Skitnet Malware Uses Advanced Stealth Methods to Deliver Payloads and Ensure Persistence

Skitnet, also known as Bossnet, is an emerging multi-stage malware attributed to the threat actor LARVA-306 that demonstrates highly advanced techniques for stealthy payload delivery and persistent system compromise.

First observed in underground forums in April 2024, Skitnet is promoted as a turnkey solution for cyber adversaries, featuring fully automated Bash-scripted deployment and built-in anti-forensic capabilities, including the automated wiping of SSH logs, IP addresses, and command history.

The malware’s initial stage is engineered in Rust and employs the ChaCha20 encryption algorithm to decrypt an embedded payload at runtime.

Figure: ChaCha decryption routine in the Skitnet first stage.

This approach leverages the robust cryptographic capabilities of Rust to obfuscate the second-stage binary, thereby thwarting static file analysis and evading traditional defenses.

Once decrypted in memory, the payload, a Nim-compiled binary, is manually mapped using the DInvoke-rs library, a technique known as reflective code loading.

According to the Catalyst report, this mode of execution further complicates detection because the binary bypasses the operating system's default loader, minimizing its forensic footprint.

Stealthy C2 Communication

The second-stage Nim binary initiates a covert connection to the command-and-control (C2) server using DNS tunneling.

By dynamically resolving necessary API functions at runtime, rather than relying on import tables, the binary obscures its operational profile.

Communication with the C2 infrastructure is performed through custom-crafted DNS queries containing randomized identifiers, leveraging the nim-dnsprotocol library to further blend malicious traffic with legitimate network activity.

Upon establishing connectivity, the Nim binary spawns a reverse shell channel through DNS, enabling attackers to execute arbitrary commands on the target system.

Outbound messages and command responses are symmetrically encrypted and encapsulated within DNS requests, affording further stealth against network monitoring tools.
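The traffic pattern described above (one host issuing many distinct DNS queries whose leftmost label is long and high-entropy under a single domain) is something a defender can hunt for in resolver logs. The following Python sketch is an added example, not code from the Catalyst report or from Skitnet; the log format, the sample lines, the domain name and the thresholds are all constructed assumptions.

```python
import math
import re
from collections import defaultdict

# Constructed resolver log: "<timestamp> <client> <qname> <qtype>" per line.
# The host names below are made up and are NOT indicators from the report.
SAMPLE_LOG = """\
2024-05-01T10:00:01Z 10.0.0.5 www.example.com A
2024-05-01T10:00:02Z 10.0.0.5 mail.example.com MX
2024-05-01T10:00:03Z 10.0.0.7 k3j9x0q2v7b1m4z8.c2-placeholder.test TXT
2024-05-01T10:00:04Z 10.0.0.7 a8s7d6f5g4h3j2k1l0.c2-placeholder.test TXT
2024-05-01T10:00:05Z 10.0.0.7 zq1wx2ec3rv4tb5yn6um7.c2-placeholder.test TXT
2024-05-01T10:00:06Z 10.0.0.7 p0o9i8u7y6t5r4e3w2q1.c2-placeholder.test TXT
2024-05-01T10:00:07Z 10.0.0.5 cdn.example.com A
"""

LOG_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+)$")

def shannon_entropy(s: str) -> float:
    """Shannon entropy of s in bits per character (0.0 for an empty string)."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(s.count(c) / n * math.log2(s.count(c) / n) for c in set(s))

def registered_domain(qname: str) -> str:
    """Naive eTLD+1 (last two labels). Adequate for the sample; a real
    deployment should consult the public suffix list instead."""
    return ".".join(qname.rstrip(".").split(".")[-2:])

def find_tunneling_candidates(log_text, min_label_len=16,
                              min_entropy=3.5, min_unique=3):
    """Return {(client, domain): distinct_label_count} for client/domain pairs
    with at least min_unique distinct leftmost labels that are both long and
    high-entropy. Thresholds are assumed starting points, not report values."""
    labels = defaultdict(set)
    for line in log_text.splitlines():
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # skip malformed lines rather than crash on them
        _, client, qname, _ = m.groups()
        label = qname.split(".")[0]
        if len(label) >= min_label_len and shannon_entropy(label) >= min_entropy:
            labels[(client, registered_domain(qname))].add(label)
    return {k: len(v) for k, v in labels.items() if len(v) >= min_unique}

if __name__ == "__main__":
    for (client, domain), n in find_tunneling_candidates(SAMPLE_LOG).items():
        print(f"{client} -> {domain}: {n} distinct high-entropy labels")
```

Ordinary hosts with short, dictionary-like labels (www, mail, cdn) never cross the length or entropy gate, so only the chatty host under the single placeholder domain is reported.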

Persistence Through DLL Hijacking

To maintain persistence, Skitnet employs several sophisticated mechanisms. It exploits DLL hijacking by leveraging a legitimate, signed executable from Asus (ISP.exe) placed alongside a malicious library (SnxHidLib.DLL), which the trusted application loads during runtime.

Figure: Forum post advertising Skitnet/Bossnet.

The malicious DLL triggers the execution of a PowerShell script (pas.ps1), which operates in an infinite loop to relay the device’s C drive serial number to the C2 server, continuously awaiting additional payloads.

This persistence script leverages the Windows Startup directory to ensure payloads execute on each system reboot.

The PowerShell script downloads further modules, establishes shortcuts, and invokes remote code supplied directly by C2 operators, creating a resilient feedback loop for ongoing command reception.

Skitnet’s C2 panel is a robust adversary dashboard providing device profiling, operator comments, and multi-channel control.

Beyond the reverse shell, the malware offers PowerShell-based command execution, remote desktop access via AnyDesk or RUT-Serv (with process window concealment), and capabilities for screen capture and exfiltration via public services such as Imgur.

Furthermore, the malware can enumerate local security solutions by querying Windows SecurityCenter2 WMI classes, returning AV product data to the attackers.

For sustained operations, Skitnet includes a .NET-based loader deployed through an encoded PowerShell dropper.

This loader uses base64 decoding, XOR decryption, and dynamic assembly loading to execute additional obfuscated .NET payloads, each employing RC4 encryption for sensitive internal data and communications.

The staged loaders dynamically construct callback URIs for fetching subsequent payloads and extend the malware’s operational toolkit without requiring overt changes to the base implant.

Skitnet exemplifies the modern, modular malware ecosystem, integrating resilient persistence features, multi-language development, and encrypted DNS-based C2 communication to outmaneuver detection and response strategies.

Its layered obfuscation, reflective loading, and abuse of legitimate tools for both execution and persistence highlight an evolution in threat actor tradecraft, demanding equally sophisticated defensive approaches from targeted organizations.

Mandvi
Mandvi is a Security Reporter covering data breaches, malware, cyberattacks, data leaks, and more at Cyber Press.