
Security researchers at Prodaft have published an in-depth analysis of Skitnet, also known as Bossnet—a highly sophisticated multi-stage malware developed by the actor identified as LARVA-306. This malware uses a blend of programming languages (Rust, Nim, and .NET), encryption, and evasive techniques to establish persistent access, evade detection, and enable remote command-and-control over DNS.
The malware was first observed being sold on underground forums such as RAMP in April 2024. The seller offers both the server code and the payloads, bundled with automated installation via Bash scripts. To eliminate forensic evidence, the server component immediately wipes:
- SSH connection logs
- IP addresses
- Command history
- System cache
“The server automatically wipes… to avoid leaving any traces that could be used in forensic investigations,” the analysis explained.
The initial executable is written in Rust and uses ChaCha20 encryption to decrypt an embedded binary payload. Once decrypted, this payload—a Nim-compiled reverse shell—is manually mapped into memory using DInvoke-rs.
“Other than decrypting and manually mapping the new binary, the Rust component does not perform any additional tasks,” the analysis noted.

The Nim binary establishes a reverse shell using custom DNS queries. It:
- Generates fake DNS requests like 1000000000000000.com
- Resolves API functions dynamically to avoid import detection
- Encrypts and sends cmd.exe output via DNS requests
- Waits for incoming DNS responses to execute new commands
“Ultimately, this mechanism allows the Nim binary to establish a reverse shell over DNS resolution.”
This stealthy communication approach helps the malware evade standard detection mechanisms by abusing DNS as a covert C2 channel.
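The DNS pattern described above is something a defender can hunt for in resolver logs. The following is an added example (my code, not Prodaft's or the malware's) that triages constructed DNS query log lines for two signals the report describes: long all-numeric labels such as 1000000000000000.com, and long high-entropy labels that look like encoded command output, then rates each client by how many such queries it emitted. The log format, the thresholds and the `updates.example` names are assumptions made for the example.

```python
"""
Added example (not from the Prodaft report): heuristic triage of DNS query
logs for the covert-channel pattern described above. Flags long all-numeric
labels (like 1000000000000000.com), long high-entropy labels that look like
encoded command output, and hosts that emit bursts of such queries.
"""
import math
import re
from collections import defaultdict

# Constructed sample log in the form "<timestamp> <client_ip> <qtype> <qname>".
SAMPLE_LOG = """\
2024-04-12T10:00:01Z 10.0.0.5 A 1000000000000000.com
2024-04-12T10:00:02Z 10.0.0.5 A 1000000000000001.com
2024-04-12T10:00:03Z 10.0.0.5 A 1000000000000002.com
2024-04-12T10:00:04Z 10.0.0.5 TXT 4f6a2c9e8b1d7a3c5e9f0b2d.updates.example
2024-04-12T10:00:05Z 10.0.0.5 TXT 7c1e9a0b3d5f2e8a4c6b1d9f.updates.example
2024-04-12T10:00:06Z 10.0.0.7 A www.example.org
2024-04-12T10:00:07Z 10.0.0.7 A mail.example.org
2024-04-12T10:00:08Z 10.0.0.9 A 1000000000000000.com
"""

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)$")


def shannon_entropy(text: str) -> float:
    """Bits of entropy per character; hex/base64 data scores well above English words."""
    if not text:
        return 0.0
    counts = defaultdict(int)
    for ch in text:
        counts[ch] += 1
    n = len(text)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def classify_qname(qname: str, min_numeric_len: int = 12,
                   min_encoded_len: int = 20, entropy_threshold: float = 3.5):
    """Return a reason string if the name looks like a DNS-tunnel label, else None.

    The thresholds are assumptions chosen for this example; tune them against
    your own baseline of benign long labels (CDNs, DKIM, anti-spam lookups).
    """
    labels = qname.rstrip(".").split(".")
    for label in labels[:-1]:          # skip the TLD itself
        if label.isdigit() and len(label) >= min_numeric_len:
            return "long-numeric-label"
        if len(label) >= min_encoded_len and shannon_entropy(label) >= entropy_threshold:
            return "high-entropy-label"
    return None


def triage(log_text: str, burst_threshold: int = 3) -> dict:
    """Group suspicious queries by client and rate each host 'burst' or 'single'."""
    per_client = defaultdict(lambda: {"count": 0, "reasons": set(), "examples": []})
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue                    # ignore malformed lines rather than crash
        _ts, client, _qtype, qname = m.groups()
        reason = classify_qname(qname)
        if reason is None:
            continue
        rec = per_client[client]
        rec["count"] += 1
        rec["reasons"].add(reason)
        rec["examples"].append(qname)
    for rec in per_client.values():
        rec["severity"] = "burst" if rec["count"] >= burst_threshold else "single"
    return dict(per_client)


if __name__ == "__main__":
    for host, rec in triage(SAMPLE_LOG).items():
        print(host, rec["severity"], rec["count"], sorted(rec["reasons"]))
```

On the constructed log, 10.0.0.5 is rated `burst` with both reasons, 10.0.0.9 is a `single` hit worth a second look, and 10.0.0.7 is not reported. A single long label is weak evidence on its own; the burst rating and the per-client grouping are what make the output actionable.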
Skitnet uses DLL sideloading and signed binaries to ensure persistence:
- Drops ISP.exe (a legitimate ASUS-signed binary) alongside a malicious SnxHidLib.DLL
- Executes pas.ps1, a PowerShell script that beacons to the attacker’s server
- Installs a shortcut in the Windows Startup folder
“Skitnet exploits this legitimate executable by placing a malicious SnxHidLib.DLL file in the same directory… triggering a DLL hijacking attack.”
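The two persistence artifacts above (a watchlisted DLL sitting next to a legitimate executable, and a shortcut in the Startup folder) can be hunted for with a file-system walk. The following is an added example (my code, not Prodaft's or the malware's) that runs against a constructed directory tree so it works offline; the only watchlist entry comes from the report, and the `drop`, `clean` and `Startup` folder names are assumptions made for the example. Verifying the Authenticode signature of the executable and the DLL is left to the host OS tooling.

```python
"""
Added example (not from the Prodaft report): a portable hunt for the two
persistence artifacts described above, run against a constructed directory
tree so it works offline. It pairs every .exe with a co-located DLL whose
name is on a sideload watchlist, and lists shortcuts in a Startup folder.
"""
import os
import tempfile

# DLL names to treat as sideload candidates when found next to an .exe.
# SnxHidLib.DLL comes from the report; extend the set from your own intel.
SIDELOAD_WATCHLIST = {"snxhidlib.dll"}


def find_sideload_candidates(root: str, watchlist=SIDELOAD_WATCHLIST):
    """Return (exe_path, dll_path) pairs where a watchlisted DLL sits beside an .exe."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        exes = [f for f in files if f.lower().endswith(".exe")]
        dlls = [f for f in files if f.lower() in watchlist]
        for exe in exes:
            for dll in dlls:
                hits.append((os.path.join(dirpath, exe), os.path.join(dirpath, dll)))
    return hits


def find_startup_shortcuts(startup_dir: str):
    """Return .lnk names in a Startup folder; resolving their targets needs pywin32."""
    if not os.path.isdir(startup_dir):
        return []
    return sorted(f for f in os.listdir(startup_dir) if f.lower().endswith(".lnk"))


def build_constructed_tree() -> str:
    """Create a throwaway tree mimicking the layout in the report; returns its root."""
    root = tempfile.mkdtemp(prefix="skitnet_hunt_")
    layout = {  # constructed content; the bytes are placeholders, not real binaries
        "drop/ISP.exe": b"MZ",
        "drop/SnxHidLib.DLL": b"MZ",
        "drop/pas.ps1": b"# constructed placeholder",
        "clean/app.exe": b"MZ",
        "clean/helper.dll": b"MZ",
        "Startup/update.lnk": b"L",
        "Startup/readme.txt": b"x",
    }
    for rel, data in layout.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(data)
    return root


def hunt(root: str) -> dict:
    """Run both checks under one root; on a real host point startup_dir at
    %APPDATA%\\Microsoft\\Windows\\Start Menu\\Programs\\Startup instead."""
    startup_dir = os.path.join(root, "Startup")
    return {
        "sideload": find_sideload_candidates(root),
        "startup_shortcuts": find_startup_shortcuts(startup_dir),
    }


if __name__ == "__main__":
    results = hunt(build_constructed_tree())
    for exe, dll in results["sideload"]:
        print("sideload candidate:", exe, "<-", dll)
    print("startup shortcuts:", results["startup_shortcuts"])
```

On the constructed tree the hunt reports the `ISP.exe` / `SnxHidLib.DLL` pairing and the `update.lnk` shortcut, while `clean/app.exe` with its `helper.dll` is ignored because that DLL is not on the watchlist. A watchlist keeps false positives low but only catches known pairings; a broader rule would also flag any unsigned DLL co-located with a signed vendor executable.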
The malware supports numerous remote commands:
- screen: Captures screenshots and uploads them to Imgur
- anydesk / rutserv: Deploys legitimate remote desktop tools while hiding tray icons
- shell: Maintains a live PowerShell command channel via HTTP polling
- av: Enumerates installed antivirus software using WMI
Beyond traditional payloads, Skitnet drops a .NET loader (web.log) that uses a base64/XOR decoding routine, dynamically loads a DLL, and decrypts embedded payloads using RC4.
Once decrypted, the payload connects to domains like rushpapers.com, downloading and executing additional malicious modules in memory.
“The inclusion of remote access capabilities via AnyDesk and RUT-Serv, along with commands for data exfiltration and security product enumeration, highlights the malware’s versatility,” the analysis concluded.
Organizations should remain alert for unusual DNS activity, unrecognized Startup entries, and signed binaries loading unexpected DLLs.