Full Report
Ransomware gang members increasingly use a new malware called Skitnet ("Bossnet") to perform stealthy post-exploitation activities on breached networks. [...]
Analysis Summary
# Tool/Technique: Skitnet
## Overview
Skitnet is a post-exploitation malware increasingly utilized by ransomware gangs. It serves as an off-the-shelf, cost-effective tool providing various remote control and system reconnaissance capabilities to attackers after initial network access has been achieved.
## Technical Details
- Type: Malware family (Post-exploitation tool)
- Platform: Windows (not stated explicitly, but inferred from the command execution methods described: PowerShell and DLL hijacking of Windows executables).
- Capabilities: Persistence establishment, system reconnaissance (security software enumeration), remote access (via AnyDesk and RUT-Serv), screen capturing, and remote command execution.
- First Seen: Not specified in the provided text.
## MITRE ATT&CK Mapping
* **TA0001 - Initial Access** (Implied entry point before post-exploitation)
* **TA0003 - Persistence**
  * **T1547 - Boot or Logon Autostart Execution**
    * **T1547.001 - Registry Run Keys / Startup Folder** (Via creating a shortcut in the Startup folder)
    * **T1547.001 - Registry Run Keys / Startup Folder** (Via DLL Hijack persistence)
* **TA0005 - Defense Evasion**
  * **T1218 - Signed Binary Proxy Execution**
    * **T1218.011 - Rundll32** (Implied via DLL Hijack execution)
* **TA0009 - Collection**
  * **T1113 - Screen Capture**
* **TA0011 - Command and Control**
  * **T1071 - Application Layer Protocol** (Via C2 communication using HTTP/S implied by API polling '?m')
* **TA0007 - Discovery**
  * **T1087 - Account Discovery** (Implied by post-exploitation functionality)
  * **T1069 - Permission Groups Discovery** (Implied by post-exploitation functionality)
  * **T1518 - Software Discovery**
    * **T1518.001 - Installed Software** (Via WMI query for AntiVirusProduct)
## Functionality
### Core Capabilities
* **Persistence:** Establishes persistence by creating a shortcut to `ISP.exe` (a legitimate Asus executable) in the Startup folder; launching the shortcut triggers a DLL hijack, which in turn runs a PowerShell script (`pas.ps1`).
* **Remote Command Execution:** Features a `Shell` command that initiates a PowerShell command loop. It sends an acknowledgement ("Shell started..") and then polls the C2 server every 5 seconds for new commands, executing them using `Invoke-Expression`.
* **Screen Capturing:** The `Screen` command captures the desktop screenshot, uploads it to Imgur, and transmits the resulting URL back to the C2 server.
* **Security Software Enumeration:** The `Av` command queries WMI (`root\SecurityCenter2` namespace) to gather information about installed antivirus and security products.
### Advanced Features
* **Legitimate Remote Access Tool Integration:** Capable of silently downloading and installing legitimate remote access software, including **AnyDesk** (while hiding its window/tray icon) and **RUT-Serv**, to facilitate remote control.
* **In-Memory Execution:** Operators can leverage an accompanying **.NET loader** to execute PowerShell scripts directly in memory, enhancing evasion capabilities.
## Indicators of Compromise
- File Hashes: [Not provided in text]
- File Names: `pas.ps1` (PowerShell script)
- Registry Keys: [Not explicitly detailed, but persistence relies on Startup folder manipulation]
- Network Indicators: C2 communication involves polling the server with `?m`.
- Behavioral Indicators: Creation of shortcuts in the Startup folder; use of DLL hijacking targeting `ISP.exe`; WMI queries targeting `root\SecurityCenter2` for security product information; utilization of PowerShell for command execution and screenshot uploading to Imgur.
## Associated Threat Actors
- Ransomware groups (General association mentioned; no specific named groups provided).
## Detection Methods
- Signature-based detection: [Not detailed]
- Behavioral detection: Monitoring for Startup-folder shortcuts that point to legitimate executables placed alongside malicious DLLs; detection of PowerShell scripts performing WMI queries against security namespaces (e.g. `root\SecurityCenter2`); periodic outbound polling of a C2 server for commands.
- YARA rules: [Not provided]
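As an added illustration of the behavioral detections listed above (example code written for this summary, not part of the original report or of any vendor tooling), the Python below runs three rules over constructed, Sysmon-style event records: a Startup-folder shortcut whose target is a known side-loading host (`ISP.exe`) or lives in a user-writable directory, a PowerShell command line querying `root\SecurityCenter2`, and repeated HTTP requests carrying the `?m` query string at a fixed interval. The event schema, field names, sample command lines and hostnames are assumptions; the `c2.example` / `updates.example` hosts are placeholders.

```python
"""Behavioral detection rules for the Skitnet tradecraft described in the summary.

Added example, not from the original report. The event schema (type/ts/pid/image/
path/target/cmdline/host/url) and the sample records are constructed assumptions.
"""
import re
from collections import defaultdict
from datetime import datetime

# Shortcut created in a per-user or all-users Startup folder.
STARTUP_LNK = re.compile(r"\\Start Menu\\Programs\\Startup\\[^\\]+\.lnk$", re.I)
# Legitimate binaries the report names as DLL side-loading hosts; extend as needed.
SIDELOAD_HOSTS = {"isp.exe"}
# A Startup shortcut whose target lives in a user-writable location is suspicious on its own.
USER_WRITABLE = re.compile(r"\\(AppData|Temp|Downloads|Public)\\", re.I)
# WMI namespace the 'Av' command queries for installed security products.
SECURITY_CENTER = re.compile(r"root[\\/]SecurityCenter2", re.I)
# The '?m' query string the report associates with C2 command polling.
POLL_QUERY = re.compile(r"\?m(?:=|&|$)")
POWERSHELL = ("powershell.exe", "pwsh.exe")

# Constructed sample telemetry: three malicious records plus benign look-alikes.
PS_IMAGE = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
STARTUP = r"C:\Users\alice\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup"
SAMPLE_EVENTS = [
    {"ts": "2024-01-01T10:00:00", "type": "file_create", "pid": 4120, "image": PS_IMAGE,
     "path": STARTUP + r"\ISP.lnk", "target": r"C:\Users\alice\AppData\Local\Temp\ISP.exe"},
    {"ts": "2024-01-01T10:00:02", "type": "file_create", "pid": 900, "image": r"C:\Windows\explorer.exe",
     "path": STARTUP + r"\Teams.lnk", "target": r"C:\Program Files\Teams\Teams.exe"},
    {"ts": "2024-01-01T10:00:05", "type": "process", "pid": 5012, "image": PS_IMAGE,
     "cmdline": 'powershell.exe -w hidden -c "Get-CimInstance -Namespace root/SecurityCenter2 -ClassName AntiVirusProduct"'},
    {"ts": "2024-01-01T10:00:06", "type": "process", "pid": 5013, "image": PS_IMAGE,
     "cmdline": 'powershell.exe -c "Get-CimInstance Win32_OperatingSystem"'},
] + [
    {"ts": f"2024-01-01T10:01:{s:02d}", "type": "net", "pid": 5012, "host": "c2.example",
     "url": "http://c2.example/?m"} for s in (0, 5, 10, 15)
] + [
    # A single '?m' request is not enough on its own; periodicity is what we alert on.
    {"ts": "2024-01-01T10:02:00", "type": "net", "pid": 2200, "host": "updates.example",
     "url": "http://updates.example/?m=check"},
]


def detect_startup_shortcuts(events):
    """Flag .lnk files in a Startup folder pointing at a side-load host or a user-writable path."""
    alerts = []
    for e in events:
        if e["type"] != "file_create" or not STARTUP_LNK.search(e["path"]):
            continue
        target = e.get("target", "")
        reasons = []
        if target.rsplit("\\", 1)[-1].lower() in SIDELOAD_HOSTS:
            reasons.append("known side-load host")
        if USER_WRITABLE.search(target):
            reasons.append("target in user-writable directory")
        if reasons:
            alerts.append({"rule": "startup_shortcut", "pid": e["pid"], "path": e["path"],
                           "target": target, "reasons": reasons})
    return alerts


def detect_securitycenter_enum(events):
    """Flag PowerShell processes whose command line touches root\\SecurityCenter2.

    Legitimate inventory scripts can do this too, so treat it as a signal to correlate,
    not a conviction on its own.
    """
    return [
        {"rule": "securitycenter_enum", "pid": e["pid"], "cmdline": e["cmdline"]}
        for e in events
        if e["type"] == "process"
        and e["image"].lower().endswith(POWERSHELL)
        and SECURITY_CENTER.search(e.get("cmdline", ""))
    ]


def detect_c2_polling(events, expected_interval=5.0, tolerance=1.5, min_requests=3):
    """Flag a (pid, host) pair issuing '?m' requests at a regular ~5 s cadence."""
    by_key = defaultdict(list)
    for e in events:
        if e["type"] == "net" and POLL_QUERY.search(e["url"]):
            by_key[(e["pid"], e["host"])].append(datetime.fromisoformat(e["ts"]))
    alerts = []
    for (pid, host), times in by_key.items():
        times.sort()
        if len(times) < min_requests:
            continue
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        if all(abs(g - expected_interval) <= tolerance for g in gaps):
            alerts.append({"rule": "periodic_c2_poll", "pid": pid, "host": host,
                           "requests": len(times), "mean_gap": sum(gaps) / len(gaps)})
    return alerts


def run_detections(events):
    """Run every rule and return the combined alert list."""
    return (detect_startup_shortcuts(events)
            + detect_securitycenter_enum(events)
            + detect_c2_polling(events))


if __name__ == "__main__":
    for alert in run_detections(SAMPLE_EVENTS):
        print(alert)
```

The polling rule keys on process id plus destination so that an unrelated single `?m` request elsewhere does not trip it; in production you would feed it a sliding window of proxy or EDR network events and tune `expected_interval` and `tolerance` to the cadence you observe, since the 5-second loop is only what this report describes.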
## Mitigation Strategies
- Prevention measures: Strict control over executable paths in the Startup folder; robust application whitelisting to prevent unauthorized execution of remote access tools (AnyDesk, RUT-Serv).
- Hardening recommendations: Monitoring and restricting WMI activity, especially from non-standard processes, related to security product enumeration; implementing DLL side-loading prevention techniques.
## Related Tools/Techniques
- Similar off-the-shelf post-exploitation malware used by various threat actors, valued for being cheaper and quicker to deploy than custom tools.