In April 2024, a new multi-stage malware named Skitnet (also known as Bossnet) emerged on underground forums, advertised as a fully autonomous threat toolkit for stealthy system compromise and persistent remote control. Developed by a threat actor identified as LARVA-306, Skitnet blends the power of multiple programming languages—Rust, Nim, and .NET—to bypass detection, exfiltrate data, and enable continuous attacker access through DNS-based command-and-control mechanisms. Its use of legitimate tools such as AnyDesk and signed binaries like Asus ISP.exe makes it a particularly deceptive and potent threat to organizations globally.
Severity Level: High
THREAT OVERVIEW:
The Breach: How It Happened
- Initial Payload (Rust):
  - Skitnet is delivered via an installer (distribution vector not specified but likely spearphishing or forum-based download).
  - Decrypts embedded Nim binary using ChaCha20
  - Uses manualmap (DInvoke-rs) to load Nim payload into memory (T1620)
- Second Stage (Nim Binary):
  - Establishes DNS-based reverse shell (T1071.004)
  - Resolves functions via GetProcAddress (T1106)
  - Uses Symmetric Cryptography to encrypt/decrypt C2 traffic (T1573.001)
  - Executes cmd.exe and runs shell commands (T1059)
- Persistence (DLL Hijacking):
  - Leverages signed Asus ISP.exe for DLL hijacking (T1574)
  - Executes pas.ps1 PowerShell script for persistence and beaconing (T1059.001, T1547.001)
  - Sends drive serial to C2: http[:]//178[.]236.247.7/{serial_number}
- C2 Panel Interaction:
  - Filters victims by IP, country, provider
  - Commands supported: startup, screen, anydesk, rutserv, shell, av
  - Reverse shell uses polling to retrieve and execute commands.
- Optional Payloads:
  - Remote tools like AnyDesk/RUTserv (T1219)
  - Screenshot capture (T1113)
  - Security software discovery (T1518.001)
  - .NET loader drops further payloads using RC4-decrypted URL (rushpapers[.]com)
Recommendations:
- Use AppLocker or WDAC to block execution of unsigned binaries and non-standard file paths like C:\ProgramData\huo\.
- Configure systems to audit DLL loads and restrict dynamic linking paths. Enforce DLL signature checks for critical applications.
- Enable Exploit Protection / AMSI to intercept reflective code loading (Rust, DInvoke-rs, .NET Assembly.Load).
- Enable PowerShell Script Block Logging and Module Logging to monitor execution of scripts like pas.ps1 and web.log.
- Restrict PowerShell and cmd usage for standard users. Apply Constrained Language Mode for PowerShell.
- Block the IOCs at their respective controls:
  https://www.virustotal.com/gui/collection/20695ca85a14fb26e61935cd513d1bd863c7090b435accedbc9459fb00290abb/iocs
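To show what the audit and logging recommendations above buy a defender, here is an added detection example (not part of the original advisory or the PRODAFT report) that runs three Skitnet-shaped rules over constructed Sysmon-style events: ISP.exe loading SnxHidLib.DLL from a user-writable directory, PowerShell launching pas.ps1 or web.log, and DNS queries with long hex-looking labels. The event format, the `.invalid` domain and all paths in the sample are constructed placeholders, not IOCs from the page.

```python
import re

# Constructed Sysmon-style events (not real telemetry). Format: EventID|Image|Detail
# EventID 1 = process create (Detail = command line), 7 = image load (Detail = DLL path),
# 22 = DNS query (Detail = query name).
SAMPLE_EVENTS = [
    "1|C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe|powershell.exe -File C:\\ProgramData\\huo\\pas.ps1",
    "7|C:\\ProgramData\\huo\\ISP.exe|C:\\ProgramData\\huo\\SnxHidLib.DLL",
    "22|C:\\ProgramData\\huo\\ISP.exe|a3f9c0d12e7b.4b8e1f2a9c3d7e6f.c2-placeholder.invalid",
    "7|C:\\Program Files\\ASUS\\ISP.exe|C:\\Windows\\System32\\kernel32.dll",
    "22|C:\\Windows\\System32\\svchost.exe|www.microsoft.com",
]

# Directories a standard user can write to; a signed vendor binary loading
# its DLL from here is the hijack pattern described in the advisory.
WRITABLE_ROOTS = ("c:\\programdata\\", "c:\\users\\")
HEX_LABEL = re.compile(r"^[0-9a-f]{12,}$")

def parse(line):
    event_id, image, detail = line.split("|", 2)
    return int(event_id), image, detail

def suspicious_dns(name):
    """Heuristic for DNS-tunnelled C2: very long query or long hex-only labels."""
    labels = name.lower().split(".")
    return len(name) > 60 or any(HEX_LABEL.match(label) for label in labels)

def detect(events):
    """Return (rule_name, event) pairs for events matching Skitnet-shaped behaviour."""
    alerts = []
    for line in events:
        event_id, image, detail = parse(line)
        img, det = image.lower(), detail.lower()
        # Rule 1: ISP.exe loading SnxHidLib.DLL from a user-writable directory (T1574)
        if (event_id == 7 and img.endswith("\\isp.exe")
                and det.endswith("\\snxhidlib.dll") and det.startswith(WRITABLE_ROOTS)):
            alerts.append(("dll_hijack_isp", line))
        # Rule 2: PowerShell launching the persistence/beacon scripts (T1059.001)
        elif (event_id == 1 and img.endswith("\\powershell.exe")
                and any(name in det for name in ("pas.ps1", "web.log"))):
            alerts.append(("powershell_skitnet_script", line))
        # Rule 3: DNS queries shaped like a tunnelled reverse shell (T1071.004)
        elif event_id == 22 and suspicious_dns(detail):
            alerts.append(("dns_c2_heuristic", line))
    return alerts

if __name__ == "__main__":
    for rule, event in detect(SAMPLE_EVENTS):
        print(rule, "<-", event)
```

Rule 3 is a heuristic and will need tuning against your own DNS baseline; the first two rules are narrow enough to page on directly.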
MITRE ATT&CK:
| Tactic | Technique | ID | Details |
|---|---|---|---|
| Execution | Command and Scripting Interpreter: PowerShell | T1059.001 | Executes multiple PowerShell scripts (e.g., pas.ps1, web.log) to maintain persistence and load payloads. |
| Execution | Command and Scripting Interpreter | T1059 | Uses cmd.exe shell to execute commands received over DNS C2. |
| Persistence | Registry Run Keys / Startup Folder | T1547.001 | Uses Startup folder to run ISP.exe, which loads malicious DLL. |
| Persistence | Hijack Execution Flow | T1574 | DLL hijacking with signed ASUS ISP.exe to run malicious SnxHidLib.DLL. |
| Privilege Escalation | Hijack Execution Flow | T1574 | Same DLL hijack applies if elevated context is abused. |
| Defense Evasion | Obfuscated Files or Information | T1027 | Payloads are encrypted using ChaCha20 and RC4; strings obfuscated in .NET loaders. |
| Defense Evasion | Deobfuscate/Decode Files or Information | T1140 | Decrypts payloads in memory after ChaCha20/RC4 decoding. |
| Defense Evasion | Reflective Code Loading | T1620 | Rust loader manually maps PE file using DInvoke-rs to evade AV. |
| Discovery | Security Software Discovery | T1518.001 | Uses Get-WmiObject to list installed antivirus products. |
| Command and Control | Application Layer Protocol: DNS | T1071.004 | Reverse shell communication via custom DNS requests. |
| Command and Control | Encrypted Channel: Symmetric Cryptography | T1573.001 | Uses ChaCha20 and RC4 for encrypted C2 communication. |
| Command and Control | Native API | T1106 | Dynamically resolves API functions in Nim loader via GetProcAddress. |
| Collection | Screen Capture | T1113 | PowerShell-based screen capture uploaded to Imgur and linked back to C2. |
| Exfiltration | Exfiltration Over C2 Channel | T1041 | Data (shell output, screenshots, logs) sent via DNS or HTTP back to C2. |
Source:
- https://catalyst.prodaft.com/public/report/skitnet/overview#heading-1000