Skitnet: LARVA-306 Actor's Swiss Army Knife for Persistent Access


In April 2024, a new multi-stage malware named Skitnet (also known as Bossnet) emerged on underground forums, advertised as a fully autonomous threat toolkit for stealthy system compromise and persistent remote control. Developed by a threat actor identified as LARVA-306, Skitnet blends the power of multiple programming languages—Rust, Nim, and .NET—to bypass detection, exfiltrate data, and enable continuous attacker access through DNS-based command-and-control mechanisms. Its use of legitimate tools such as AnyDesk and signed binaries like Asus ISP.exe makes it a particularly deceptive and potent threat to organizations globally.

Severity Level: High

THREAT OVERVIEW:

The Breach: How It Happened

  1. Initial Payload (Rust):
    • Skitnet is delivered via an installer (distribution vector not specified but likely spearphishing or forum-based download).
    • Decrypts embedded Nim binary using ChaCha20
    • Uses manualmap (DInvoke-rs) to load Nim payload into memory (T1620)
  2. Second Stage (Nim Binary):
    • Establishes DNS-based reverse shell (T1071.004)
    • Resolves functions via GetProcAddress (T1106)
    • Uses Symmetric Cryptography to encrypt/decrypt C2 traffic (T1573.001)
    • Executes cmd.exe and runs shell commands (T1059)
  3. Persistence (DLL Hijacking):
    • Leverages signed Asus ISP.exe for DLL hijacking (T1574)
    • Executes pas.ps1 PowerShell script for persistence and beaconing (T1059.001, T1547.001)
    • Sends drive serial to C2: http[:]//178[.]236.247.7/{serial_number}
  4. C2 Panel Interaction:
    • Filters victims by IP, country, provider
    • Commands supported: startup, screen, anydesk, rutserv, shell, av
    • Reverse shell uses polling to retrieve and execute commands.
  5. Optional Payloads:
    • Remote tools like AnyDesk/RUTserv (T1219)
    • Screenshot capture (T1113)
    • Security software discovery (T1518.001)
    • .NET loader drops further payloads using RC4-decrypted URL (rushpapers[.]com)
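The behaviours listed above map onto a handful of host telemetry sources, and the following added example (written for this advisory, not code from PRODAFT or Ampcus Cyber) shows the detection logic a defender would run over them: a signed vendor binary loading a DLL from a writable, non-system directory (T1574), DNS queries whose leftmost label is long and high-entropy (T1071.004), script blocks referencing the staging files named above (T1059.001), and connections to the C2 address from the advisory. The events are constructed sample objects so the script runs offline; the property names follow Sysmon Event IDs 3/7/22 and PowerShell Event ID 4104, and the entropy and length thresholds are assumptions to tune per environment.

```powershell
# Added example: Skitnet-style behaviour detection over CONSTRUCTED sample events.
# Replace $events with Get-WinEvent output (Sysmon Operational log, PowerShell
# Operational log) after projecting the XML fields into the same property names.

$c2Ip = '178.236.247.7'   # IoC from the advisory (beaconing target)

# --- constructed sample telemetry (not real logs) ---
$events = @(
    [pscustomobject]@{ Id = 7;    Image = 'C:\ProgramData\huo\ISP.exe';          ImageLoaded = 'C:\ProgramData\huo\SnxHidLib.DLL' }
    [pscustomobject]@{ Id = 7;    Image = 'C:\Windows\System32\svchost.exe';     ImageLoaded = 'C:\Windows\System32\kernel32.dll' }
    [pscustomobject]@{ Id = 22;   Image = 'C:\ProgramData\huo\ISP.exe';          QueryName = 'q3k9v2m8x1p0a7z4w6n5b2c8d1f3g7h9.c2.example.invalid' }
    [pscustomobject]@{ Id = 22;   Image = 'C:\Program Files\Mozilla Firefox\firefox.exe'; QueryName = 'www.mozilla.org' }
    [pscustomobject]@{ Id = 3;    Image = 'C:\ProgramData\huo\ISP.exe';          DestinationIp = $c2Ip; DestinationPort = 80 }
    [pscustomobject]@{ Id = 4104; ScriptBlockText = 'Start-Process powershell -ArgumentList "-File C:\ProgramData\huo\pas.ps1"' }
    [pscustomobject]@{ Id = 4104; ScriptBlockText = 'Get-ChildItem C:\Users' }
)

function Get-LabelEntropy {
    param([string]$Label)
    # Shannon entropy (bits/char) of one DNS label; encoded C2 data scores high,
    # ordinary hostnames (www, mail, cdn01) score low.
    if ($Label.Length -eq 0) { return 0 }
    $counts = @{}
    foreach ($c in $Label.ToCharArray()) { $counts[$c] = 1 + [int]$counts[$c] }
    $h = 0.0
    foreach ($n in $counts.Values) {
        $p = $n / $Label.Length
        $h -= $p * [math]::Log($p, 2)
    }
    return $h
}

function Test-SuspiciousDnsQuery {
    param([string]$QueryName)
    # DNS reverse shells push data in the leftmost label, so a long, high-entropy
    # first label is the shape to alert on. Thresholds (24 chars, 3.5 bits) are assumptions.
    $first = $QueryName.Split('.')[0]
    return ($first.Length -ge 24 -and (Get-LabelEntropy $first) -ge 3.5)
}

function Test-SideloadedDll {
    param($Event)
    # The signed ASUS ISP.exe loading any DLL from outside the OS/program directories
    # is the DLL-hijack pattern described above (SnxHidLib.DLL in C:\ProgramData\huo).
    $loader     = [System.IO.Path]::GetFileName($Event.Image)
    $dllDir     = [System.IO.Path]::GetDirectoryName($Event.ImageLoaded)
    $systemDirs = @('C:\Windows\', 'C:\Program Files\', 'C:\Program Files (x86)\')
    $inSystem   = $systemDirs | Where-Object { $dllDir.StartsWith($_, 'OrdinalIgnoreCase') }
    return ($loader -ieq 'ISP.exe' -and -not $inSystem)
}

function Find-SkitnetIndicators {
    param([object[]]$Events)
    $hits = [System.Collections.Generic.List[string]]::new()
    foreach ($e in $Events) {
        switch ($e.Id) {
            7    { if (Test-SideloadedDll $e)               { $hits.Add("[T1574] $($e.Image) loaded $($e.ImageLoaded)") } }
            22   { if (Test-SuspiciousDnsQuery $e.QueryName) { $hits.Add("[T1071.004] $($e.Image) queried $($e.QueryName)") } }
            3    { if ($e.DestinationIp -eq $c2Ip)           { $hits.Add("[C2 IoC] $($e.Image) connected to $($e.DestinationIp):$($e.DestinationPort)") } }
            4104 { if ($e.ScriptBlockText -match 'pas\.ps1|web\.log|ProgramData\\huo') { $hits.Add("[T1059.001] script block: $($e.ScriptBlockText)") } }
        }
    }
    return ,$hits.ToArray()
}

Find-SkitnetIndicators -Events $events
```

On a live host the same functions apply to `Get-WinEvent -FilterHashtable @{LogName='Microsoft-Windows-Sysmon/Operational'; Id=3,7,22}` and `@{LogName='Microsoft-Windows-PowerShell/Operational'; Id=4104}` once each event's XML data fields are mapped onto the property names used here; Event ID 22 requires DNS query logging to be enabled in the Sysmon configuration.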

Recommendations:

  1. Use AppLocker or WDAC to block execution of unsigned binaries and non-standard file paths like C:\ProgramData\huo\.
  2. Configure systems to audit DLL loads and restrict dynamic linking paths. Enforce DLL signature checks for critical applications.
  3. Enable Exploit Protection / AMSI to intercept reflective code loading (Rust, DInvoke-rs, .NET Assembly.Load).
  4. Enable PowerShell Script Block Logging and Module Logging to monitor execution of scripts like pas.ps1, web.log.
  5. Restrict PowerShell and cmd usage for standard users. Apply Constrained Language Mode for PowerShell.
  6. Block the IOCs at their respective controls:
     https://www.virustotal.com/gui/collection/20695ca85a14fb26e61935cd513d1bd863c7090b435accedbc9459fb00290abb/iocs
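The following added example (not part of the original advisory) applies the logging, application-control and language-mode recommendations above on a single Windows host. The registry values are the standard PowerShell policy keys behind the corresponding Group Policy settings; the AppLocker rule names, the temporary file path and the choice of audit mode are assumptions. The AppLocker policy is merged into the existing local policy because a deny-only policy applied on its own with enforcement enabled would block every executable that has no matching allow rule.

```powershell
# Added example: host hardening against the Skitnet behaviours above. Run elevated.

# 1. Script Block Logging (Event ID 4104) and Module Logging (Event ID 4103).
$psPolicy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell'
New-Item -Path "$psPolicy\ScriptBlockLogging"      -Force | Out-Null
New-Item -Path "$psPolicy\ModuleLogging\ModuleNames" -Force | Out-Null
New-ItemProperty -Path "$psPolicy\ScriptBlockLogging" -Name EnableScriptBlockLogging -Value 1 -PropertyType DWord -Force | Out-Null
New-ItemProperty -Path "$psPolicy\ModuleLogging"      -Name EnableModuleLogging      -Value 1 -PropertyType DWord -Force | Out-Null
# '*' = log every module; narrow to specific modules if volume is a concern.
New-ItemProperty -Path "$psPolicy\ModuleLogging\ModuleNames" -Name '*' -Value '*' -PropertyType String -Force | Out-Null

# 2. AppLocker: deny EXE and DLL execution from the staging directory named in the
#    advisory. AuditOnly first (Event IDs 8003/8006 in the AppLocker log) so that
#    legitimate software is not broken before switching the collection to Enabled.
$huoPath   = '%OSDRIVE%\ProgramData\huo\*'   # assumed layout; %OSDRIVE% is AppLocker's system-drive variable
$policyXml = @"
<AppLockerPolicy Version="1">
  <RuleCollection Type="Exe" EnforcementMode="AuditOnly">
    <FilePathRule Id="$([guid]::NewGuid())" Name="Deny ProgramData\huo (example)" Description="Added example rule" UserOrGroupSid="S-1-1-0" Action="Deny">
      <Conditions><FilePathCondition Path="$huoPath" /></Conditions>
    </FilePathRule>
  </RuleCollection>
  <RuleCollection Type="Dll" EnforcementMode="AuditOnly">
    <FilePathRule Id="$([guid]::NewGuid())" Name="Deny DLLs in ProgramData\huo (example)" Description="Added example rule" UserOrGroupSid="S-1-1-0" Action="Deny">
      <Conditions><FilePathCondition Path="$huoPath" /></Conditions>
    </FilePathRule>
  </RuleCollection>
</AppLockerPolicy>
"@
$xmlFile = Join-Path $env:TEMP 'skitnet-deny-example.xml'
Set-Content -Path $xmlFile -Value $policyXml -Encoding UTF8
Set-AppLockerPolicy -XmlPolicy $xmlFile -Merge     # -Merge keeps existing allow rules
Set-Service -Name AppIDSvc -StartupType Automatic    # Application Identity service evaluates AppLocker rules
Start-Service -Name AppIDSvc

# 3. Constrained Language Mode for new sessions. The environment-variable switch is
#    the legacy mechanism and is not a security boundary (anyone able to edit machine
#    environment variables can undo it); use WDAC/AppLocker policy for real enforcement
#    and treat this as defence in depth.
[Environment]::SetEnvironmentVariable('__PSLockdownPolicy', '4', 'Machine')
```

After applying, confirm the merged rules with `Get-AppLockerPolicy -Effective -Xml` and check a fresh PowerShell session reports `ConstrainedLanguage` from `$ExecutionContext.SessionState.LanguageMode`. Enabling the DLL rule collection is the part most likely to need tuning, since every DLL load is then evaluated; leave it in AuditOnly until the audit log is clean.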

MITRE ATT&CK:

| Tactic | Technique | ID | Details |
|---|---|---|---|
| Execution | Command and Scripting Interpreter: PowerShell | T1059.001 | Executes multiple PowerShell scripts (e.g., pas.ps1, web.log) to maintain persistence and load payloads. |
| Execution | Command and Scripting Interpreter | T1059 | Uses cmd.exe shell to execute commands received over DNS C2. |
| Persistence | Registry Run Keys / Startup Folder | T1547.001 | Uses Startup folder to run ISP.exe, which loads malicious DLL. |
| Persistence | Hijack Execution Flow | T1574 | DLL hijacking with signed ASUS ISP.exe to run malicious SnxHidLib.DLL. |
| Privilege Escalation | Hijack Execution Flow | T1574 | Same DLL hijack applies if elevated context is abused. |
| Defense Evasion | Obfuscated Files or Information | T1027 | Payloads are encrypted using ChaCha20 and RC4; strings obfuscated in .NET loaders. |
| Defense Evasion | Deobfuscate/Decode Files or Information | T1140 | Decrypts payloads in memory after ChaCha20/RC4 decoding. |
| Defense Evasion | Reflective Code Loading | T1620 | Rust loader manually maps PE file using DInvoke-rs to evade AV. |
| Discovery | Security Software Discovery | T1518.001 | Uses Get-WmiObject to list installed antivirus products. |
| Command and Control | Application Layer Protocol: DNS | T1071.004 | Reverse shell communication via custom DNS requests. |
| Command and Control | Encrypted Channel: Symmetric Cryptography | T1573.001 | Uses ChaCha20 and RC4 for encrypted C2 communication. |
| Command and Control | Native API | T1106 | Dynamically resolves API functions in Nim loader via GetProcAddress. |
| Collection | Screen Capture | T1113 | PowerShell-based screen capture uploaded to Imgur and linked back to C2. |
| Exfiltration | Exfiltration Over C2 Channel | T1041 | Data (shell output, screenshots, logs) sent via DNS or HTTP back to C2. |

Source:

  • https://catalyst.prodaft.com/public/report/skitnet/overview#heading-1000


Ampcus Cyber