
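The persistence chain described above (signed ISP.exe loading SnxHidLib.DLL from the same directory, then spawning PowerShell with pas.ps1) is a concrete hunting pattern. The following added example, which is not from the article or from any of the cited reports, runs that check over constructed Sysmon-style image-load and process-create records; the record field names and the sample paths are assumptions, only the three file names come from the article.

```python
"""Hunt for the Skitnet DLL-hijacking persistence chain in Sysmon-style telemetry."""
from dataclasses import dataclass
from pathlib import PureWindowsPath

# File names reported for the persistence chain.
LOADER_EXE = "isp.exe"          # signed Asus binary abused as the loader
HIJACKED_DLL = "snxhidlib.dll"  # malicious DLL dropped next to it
LOOP_SCRIPT = "pas.ps1"         # PowerShell loop that reports the C: serial and polls C2


@dataclass
class ImageLoad:        # modelled loosely on Sysmon Event ID 7 (field names assumed)
    process: str        # image of the process doing the loading
    image: str          # DLL that was loaded


@dataclass
class ProcessCreate:    # modelled loosely on Sysmon Event ID 1 (field names assumed)
    parent_image: str
    image: str
    command_line: str


def is_sideload(ev: ImageLoad) -> bool:
    """ISP.exe loading SnxHidLib.DLL from its own directory: the hijack pattern."""
    proc, dll = PureWindowsPath(ev.process), PureWindowsPath(ev.image)
    return (proc.name.lower() == LOADER_EXE
            and dll.name.lower() == HIJACKED_DLL
            and proc.parent == dll.parent)      # PureWindowsPath compares case-insensitively


def is_beacon_loop(ev: ProcessCreate) -> bool:
    """PowerShell spawned under ISP.exe with pas.ps1 on its command line."""
    parent = PureWindowsPath(ev.parent_image).name.lower()
    child = PureWindowsPath(ev.image).name.lower()
    return (parent == LOADER_EXE
            and child in ("powershell.exe", "pwsh.exe")
            and LOOP_SCRIPT in ev.command_line.lower())


def hunt(events) -> list[str]:
    """Return one finding per event that matches either stage of the chain."""
    hits = []
    for ev in events:
        if isinstance(ev, ImageLoad) and is_sideload(ev):
            hits.append(f"sideload: {ev.process} loaded {ev.image}")
        elif isinstance(ev, ProcessCreate) and is_beacon_loop(ev):
            hits.append(f"beacon loop: {ev.command_line}")
    return hits


SAMPLE = [  # constructed telemetry: two malicious events, two benign ones
    ImageLoad(r"C:\Users\Public\ISP.exe", r"C:\Users\Public\SnxHidLib.DLL"),
    ImageLoad(r"C:\Program Files\ASUS\ISP.exe", r"C:\Windows\System32\kernel32.dll"),
    ProcessCreate(r"C:\Users\Public\ISP.exe",
                  r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                  r"powershell.exe -File C:\Users\Public\pas.ps1"),
    ProcessCreate(r"C:\Windows\explorer.exe", r"C:\Windows\System32\notepad.exe", "notepad.exe"),
]

if __name__ == "__main__":
    for finding in hunt(SAMPLE):
        print(finding)
```

Feeding real Sysmon events into the two record types lets the same logic run over an EDR export; the benign ASUS load in the sample shows why the same-directory condition matters.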

References:
  • bsky.app: Ransomware gangs increasingly use Skitnet post-exploitation malware ift.tt/cCJbfqk
  • Cyber Security News: Skitnet Malware Uses Advanced Stealth Methods to Deliver Payload and Ensure Persistence Techniques
  • The DefendOps Diaries: Explore Skitnet, a powerful ransomware tool reshaping cybercrime with its stealth and versatility, used by notorious gangs like BlackBasta.
  • The Hacker News: Ransomware Gangs Use Skitnet Malware for Stealthy Data Theft and Remote Access
Classification:
  • HashTags: #Skitnet #Malware #Stealth
  • Target: Enterprises
  • Attacker: LARVA-306
  • Feature: Stealth and Persistence
  • Malware: Skitnet
  • Type: Malware
  • Severity: Major