Ransomware operators are now actively using Skitnet, a modular malware strain that has been sold on underground forums, including RAMP, since April 2024.
According to cybersecurity firm Prodaft, the multi-stage malware is being used for stealing sensitive data post-compromise and establishing continued remote access.
“Skitnet (a.k.a. Bossnet) is a multi-stage malware developed by LARVA-306 that leverages multiple programming languages and stealth techniques to execute its payload and maintain persistent access to infected systems,” Prodaft researchers said in a report.
First identified in 2024, the malware was recently leveraged by BlackBasta in Microsoft Teams-themed phishing attacks, Prodaft said in a LinkedIn post.
Dedicated plugins for theft and ransomware
Skitnet operates with a modular design where a core loader, decoded and executed with a lightweight PowerShell dropper, dynamically fetches and executes plugins based on the attacker’s goal.
The desired modules are retrieved from hardcoded command-and-control (C2) servers using HTTP POST requests and AES-encrypted payloads. Payload components include skitnel.dll, which handles in-memory execution, and a persistence mechanism.
According to the researchers, the malware includes separate plugins for credential harvesting, privilege escalation, lateral movement, and ransomware delivery.
Malware employs advanced obfuscation
According to Prodaft’s description, Skitnet uses the Rust and Nim programming languages to execute a stealthy reverse shell over DNS, a method of covert C2 communication that carries traffic over the DNS protocol instead of HTTP or other typical channels.
Additionally, the malware leverages encryption, manual mapping, and dynamic API resolution to evade detection, researchers added.
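Because a DNS-based reverse shell has to encode its commands and results into query names, it leaves a pattern in resolver logs that a defender can look for: many queries to one domain, each with a unique, high-entropy leftmost label, often of a record type (such as TXT) that ordinary browsing rarely generates. The following is an added detection example written for this article; it is not code from the Prodaft report and knows nothing about Skitnet’s actual encoding. The log format, the domain c2-placeholder.test, the two-label approximation of a registered domain and all thresholds are assumptions made for the example.

```python
import math
from collections import defaultdict

# Constructed sample resolver log (not from the Prodaft report).
# One query per line: "<timestamp> <client_ip> <query_type> <query_name>".
# "c2-placeholder.test" is a placeholder for a hypothetical C2 domain.
SAMPLE_DNS_LOG = """\
2025-05-01T10:00:01Z 10.0.0.5 A www.example.com
2025-05-01T10:00:02Z 10.0.0.5 A cdn.example.com
2025-05-01T10:00:03Z 10.0.0.5 TXT 4a6f8b3c1d9e2f70.c2-placeholder.test
2025-05-01T10:00:04Z 10.0.0.5 TXT 9c2e7d1f0a5b6e83.c2-placeholder.test
2025-05-01T10:00:05Z 10.0.0.5 TXT b7d0e3a9f2c41856.c2-placeholder.test
2025-05-01T10:00:06Z 10.0.0.5 TXT 1f5a9c3e7b2d8046.c2-placeholder.test
2025-05-01T10:00:07Z 10.0.0.5 TXT e8c2a6f4d1b93057.c2-placeholder.test
2025-05-01T10:00:08Z 10.0.0.5 TXT 3d7b1e9a5c8f2604.c2-placeholder.test
2025-05-01T10:00:09Z 10.0.0.5 A mail.example.com
2025-05-01T10:00:10Z 10.0.0.5 TXT 6a0e4c8b2d7f1935.c2-placeholder.test
2025-05-01T10:00:11Z 10.0.0.5 TXT c5f9b3d7a1e62408.c2-placeholder.test
"""


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character of s (0.0 for an empty or single-symbol string)."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def registered_domain(qname: str) -> str:
    """Approximate the registrable domain as the last two labels.
    A real deployment would consult the public suffix list instead."""
    labels = qname.rstrip(".").lower().split(".")
    return ".".join(labels[-2:])


def parse_dns_log(text: str):
    """Yield (query_type, query_name) pairs, skipping blank or malformed lines."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        _, _, qtype, qname = parts
        yield qtype.upper(), qname.lower()


def summarize_by_domain(text: str) -> dict:
    """Per registered domain: query count, TXT ratio, share of unique leftmost
    labels and mean entropy of the leftmost label."""
    stats = defaultdict(lambda: {"queries": 0, "txt": 0, "labels": [], "entropy_sum": 0.0})
    for qtype, qname in parse_dns_log(text):
        dom = registered_domain(qname)
        leftmost = qname.split(".")[0]
        s = stats[dom]
        s["queries"] += 1
        if qtype == "TXT":
            s["txt"] += 1
        s["labels"].append(leftmost)
        s["entropy_sum"] += shannon_entropy(leftmost)
    summary = {}
    for dom, s in stats.items():
        n = s["queries"]
        summary[dom] = {
            "queries": n,
            "txt_ratio": s["txt"] / n,
            "unique_label_ratio": len(set(s["labels"])) / n,
            "mean_label_entropy": s["entropy_sum"] / n,
        }
    return summary


def flag_dns_tunnels(text: str, min_queries: int = 5, min_unique_ratio: float = 0.8,
                     min_entropy: float = 3.0, min_txt_ratio: float = 0.5) -> list:
    """Return the sorted domains whose query pattern resembles a DNS C2 channel.
    The thresholds are assumed starting points for tuning, not measured values."""
    flagged = []
    for dom, m in summarize_by_domain(text).items():
        if (m["queries"] >= min_queries
                and m["unique_label_ratio"] >= min_unique_ratio
                and m["mean_label_entropy"] >= min_entropy
                and m["txt_ratio"] >= min_txt_ratio):
            flagged.append(dom)
    return sorted(flagged)


if __name__ == "__main__":
    for dom, m in summarize_by_domain(SAMPLE_DNS_LOG).items():
        print(f"{dom:22} queries={m['queries']:3} txt={m['txt_ratio']:.2f} "
              f"unique={m['unique_label_ratio']:.2f} entropy={m['mean_label_entropy']:.2f}")
    print("suspected DNS C2 domains:", flag_dns_tunnels(SAMPLE_DNS_LOG))
```

Run against the constructed log, the ordinary example.com lookups fall below every threshold while the placeholder C2 domain is flagged on all four. In practice the thresholds need tuning against a baseline of the organisation’s own resolver traffic, since CDNs and some security products legitimately generate high-entropy subdomains; the point of the summary table is to make that tuning visible rather than to hard-code a verdict.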
“The author (of the malware) sells both the server code and the malware itself,” researchers added. “The server automatically wipes SSH connection logs, IP addresses, command history logs, and cache, to avoid leaving any traces that could be used in forensic investigation.”
Additional commands for remote access
Skitnet also has commands to quietly install and launch signed versions of remote desktop tools such as AnyDesk or RUT, giving attackers interactive remote access to infected systems.
“The inclusion of remote access capabilities via AnyDesk and RUT-Serv, along with commands for data exfiltration and security product enumeration, highlights the malware’s versatility,” researchers said. “Skitnet’s persistence mechanisms, including DLL hijacking and PowerShell-based execution, ensure that it remains active on compromised systems.”
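A signed, legitimate remote-access tool will not trip signature-based antivirus, so the useful signal is behavioural: who launched it and from where. The following is an added example for this article, not code from Prodaft or from either tool’s vendor. It scans constructed process-creation events (JSON lines) and flags a remote-access binary when its parent is a script host such as PowerShell, or when it runs from somewhere other than a normal installation directory. The event schema, the host names, the file paths and the service binary name rutserv.exe for RUT-Serv are all assumptions made for the example.

```python
import json
from pathlib import PureWindowsPath

# Executable names of the remote-access tools the report names (AnyDesk, RUT-Serv).
# "rutserv.exe" as the RUT-Serv service binary is an assumption for this example.
REMOTE_ACCESS_TOOLS = {"anydesk.exe", "rutserv.exe"}

# Script hosts that a dropper, rather than an interactive user, would launch a tool from.
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe"}

# Directory roots under which a legitimately installed copy would normally live.
EXPECTED_INSTALL_ROOTS = ("c:\\program files\\", "c:\\program files (x86)\\")

# Constructed process-creation events (one JSON object per line); not data from the report.
# Backslashes are doubled because this is a raw string holding JSON.
SAMPLE_EVENTS = r"""
{"ts": "2025-05-01T10:05:00Z", "host": "WS01", "image": "C:\\Users\\Public\\AnyDesk.exe", "parent_image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"}
{"ts": "2025-05-01T10:06:00Z", "host": "WS02", "image": "C:\\Program Files (x86)\\AnyDesk\\AnyDesk.exe", "parent_image": "C:\\Windows\\explorer.exe"}
{"ts": "2025-05-01T10:07:00Z", "host": "WS03", "image": "C:\\ProgramData\\Remote\\rutserv.exe", "parent_image": "C:\\Windows\\System32\\cmd.exe"}
{"ts": "2025-05-01T10:08:00Z", "host": "WS01", "image": "C:\\Windows\\System32\\notepad.exe", "parent_image": "C:\\Windows\\explorer.exe"}
{"ts": "2025-05-01T10:09:00Z", "host": "WS04", "image": "C:\\Program Files (x86)\\AnyDesk\\AnyDesk.exe", "parent_image": "C:\\Windows\\System32\\services.exe"}
"""


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path; works on any host OS."""
    return PureWindowsPath(path).name.lower()


def parse_events(text: str) -> list:
    """Parse JSON-lines process-creation events, ignoring blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def classify_event(event: dict) -> list:
    """Return the reasons an event looks like a scripted remote-tool deployment.
    An empty list means the event is not of interest."""
    if basename(event["image"]) not in REMOTE_ACCESS_TOOLS:
        return []
    reasons = []
    parent = basename(event["parent_image"])
    if parent in SCRIPT_HOSTS:
        reasons.append("launched by script host " + parent)
    if not event["image"].lower().startswith(EXPECTED_INSTALL_ROOTS):
        reasons.append("running outside expected install root: " + event["image"])
    return reasons


def detect_scripted_remote_tools(text: str) -> list:
    """Scan a JSON-lines event log and return one finding per suspicious launch."""
    findings = []
    for ev in parse_events(text):
        reasons = classify_event(ev)
        if reasons:
            findings.append({"host": ev["host"], "ts": ev["ts"],
                             "image": ev["image"], "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in detect_scripted_remote_tools(SAMPLE_EVENTS):
        print(f"{f['ts']} {f['host']}: {f['image']}")
        for r in f["reasons"]:
            print("    -", r)
```

On the constructed events, WS01 and WS03 are flagged on both counts, while the copies of AnyDesk on WS02 and WS04, started from Explorer and from the service control manager out of their installation directory, pass. The two rules are deliberately independent: a help desk that installs AnyDesk through a PowerShell deployment script will trip the first rule and not the second, and that is the exception a team would whitelist rather than loosening the logic.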
Prodaft published indicators of compromise (IoCs) for security teams, including a list of C2 servers, TOX addresses, and file hashes used in the observed attacks. Organizations are advised to strengthen their cybersecurity measures, including employee training on phishing awareness and implementation of robust security protocols, to mitigate the risks associated with Skitnet.