Search This Blog
Powered by Blogger.

Blog Archive

Labels

About Me

Load More
Trendy Right Now

Popular Posts

Showing posts with label PowerShell malware. Show all posts
Skitnet
Cyber Defender Cyber Surge Cyberattacks Cybersecurity CyberThreat EDR malware PowerShell malware RAMP Ransomware Security Audits Skitnet

Surge in Skitnet Usage Highlights Evolving Ransomware Tactics

 


Today’s cyber threat landscape is rapidly evolving, making it increasingly difficult for adversaries to tell the difference between traditional malware families, as adversaries combine their capabilities to maximise their impact. Skitnet, an advanced multistage post-exploitation toolkit, is one of the best examples of this convergence, as it emerged as an evolution of the legacy Skimer malware, a sophisticated multi-stage post-exploitation toolkit. 

Skitnet, which was once used as a tool for skimming card information from ATMs, has been repurposed as one of the strongest weapons in the arsenal of advanced ransomware groups, notably Black Basta. In the last few months, it has appeared again as part of a larger tactical shift aimed at focusing on stealth, persistent access, data exfiltration, and support for double extortion ransomware campaigns that move away from singular objectives like financial theft. 

Since April 2024, Skitnet, which is also known as Bossnet in some underground circles, has been actively traded on darknet forums like RAMP, with a noticeable uptake noticed among cybercriminals by early 2025. This version has an enterprise-scale modular architecture, unlike its predecessor, which allows it to operate at an enterprise scale. 

There is no need to worry about fileless execution, DNS-based communication for command-and-control (C2), system persistence, or seamless integration with legitimate remote management tools like PowerShell or AnyDesk to use it. Through this flexibility, attackers can continue to remain covert inside targeted environments for extended periods of time without being noticed. 

In addition to being a threat to enterprises, Skitnet has also been deployed through sophisticated phishing campaigns that attempt to duplicate trusted enterprise platforms such as Microsoft Teams, thus allowing threat actors to use social engineering as a primary vector for gaining access to networks and systems. 

Moreover, this evolution demonstrates the growing commoditization of post-exploitation toolkits on underground markets, which offers a leading indicator of how ransomware groups are utilising increasingly advanced malware to refine their tactics and enhance the overall efficiency of their operations. 

According to recent threat intelligence findings, multiple ransomware groups are now actively integrating Skitnet into their post-exploitation toolkits in order to facilitate data theft, maintain persistent remote access to compromised enterprise systems, and reinforce control over compromised enterprise systems as well as facilitate after-exploitation data theft. Skitnet began circulating in underground forums like RAMP as early as April 2024, but its popularity skyrocketed by early 2025, when several prominent ransomware actors began leveraging its use in active campaigns to target consumers.

Several experts believe that Skitnet will end up being a major ransomware threat to the public shortly. The ransomware group Black Basta, for instance, was seen using Skitnet as part of phishing campaigns mimicking Microsoft Teams communications in April of 2025, an increasingly common technique that exploits the trust of employees towards workplace collaboration tools. 

The Skitnet campaign targets enterprise environments, where its stealth capabilities and modular design make it possible for the attacker to deep infiltrate and stay active for a long time. PRODAFT is tracking Skitnet as LARVA-306, the threat actor designated by the organisation. Skitnet, also known in underground circles by Bossnet, is a multi-stage malware platform designed to be versatile and evasive in nature. 

A unique feature of this malware is its use of Rust and Nim, two emerging programming languages in the malware development community, to craft payloads that are highly resistant to detection. By initiating a reverse shell via the DNS, the malware bypasses traditional security monitoring and allows attackers to remain in communication with the command-and-control infrastructure and maintain covert communications. 

Further increasing Skitnet's threat potential are its robust persistence mechanisms, the ability to integrate with legitimate remote access tools, and the ability to exfiltrate data built into its software. The .NET loader binary can also be retrieved and executed by the server, which serves as a mechanism to deliver additional payloads to the machine, thus increasing its operational flexibility. 

As described on dark web forums, Skitnet is a “compact package” comprised of a server component as well as a malware payload that is easy to deploy. As a result of Skitnet's technical sophistication and ease of deployment, it continues to be a popular choice among cybercriminals looking for scalable, stealthy, and effective post-exploitation tools. 

There is a modular architecture built into Skitnet, with a PowerShell-based dropper that decodes and executes the core loader in a centralised manner. Using HTTP POST requests with AES-encrypted payloads, the loader retrieves task-specific plugins from hardcoded command-and-control servers that are hardcoded. One of its components is skitnel.dll, which makes it possible to execute in memory while maintaining the persistence of the system through built-in mechanisms.

Researchers have stated that Skitnet's plugin ecosystem includes modules that are dedicated to the harvesting of credentials, escalation of privileges, and lateral movement of ransomware, which allow threat actors to tailor their attacks to meet the strategic objectives and targets of their attacks. It is clear from the infection chain that Skitnet is a technical advancement in the post-exploitation process, beginning with the execution of a Rust-based loader on compromised hosts. 

