

Ethical Hacking News

Ransomware Gangs Leverage Skitnet Post-Exploitation Malware for Stealthy Operations



Ransomware gang members are increasingly relying on Skitnet post-exploitation malware to perform stealthy activities on compromised networks. With its potent capabilities, this malware offers significant benefits to hackers while also increasing the challenge of attribution for law enforcement agencies.

  • Skitnet, a recently surfaced post-exploitation malware, has become a widely used tool among ransomware gangs.
  • The malware allows attackers to establish a backdoor into breached networks, enabling remote access and control over infected systems.
  • Skitnet features a complex payload with multiple threads, allowing attackers to maintain control while minimizing detection risk.
  • The C2 panel provides real-time monitoring and fine-grained control over compromised systems, including varied commands for execution.
  • Using Skitnet can provide cost savings and reduced complexity for ransomware gangs, but also increases attribution difficulty for law enforcement agencies.



In recent months, a new player has emerged in the world of ransomware, one that promises to give hackers the tools needed to conduct stealthy post-exploitation activities on breached networks. This malware, known as Skitnet or Bossnet, has been making waves among ransomware gangs since its release on underground forums such as RAMP in April 2024.

According to recent research by Prodaft, a team of cybersecurity experts who specialize in tracking and analyzing emerging threats, Skitnet has gained significant traction among these groups because of its potent capabilities. By deploying this malware, ransomware operators can establish a backdoor into the compromised network, allowing them to remotely access and control infected systems.

Skitnet is a multi-stage piece of malware that begins with a Rust-based loader dropped and executed on the target system. The loader then decrypts a ChaCha20-encrypted Nim binary and loads it into memory. The Nim payload establishes a DNS-based reverse shell for communication with the command-and-control (C2) server, initiating the session with randomized DNS queries.

This first phase sets the stage for further post-exploitation activity. The malware starts three threads: one sends heartbeat DNS requests, one monitors and exfiltrates shell output, and the third listens for commands in DNS responses and decrypts them. This lets the attackers maintain a high level of control over compromised systems while minimizing the risk of detection.

One of the standout features of Skitnet is its C2 panel, which allows operators to monitor the status of infected systems in real time. The panel shows the IP address, location, and other key details about each system. It also lets operators issue commands for execution, giving them fine-grained control over how they interact with compromised machines.

The commands supported by Skitnet's C2 panel are varied. They include startup, screen, Anydesk, rutserv, shell, av, and a .NET loader. The first four allow operators to establish persistence on the system, capture screenshots, install remote access tools, or download additional malicious software, respectively. The shell command starts a PowerShell command loop, which can be used for further post-exploitation activities.

The 'av' command, short for antivirus, enumerates installed security software by querying WMI (SELECT * FROM AntiVirusProduct in the root\SecurityCenter2 namespace). This lets operators identify security products that may interfere with their operations. The .NET loader gives operators the ability to execute PowerShell scripts in memory, further expanding their capabilities.

Prodaft notes that using off-the-shelf malware like Skitnet offers ransomware gangs several benefits, including cost savings and reduced complexity compared to developing custom tools. However, it also makes attribution harder, since law enforcement agencies cannot rely on tooling alone to track and identify the source of these operations.

In conclusion, the emergence of Skitnet as a key piece of post-exploitation malware among ransomware gangs marks an important development in the ongoing cat-and-mouse game between hackers and cybersecurity professionals. As these threats continue to evolve, organizations must remain vigilant and proactive in their defense strategies.
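The DNS reverse shell described above (randomized query names plus a heartbeat thread) leaves a recognizable footprint in resolver logs: many unique, high-entropy subdomains under one base domain, queried at a steady cadence from one host. The following detector is an added example for defenders; it is not code from Skitnet, Prodaft, or the article. The log format, the base domain `c2-placeholder.test`, and the thresholds are constructed assumptions and should be tuned to your own resolver telemetry.

```python
import math
import statistics
from collections import defaultdict

# Constructed sample resolver log (NOT from the page): "epoch_seconds client_ip qname".
# c2-placeholder.test is a placeholder, not a real indicator.
SAMPLE_DNS_LOG = """\
1715850000 10.0.0.5 www.example.com
1715850003 10.0.0.5 mail.example.com
1715850010 10.0.0.5 k3j9x2.c2-placeholder.test
1715850020 10.0.0.5 p0q7zb.c2-placeholder.test
1715850030 10.0.0.5 m8n1vq.c2-placeholder.test
1715850041 10.0.0.5 d5r2yt.c2-placeholder.test
1715850050 10.0.0.5 a9w4hc.c2-placeholder.test
1715850060 10.0.0.5 z1e6lk.c2-placeholder.test
1715850075 10.0.0.5 www.example.com
1715850200 10.0.0.7 www.example.com
"""


def shannon_entropy(label: str) -> float:
    """Bits of entropy per character; random-looking labels score high, 'www' scores 0."""
    if not label:
        return 0.0
    counts = {}
    for ch in label:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(label)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def split_qname(qname: str, base_labels: int = 2):
    """Return (leftmost label, base domain). A bare base domain has an empty leftmost label."""
    labels = qname.rstrip(".").lower().split(".")
    if len(labels) <= base_labels:
        return "", ".".join(labels)
    return labels[0], ".".join(labels[-base_labels:])


def parse_dns_log(text: str):
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue  # skip malformed lines rather than crash on them
        ts, client, qname = parts
        yield int(ts), client, qname


def detect_dns_beacons(text: str, min_queries: int = 5, max_interval_cv: float = 0.3,
                       min_label_entropy: float = 2.0, min_unique_ratio: float = 0.8):
    """Flag (client, base domain) pairs that look like a DNS heartbeat/C2 channel."""
    groups = defaultdict(list)
    for ts, client, qname in parse_dns_log(text):
        sub, base = split_qname(qname)
        groups[(client, base)].append((ts, sub))

    findings = []
    for (client, base), entries in groups.items():
        if len(entries) < min_queries:
            continue
        entries.sort()
        intervals = [b[0] - a[0] for a, b in zip(entries, entries[1:])]
        mean_iv = statistics.mean(intervals)
        # Coefficient of variation: a heartbeat thread produces near-constant spacing.
        cv = statistics.pstdev(intervals) / mean_iv if mean_iv > 0 else float("inf")
        labels = [sub for _, sub in entries if sub]
        unique_ratio = len(set(labels)) / len(entries)
        mean_entropy = statistics.mean(shannon_entropy(l) for l in labels) if labels else 0.0
        if cv <= max_interval_cv and unique_ratio >= min_unique_ratio and mean_entropy >= min_label_entropy:
            findings.append({
                "client": client,
                "base_domain": base,
                "queries": len(entries),
                "mean_interval": mean_iv,
                "interval_cv": cv,
                "unique_ratio": unique_ratio,
                "mean_label_entropy": mean_entropy,
            })
    return findings


if __name__ == "__main__":
    for f in detect_dns_beacons(SAMPLE_DNS_LOG):
        print(f)
```

Benign traffic to example.com in the sample is never flagged: it has too few queries and its labels ("www", "mail") carry little entropy. CDN and telemetry domains also use unique subdomains, so in production the base-domain allowlist and the cadence threshold matter more than the entropy cut-off.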
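The 'av' command's WMI query (AntiVirusProduct in root\SecurityCenter2) is also something a defender can hunt for in PowerShell script block logs. The following matcher is an added example, not code from the article or from Prodaft; the record format and the sample script blocks are constructed, and the pattern list is an assumption covering the common spellings of that query.

```python
import re

# Constructed PowerShell script-block records (NOT from the page), shaped like the
# fields a SIEM would extract from Event ID 4104.
SAMPLE_SCRIPT_BLOCKS = [
    {"id": 1, "user": "CORP\\admin",
     "script": "Get-CimInstance -Namespace root/SecurityCenter2 -ClassName AntiVirusProduct"},
    {"id": 2, "user": "CORP\\jdoe",
     "script": 'Get-WmiObject -Query "SELECT * FROM AntiVirusProduct" -Namespace "root\\SecurityCenter2"'},
    {"id": 3, "user": "CORP\\jdoe",
     "script": "Get-Process | Where-Object { $_.CPU -gt 100 }"},
    {"id": 4, "user": "CORP\\svc-build",
     "script": "wmic /namespace:\\\\root\\SecurityCenter2 path AntiVirusProduct get displayName"},
]

# Each entry names the query style it matches; all patterns are case-insensitive.
AV_ENUM_PATTERNS = [
    ("wql_query", re.compile(r"select\s+.+?\s+from\s+antivirusproduct", re.I | re.S)),
    ("cim_class", re.compile(r"(get-ciminstance|get-wmiobject|gwmi)\b.*?antivirusproduct", re.I | re.S)),
    ("wmic_path", re.compile(r"\bwmic\b.*?path\s+antivirusproduct", re.I | re.S)),
]
SECURITY_CENTER_NS = re.compile(r"root[\\/]+securitycenter2", re.I)


def classify_av_enumeration(script: str):
    """Return the matching query style, or None if the script block is not an AV inventory."""
    # Require the SecurityCenter2 namespace so unrelated mentions of the class name do not fire.
    if not SECURITY_CENTER_NS.search(script):
        return None
    for name, pattern in AV_ENUM_PATTERNS:
        if pattern.search(script):
            return name
    return None


def find_av_enumeration(records):
    """Scan script-block records and return one finding per matching record."""
    findings = []
    for rec in records:
        style = classify_av_enumeration(rec["script"])
        if style:
            findings.append({"id": rec["id"], "user": rec["user"], "style": style})
    return findings


if __name__ == "__main__":
    for f in find_av_enumeration(SAMPLE_SCRIPT_BLOCKS):
        print(f)
```

Administrators run this exact query legitimately, so treat a hit as a triage signal to be joined with context (parent process, user, and whether the same host also shows the DNS behaviour described earlier) rather than as an alert on its own.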



    Related Information:
  • https://www.ethicalhackingnews.com/articles/Ransomware-Gangs-Leverage-Skitnet-Post-Exploitation-Malware-for-Stealthy-Operations-ehn.shtml

  • https://www.bleepingcomputer.com/news/security/ransomware-gangs-increasingly-use-skitnet-post-exploitation-malware/


  • Published: Fri May 16 10:25:19 2025 by llama3.2 3B Q4_K_M
