More ransomware gangs, including Black Basta and Cactus, have been leveraging the new Skitnet malware, also known as Bossnet, for covert post-exploitation operations since earlier this year, reports BleepingComputer.
Attacks involving Skitnet begin with the deployment and execution of a Rust-based loader that decrypts and loads in memory a ChaCha20-encrypted Nim binary, according to an analysis from PRODAFT. That binary establishes a DNS-based reverse shell for command-and-control communications and then starts three threads: one sends heartbeat DNS requests, one tracks and exfiltrates shell output, and one listens for and decrypts incoming commands. Beyond commands that enable persistence and screenshot capture via PowerShell, Skitnet can stealthily install the AnyDesk and RUT-Serv remote access tools, run a PowerShell command loop, enumerate antivirus and security software, and execute PowerShell scripts in memory for more customized intrusions, the researchers added. All of Skitnet's indicators of compromise have already been published on PRODAFT's GitHub repository.
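The heartbeat-over-DNS behaviour described above leaves a recognisable trace in resolver logs: one host sending regularly spaced queries to a single domain, each with a random-looking leftmost label carrying the encoded channel data. The script below is an added illustration of how a defender might hunt for that pattern; it is not code from the article or from PRODAFT, and the log format ("epoch_seconds client_ip queried_name"), the domain names and all log lines are constructed for the example. It is a heuristic, so exact matching against PRODAFT's published indicators of compromise remains the higher-confidence check; this example is meant to surface hosts whose DNS traffic looks like a beacon before an indicator match is available.

```python
import math
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample DNS query log (hypothetical "epoch_seconds client_ip queried_name" format).
# Host 10.0.0.5 queries one domain every 30 seconds with a random-looking leftmost label
# (the heartbeat pattern), mixed with ordinary lookups; host 10.0.0.9 only queries it 3 times.
SAMPLE_LOG = """
1700000000 10.0.0.5 a1b2c3d4e5f60718.example-c2.test
1700000003 10.0.0.5 www.example.com
1700000030 10.0.0.5 9f8e7d6c5b4a3021.example-c2.test
1700000047 10.0.0.5 www.example.com
1700000052 10.0.0.5 www.example.com
1700000060 10.0.0.5 0123456789abcdef.example-c2.test
1700000090 10.0.0.5 fedcba9876543210.example-c2.test
1700000120 10.0.0.5 1a2b3c4d5e6f7081.example-c2.test
1700000130 10.0.0.5 www.example.com
1700000131 10.0.0.5 www.example.com
1700000150 10.0.0.5 deadbeef01234567.example-c2.test
1700000180 10.0.0.5 c0ffee1234567890.example-c2.test
1700000200 10.0.0.5 www.example.com
1700000210 10.0.0.5 5e6f7a8b9c0d1e2f.example-c2.test
1700000005 10.0.0.9 00112233aabbccdd.example-c2.test
1700000035 10.0.0.9 44556677eeff0011.example-c2.test
1700000065 10.0.0.9 8899aabb22334455.example-c2.test
"""


def shannon_entropy(label: str) -> float:
    """Bits per character of a DNS label; encoded data scores high, a label like 'www' scores 0."""
    if not label:
        return 0.0
    counts = defaultdict(int)
    for ch in label:
        counts[ch] += 1
    n = len(label)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def registered_domain(qname: str) -> str:
    """Last two labels of the name (simplification: no public-suffix list, so co.uk-style names mis-split)."""
    labels = qname.rstrip(".").lower().split(".")
    return ".".join(labels[-2:])


def parse_log(text: str):
    """Parse 'epoch client qname' lines into (timestamp, client, qname) tuples; blanks and '#' lines are skipped."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, client, qname = line.split()
        records.append((int(ts), client, qname))
    return records


def find_beacons(records, min_queries=6, max_jitter_ratio=0.2, min_label_entropy=3.0):
    """Flag (client, domain) pairs with many evenly spaced queries whose leftmost labels look random.

    jitter_ratio is the standard deviation of the inter-query gaps divided by their mean:
    a fixed heartbeat interval gives ~0, while human browsing gives a much larger value.
    """
    groups = defaultdict(list)
    for ts, client, qname in records:
        groups[(client, registered_domain(qname))].append((ts, qname))

    findings = []
    for (client, domain), hits in groups.items():
        if len(hits) < min_queries:
            continue
        hits.sort()
        stamps = [ts for ts, _ in hits]
        intervals = [b - a for a, b in zip(stamps, stamps[1:])]
        avg = mean(intervals)
        if avg <= 0:
            continue  # identical timestamps: a burst, not a heartbeat
        jitter = pstdev(intervals) / avg
        entropy = mean(shannon_entropy(q.split(".")[0]) for _, q in hits)
        if jitter <= max_jitter_ratio and entropy >= min_label_entropy:
            findings.append({
                "client": client,
                "domain": domain,
                "count": len(hits),
                "mean_interval": avg,
                "jitter_ratio": jitter,
                "mean_label_entropy": entropy,
            })
    return findings


if __name__ == "__main__":
    for finding in find_beacons(parse_log(SAMPLE_LOG)):
        print(finding)
```

Run against the sample, only the 10.0.0.5 to example-c2.test pair is reported: eight queries, a constant 30-second gap and high-entropy labels. The same host's www.example.com lookups fail on both irregular spacing and zero-entropy labels, and 10.0.0.9 drops out on the query-count floor. On real resolver logs the thresholds need tuning per environment, and legitimate services that poll DNS on a timer (update checks, some CDN clients) should be baselined as exceptions before alerting.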