Skitnet Malware Employs Stealth Techniques to Execute Payload and Maintain Persistence
A new and highly sophisticated multi-stage malware, known as Skitnet (or Bossnet), has been uncovered, showcasing advanced stealth techniques to execute its malicious payload and maintain persistent access on infected systems.
Developed by the threat group LARVA-306, Skitnet has been actively sold on underground forums like RAMP since April 19, 2024, with its creators offering both the malware and server code as a compact package.
Advertised with fully automated installation via Bash scripts, this malware minimizes manual intervention and incorporates self-cleaning mechanisms to erase traces such as SSH logs, IP addresses, command history, and cache data, making forensic analysis challenging.
The Russian-speaking author behind Skitnet has designed it to be a versatile and evasive tool, leveraging multiple programming languages and encryption methods to bypass traditional security defenses.
A Sophisticated Multi-Stage Threat
At its core, Skitnet begins with an initial executable crafted in Rust, utilizing the ChaCha20 encryption library to decrypt an embedded payload, a tactic aligned with MITRE ATT&CK techniques T1140 (Deobfuscate/Decode Files or Information) and T1027 (Obfuscated Files or Information).

Once decrypted, the Rust component employs the DInvoke-rs manualmap library to reflectively load a Nim-compiled binary into memory, a method classified under T1620 (Reflective Code Loading), to evade detection.
This Nim binary then establishes a reverse shell to a command-and-control (C2) server using DNS resolution (T1071.004 – DNS), dynamically resolving API functions via GetProcAddress (T1106 – Native API) to avoid static import tables.
It generates random DNS requests and spawns threads to maintain communication with the C2 server, encrypting data with session keys (T1573.001 – Symmetric Cryptography) and facilitating covert data exfiltration.
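The DNS-based C2 channel described above leaves a pattern defenders can look for: one client repeatedly asking for many distinct, random-looking subdomains of the same base domain. The following is an added example (not code from the article or from the malware) that scores resolver log lines for that pattern using subdomain count and Shannon entropy. The log format, the sample lines and the `c2-placeholder.invalid` domain are all constructed for illustration; thresholds are assumptions to be tuned against your own baseline.

```python
import math
import re
from collections import defaultdict

# Constructed sample resolver log lines (not from the article):
# "<timestamp> <client-ip> query: <queried-name>".
SAMPLE_LOG = """\
2024-05-01T10:00:01Z 10.0.0.5 query: www.microsoft.com
2024-05-01T10:00:02Z 10.0.0.5 query: x7q2lk9p3m.c2-placeholder.invalid
2024-05-01T10:00:04Z 10.0.0.5 query: v1z8ra6tyu.c2-placeholder.invalid
2024-05-01T10:00:06Z 10.0.0.5 query: ke4ms0wq7d.c2-placeholder.invalid
2024-05-01T10:00:08Z 10.0.0.5 query: b9o2xh5ljn.c2-placeholder.invalid
2024-05-01T10:00:10Z 10.0.0.5 query: update.example.org
2024-05-01T10:00:12Z 10.0.0.5 query: t3yq8vnd2c.c2-placeholder.invalid
2024-05-01T10:00:14Z 10.0.0.7 query: mail.example.org
2024-05-01T10:00:15Z 10.0.0.7 query: cdn1.example.org
2024-05-01T10:00:16Z 10.0.0.7 query: cdn2.example.org
"""

LINE_RE = re.compile(r"^(\S+) (\S+) query: (\S+)$")


def shannon_entropy(s):
    """Bits of entropy per character; random-looking labels score high."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def parse_line(line):
    """Return (timestamp, client, base_domain, leftmost_label) or None.
    Base domain is taken as the last two labels; this is an assumption that
    ignores public suffixes such as co.uk and should use a suffix list in production."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, client, qname = m.groups()
    labels = qname.rstrip(".").lower().split(".")
    if len(labels) < 3:
        return None  # no subdomain label to score
    return ts, client, ".".join(labels[-2:]), labels[0]


def find_suspicious_dns(log_text, min_unique=4, min_entropy=3.0):
    """Return a sorted list of (client, base_domain, unique_subdomains, mean_entropy)
    for client/domain pairs whose subdomains look machine-generated."""
    subs = defaultdict(set)
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        _, client, base, sub = parsed
        subs[(client, base)].add(sub)
    flagged = []
    for (client, base), names in subs.items():
        if len(names) < min_unique:
            continue
        mean_ent = sum(shannon_entropy(n) for n in names) / len(names)
        if mean_ent >= min_entropy:
            flagged.append((client, base, len(names), round(mean_ent, 2)))
    return sorted(flagged)


if __name__ == "__main__":
    for hit in find_suspicious_dns(SAMPLE_LOG):
        print("suspicious DNS pattern:", hit)
```

On the constructed sample, only the 10.0.0.5 client querying `c2-placeholder.invalid` is flagged; the ordinary `example.org` and `microsoft.com` lookups fall below the unique-subdomain threshold. Beaconing intervals (here a query every two seconds) are a second signal worth adding once timestamps are parsed.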
Technical Breakdown of Skitnet’s Architecture
The malware’s C2 panel, secured with regex checks and IP/country filters, manages infected devices by tracking unique IDs based on the victim’s C drive serial number, further enhancing its operational secrecy.
Skitnet’s persistence mechanisms are equally intricate, employing PowerShell scripts and DLL hijacking (T1574 – Hijack Execution Flow) to ensure continuous execution.
Through the “startup” command, it downloads files like ISP.exe (a legitimate signed executable from Asus) and a malicious SnxHidLib.DLL to execute a PowerShell script (pas.ps1) via DLL hijacking.
According to Catalyst Report, this script, placed in the Startup folder (T1547.001 – Registry Run Keys/Startup Folder), sends requests to the C2 server upon reboot, guaranteeing persistence.
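The persistence chain above produces two observable events on the endpoint: a script dropped into the user's Startup folder, and a signed executable loading an unsigned DLL from a user-writable directory. The following is an added example (not code from the article or from the Catalyst report) that hunts for both patterns over endpoint telemetry. It assumes Sysmon-style events (EventID 11 for file creation, EventID 7 for image load, with a `Signed` field describing the loaded DLL); the event records are constructed for illustration and reuse the file names the article mentions, but the rules match on behaviour, not on those names.

```python
import re

# Constructed Sysmon-like events (not real telemetry). Field layout is an
# assumption modelled on Sysmon EventID 11 (FileCreate) and EventID 7 (ImageLoad).
SAMPLE_EVENTS = [
    {"EventID": 11,
     "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "TargetFilename": "C:\\Users\\alice\\AppData\\Roaming\\Microsoft\\Windows"
                       "\\Start Menu\\Programs\\Startup\\pas.ps1"},
    {"EventID": 11,
     "Image": "C:\\Program Files\\Vendor\\setup.exe",
     "TargetFilename": "C:\\Users\\alice\\AppData\\Roaming\\Microsoft\\Windows"
                       "\\Start Menu\\Programs\\Startup\\Vendor Tray.lnk"},
    {"EventID": 7,
     "Image": "C:\\Users\\alice\\AppData\\Local\\Temp\\ISP.exe",
     "ImageLoaded": "C:\\Users\\alice\\AppData\\Local\\Temp\\SnxHidLib.DLL",
     "Signed": "false"},
    {"EventID": 7,
     "Image": "C:\\Program Files\\Vendor\\app.exe",
     "ImageLoaded": "C:\\Windows\\System32\\kernel32.dll",
     "Signed": "true"},
]

STARTUP_DIR_RE = re.compile(r"\\start menu\\programs\\startup\\", re.IGNORECASE)
SCRIPT_EXT_RE = re.compile(r"\.(ps1|bat|cmd|vbs|js|hta)$", re.IGNORECASE)
# Directories an unprivileged user can write to; DLLs loaded from here by a
# signed binary are a classic sideloading signal.
USER_WRITABLE_RE = re.compile(
    r"^[a-z]:\\(users\\[^\\]+\\(appdata|downloads|desktop)|programdata|windows\\temp|users\\public)\\",
    re.IGNORECASE,
)


def _parent(path):
    return path.rsplit("\\", 1)[0].lower()


def hunt_persistence(events):
    """Return a list of {"rule", "evidence"} findings for the two persistence patterns."""
    findings = []
    for ev in events:
        if ev.get("EventID") == 11:
            target = ev.get("TargetFilename", "")
            # Rule 1: a script (not just a shortcut) written into the Startup folder.
            if STARTUP_DIR_RE.search(target) and SCRIPT_EXT_RE.search(target):
                findings.append({"rule": "startup_script",
                                 "evidence": f"{ev.get('Image')} -> {target}"})
        elif ev.get("EventID") == 7:
            loaded = ev.get("ImageLoaded", "")
            image = ev.get("Image", "")
            # Rule 2: unsigned DLL loaded from a user-writable directory, from the
            # same directory as the loading executable (sideloading pattern).
            if (ev.get("Signed", "").lower() == "false"
                    and USER_WRITABLE_RE.match(loaded)
                    and _parent(loaded) == _parent(image)):
                findings.append({"rule": "unsigned_dll_sideload",
                                 "evidence": f"{image} loaded {loaded}"})
    return findings


if __name__ == "__main__":
    for f in hunt_persistence(SAMPLE_EVENTS):
        print(f["rule"], ":", f["evidence"])
```

Rule 1 deliberately ignores `.lnk` shortcuts, which legitimate installers drop into the Startup folder routinely, so the vendor shortcut in the sample is not flagged. Rule 2 keeps the same-directory condition because that is how a hijacked DLL gets resolved ahead of the real one; relaxing it catches more but also raises noise from portable applications.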
Additional commands such as “screen” for capturing screenshots (T1113 – Screen Capture), “anydesk” and “rutserv” for remote access, and “av” for enumerating installed security software (T1518.001 – Security Software Discovery) demonstrate Skitnet’s versatility.
Moreover, a .NET-based second-stage loader, heavily obfuscated with opaque predicates and string encryption, downloads further payloads from dynamically constructed C2 URLs using RC4 decryption, perpetuating the attack chain.
This multi-layered approach, blending Rust, Nim, and .NET components with advanced evasion tactics like manual mapping and DNS tunneling, underscores Skitnet’s ability to remain undetected while maintaining long-term access to compromised systems, posing a significant challenge to cybersecurity defenses.