Malware employs advanced obfuscation: According to Prodaft's description, Skitnet uses the Rust and Nim programming languages to execute a stealthy reverse shell over DNS, a covert C2 communication method that uses the DNS protocol instead of HTTP or other typical channels. Additionally, the malware leverages encryption, manual mapping, and dynamic API resolution to evade detection, researchers added.

"The author (of the malware) sells both the server code and the malware itself," researchers added. "The server automatically wipes SSH connection logs, IP addresses, command history logs, and cache, to avoid leaving any traces that could be used in forensic investigation."
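Because Skitnet's reverse shell runs over DNS, the defender-side signal is in resolver logs rather than web proxies: a host repeatedly querying many distinct, long, high-entropy subdomains under one domain. The following is an added detection example, not code from the article or from Prodaft; the log lines, the `c2-sample.test` domain and the thresholds are constructed for illustration and would need tuning against real resolver data.

```python
import math
from collections import defaultdict

# Constructed sample resolver log: "<client_ip> <queried_name>" per line.
# Not real Skitnet traffic; c2-sample.test is a placeholder tunnelling domain.
SAMPLE_LOG = """\
10.0.0.5 www.example.com
10.0.0.5 mail.example.com
10.0.0.7 4f3a9c1b7e2d.a8b2c9d0e1f2a3b4.c2-sample.test
10.0.0.7 9d8e7f6a5b4c.d3e4f5a6b7c8d9e0.c2-sample.test
10.0.0.7 0a1b2c3d4e5f.f1e2d3c4b5a69788.c2-sample.test
10.0.0.7 ab12cd34ef56.1234567890abcdef.c2-sample.test
10.0.0.5 cdn.example.com
"""

def shannon_entropy(text):
    """Bits of entropy per character; encoded payload data scores high."""
    if not text:
        return 0.0
    counts = defaultdict(int)
    for ch in text:
        counts[ch] += 1
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())

def split_qname(qname):
    """Return (subdomain_prefix, registered_domain). Naive two-label split;
    real deployments need a public-suffix list for zones like co.uk."""
    labels = qname.rstrip(".").split(".")
    return ".".join(labels[:-2]), ".".join(labels[-2:])

def analyze_dns_log(log_text, min_unique=3, min_avg_len=20, min_avg_entropy=3.0):
    """Group queries by (client, domain) and flag groups whose distinct
    subdomain prefixes are numerous and either long or high-entropy."""
    groups = defaultdict(set)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        client, qname = line.split()
        prefix, domain = split_qname(qname)
        groups[(client, domain)].add(prefix)
    findings = []
    for (client, domain), prefixes in groups.items():
        if len(prefixes) < min_unique:
            continue
        avg_len = sum(len(p) for p in prefixes) / len(prefixes)
        avg_ent = sum(shannon_entropy(p) for p in prefixes) / len(prefixes)
        if avg_len >= min_avg_len or avg_ent >= min_avg_entropy:
            findings.append({"client": client, "domain": domain,
                             "unique_subdomains": len(prefixes),
                             "avg_prefix_len": round(avg_len, 1),
                             "avg_entropy": round(avg_ent, 2)})
    return findings
```

Running `analyze_dns_log(SAMPLE_LOG)` flags only the 10.0.0.7 / c2-sample.test group; the example.com queries have short, low-entropy prefixes and pass.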
Additional commands for remote access: Skitnet also has commands to quietly install and launch signed versions of remote desktop tools such as AnyDesk or RUT, allowing attackers to gain remote access to infected systems.

"The inclusion of remote access capabilities via AnyDesk and RUT-Serv, along with commands for data exfiltration and security product enumeration, highlights the malware's versatility," researchers said. "Skitnet's persistence mechanisms, including DLL hijacking and PowerShell-based execution, ensure that it remains active on compromised systems."

Prodaft published indicators of compromise (IoCs) for security teams, which include a list of C2 servers, TOX addresses, and file hashes used in the observed attacks. Organizations are advised to strengthen their cybersecurity measures, including employee training on phishing awareness and implementation of robust security protocols, to mitigate the risks associated with Skitnet.
First seen on csoonline.com
Jump to article: www.csoonline.com/article/3990488/skitnet-malware-the-new-ransomware-favorite.html