Skitnet Malware: Advanced Stealth Techniques for Persistent System Compromise

Cybersecurity researchers have recently uncovered a sophisticated multi-stage malware known as Skitnet, also referred to as Bossnet. This malware employs advanced stealth techniques to execute its payloads and maintain persistent access to compromised systems. First identified on underground forums in April 2024, Skitnet is actively marketed as a comprehensive package that includes both server code and malware components, with automated installation facilitated by Bash scripts requiring minimal human intervention.

Multi-Language Architecture and Evasion Tactics

Skitnet’s architecture is notably complex, integrating multiple programming languages such as Rust, Nim, .NET, and PowerShell. This multi-language approach enhances its ability to evade detection and establish robust persistence within targeted systems. The malware’s modular design allows attackers to deploy various payloads while minimizing their digital footprint, thereby reducing the likelihood of detection by traditional security measures.

The server component of Skitnet is designed to automatically erase connection logs, IP addresses, command histories, and cache data. This deliberate log-clearing strategy is intended to thwart forensic analysis and complicate efforts to trace the malware’s activities.

Encryption and Code Obfuscation

Skitnet employs sophisticated encryption and code obfuscation techniques throughout its infection chain. Analysis has revealed that the initial Rust executable utilizes the ChaCha20 encryption library to decrypt an embedded payload. This decrypted payload is then manually mapped into memory using DInvoke-rs, a method that avoids traditional detection mechanisms monitoring disk operations.

The second-stage component, written in Nim, establishes a covert command and control (C2) channel through DNS resolution—a protocol often permitted through firewalls with minimal inspection. This Nim component dynamically resolves API functions via GetProcAddress rather than using traditional import tables, further reducing its detectability by security solutions that flag suspicious imports.

Sophisticated Persistence Mechanism

Skitnet’s persistence mechanism is particularly advanced, combining legitimate software exploitation with DLL hijacking and PowerShell scripting. Upon execution of its startup command, the malware downloads three critical files to the C:\ProgramData\huo directory:

– ISP.exe: A legitimate and digitally signed executable from ASUSTeK Computer Inc.

– SnxHidLib.DLL: A malicious DLL.

– pas.ps1: A PowerShell persistence script.

The malware exploits a design feature in the legitimate ASUS executable, which attempts to load SnxHidLib.DLL at runtime. By placing a malicious version of this DLL in the same directory, Skitnet hijacks the execution flow. When ISP.exe loads, it calls the LoadLibrary function to import SnxHidLib.DLL, which then creates a PowerShell process to execute the pas.ps1 script.

The pas.ps1 script establishes persistence by retrieving the C drive’s serial number and continuously sending requests to the C2 server in the format: http://178.236.247.7/{serial_number}. The server responds with PowerShell commands that are executed via Invoke-Expression. To ensure the malware runs at system startup, it creates a shortcut to ISP.exe in the Windows Startup folder, completing a sophisticated persistence chain that leverages trusted software, DLL hijacking, and PowerShell automation.
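A defender-side detection sketch of the chain just described, added here as an example and not code from the report or from any vendor: it runs a handful of rules over constructed Sysmon-style events (the event field names and shapes are assumptions, not a real schema) and flags each stage called out above, plus one broader rule for any process started from the drop directory, which goes slightly beyond the text.

```python
import re

# Indicators quoted from the report above: drop directory, hijacked DLL, abused signed
# binary, and the beacon URL format http://178.236.247.7/{serial_number}.
DROP_DIR = r"c:\programdata\huo"
HIJACKED_DLL = "snxhidlib.dll"
SIGNED_HOST = "isp.exe"
BEACON_RE = re.compile(r"^http://178\.236\.247\.7/[^/\s]+$")

def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def detect(events):
    """Match each event against one stage of the persistence chain.
    Returns a list of (rule_name, event) tuples. Field names are assumptions."""
    hits = []
    for ev in events:
        kind, image = ev["type"], basename(ev.get("image", ""))
        in_drop_dir = ev.get("image", "").lower().startswith(DROP_DIR)
        if kind == "image_load" and basename(ev["loaded"]) == HIJACKED_DLL and not ev["signed"]:
            hits.append(("unsigned_snxhidlib_load", ev))  # DLL hijack inside signed ISP.exe
        elif kind == "process_create" and basename(ev["parent_image"]) == SIGNED_HOST and image == "powershell.exe":
            hits.append(("isp_spawns_powershell", ev))  # hijacked DLL launching pas.ps1
        elif kind == "network" and BEACON_RE.match(ev.get("url", "")):
            hits.append(("serial_number_beacon", ev))  # C2 polling by drive serial
        elif kind == "file_create" and "\\startup\\" in ev["target"].lower() and ev["target"].lower().endswith(".lnk"):
            hits.append(("startup_shortcut_created", ev))  # run-at-boot shortcut
        elif kind == "process_create" and in_drop_dir:
            hits.append(("exec_from_programdata_huo", ev))  # anything run from the drop dir
    return hits

# Constructed sample events (not real telemetry); the last one is benign for contrast.
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = [
    {"type": "process_create", "image": r"C:\ProgramData\huo\ISP.exe", "parent_image": r"C:\Windows\explorer.exe"},
    {"type": "image_load", "image": r"C:\ProgramData\huo\ISP.exe", "loaded": r"C:\ProgramData\huo\SnxHidLib.DLL", "signed": False},
    {"type": "process_create", "image": PS, "parent_image": r"C:\ProgramData\huo\ISP.exe"},
    {"type": "network", "image": PS, "url": "http://178.236.247.7/1A2B3C4D"},
    {"type": "file_create", "image": PS, "target": r"C:\Users\alice\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ISP.lnk"},
    {"type": "process_create", "image": r"C:\Windows\System32\notepad.exe", "parent_image": r"C:\Windows\explorer.exe"},
]

if __name__ == "__main__":
    for rule, ev in detect(SAMPLE_EVENTS):
        print(f"{rule:28} {ev.get('image')}")
```

Any single rule firing is worth a look, but the five together in sequence from one host are the chain itself.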

Post-Exploitation Capabilities

Beyond establishing persistence, Skitnet offers threat actors significant post-exploitation capabilities. These include screen capture functionality that exfiltrates screenshots to the C2 server, providing attackers with visual insights into the victim’s activities. Additionally, the malware can execute arbitrary commands received from the C2 server, allowing for further system manipulation and data exfiltration.

Implications and Mitigation Strategies

The discovery of Skitnet underscores the evolving sophistication of malware threats and the challenges they pose to cybersecurity defenses. Its use of multiple programming languages, advanced encryption, and stealthy persistence mechanisms highlights the need for comprehensive security strategies.

To mitigate the risks associated with such advanced malware, organizations should consider the following strategies:

1. Enhanced Monitoring and Logging: Implement comprehensive logging and monitoring solutions to detect unusual activities, such as unexpected PowerShell executions or unauthorized DLL loads.

2. Application Whitelisting: Restrict the execution of unauthorized applications and scripts by implementing application whitelisting policies.

3. Regular Software Updates: Ensure that all software, especially security tools and operating systems, is regularly updated to patch known vulnerabilities that could be exploited by malware like Skitnet.

4. User Education: Educate users about the risks of downloading and executing unknown files or scripts, emphasizing the importance of verifying the authenticity of software sources.

5. Advanced Threat Detection Solutions: Deploy advanced threat detection solutions that utilize behavioral analysis and machine learning to identify and respond to anomalous activities indicative of sophisticated malware infections.

By adopting these strategies, organizations can enhance their resilience against advanced malware threats like Skitnet and better protect their systems and data from compromise.