With this loader, a Nim binary that is encrypted with ChaCha20 is decrypted and then loaded directly into memory, allowing the binary to be executed stealthily, without the need for traditional detection mechanisms. The Nim-based payload establishes a reverse shell through a DNS-based DNS request, utilising randomised DNS queries to initiate covert communications with the command-and-control (C2) infrastructure as soon as it is activated. 

To carry out its core functions, the malware then launches three different threads to manage its core functions: one thread takes care of periodic heartbeat signals, another thread monitors and extracts shell output, and yet another thread monitors and decrypts responses received over DNS, and the third thread listens for incoming instructions. Based on the attacker's preferences set within the Skitnet C2 control panel, command execution and C2 communication are dynamically managed, using either HTTP or DNS protocols. 

Through the web-based interface, operators can view infected endpoints in real-time, view their IP address, their location, and their system status, as well as remotely execute command-line commands with precision, in real time. As a result of Skitnet's level of control, it has become a very important tool in modern ransomware campaigns as a highly adaptable and covert post-exploitation tool. 

As opposed to custom-built malware created just for specific campaigns, Skitnet is openly traded on underground forums, offering a powerful post-exploitation solution to cyber criminals of all sorts. The stealth characteristics of this product, as well as minimal detection rates and ease of deployment, make it an attractive choice for threat actors looking to maximise performance and maintain operational covertness. With this ready accessibility, the technical barrier to executing sophisticated attacks is dramatically reduced. 

Real-World Deployments by Ransomware Groups


There is no doubt in my mind that Skitnet is not just a theoretical concept. Security researchers have determined that it has been used in actual operations conducted by ransomware groups such as Black Basta and Cactus, as well as in other real-life situations. 

As part of their phishing campaigns, actors have impersonated Microsoft Teams to gain access to enterprise environments. In these attacks, Skitnet has successfully been deployed, highlighting its growing importance among ransomware threats. 

Defensive Measures Against Skitnet 


Skitnet poses a significant risk to organisations. Organisations need to adopt a proactive and layered security approach to mitigate these risks. Key recommendations are as follows: 

DNS Traffic Monitoring: Identify and block unusual or covert DNS queries that might be indicative of an activity like command and control. 

Endpoint Detection and Response (EDR) Use advanced EDR tools to detect and investigate suspicious behaviour associated with Rust and Nim-based payloads. Often, old antivirus solutions are unable to detect these threats. 

PowerShell Execution Restrictions: PowerShell should be limited to only be used in situations that prevent unauthorised script execution and minimise the risk of a fileless malware attack. 

Regular Security Audits Continually assess and manage vulnerabilities to prevent malware like Skitnet from entering the network and exploiting them, as well as administer patches as needed. 

The Growing Threat of Commodity Malware 


In the context of ransomware operations, Skitnet represents the evolution of commodity malware into a strategic weapon. As its presence in cybercrime continues to grow, organisations are required to stay informed, agile, and ready to fight back. To defend against this rapidly evolving threat, it is crucial to develop resilience through threat intelligence, technical controls, and user awareness. 

Often times, elite ransomware groups invest in creating custom post-exploitation toolsets, but they take a considerable amount of time, energy, and resources to develop them—factors that can restrict operational agility. Skitnet, on the other hand, is a cost-effective, prepackaged alternative that is not only easy to deploy but also difficult to attribute, as it is actively distributed among a wide range of threat actors. 

A broad distribution of incidents further blurs attribution lines, making it more difficult to identify threat actors and respond to incidents. The cybersecurity firm Prodaft has published on GitHub associated Indicators of Compromise (IoCs) related to incident response. As a result of Skitnet's plug-and-play architecture and high-impact capabilities, it is particularly appealing to groups that wish to achieve strategic goals with minimal operational overhead in terms of performance and operational efficiency. 

According to Prodaft in its analysis, Skitnet is particularly attractive for groups that are trying to maximise impact with the lowest overhead. However, in spite of the development of antivirus evasion techniques for custom-made malware, the affordability, modularity, and stealth features of Skitnet continue to drive its adoption in the marketplace. 

Despite the fact that it is a high-functioning off-the-shelf tool, its popularity in the ransomware ecosystem illustrates a growing trend that often outweighs bespoke development when attempting to achieve disruptive outcomes. As ransomware tactics continue to evolve at an explosive rate, the advent and widespread adoption of versatile toolkits like Skitnet are a stark reminder of how threat actors have been continually refining their methods in order to outpace traditional security measures. 

A holistic and proactive cybersecurity posture is vital for organisations to adopt to protect themselves from cyber threats and evade detection, one that extends far beyond basic perimeter defences and incorporates advanced threat detection, continuous monitoring, and rapid incident response capabilities. To detect subtle indicators of compromise that commodity malware like Skitnet exploits to maintain persistence and evade detection, organisations should prioritise integrating behavioural analytics and threat intelligence. 

It is also vital to foster an awareness of cybersecurity risks among employees, particularly when it comes to the risks associated with phishing and social engineering, to close the gap in human intelligence that is often the first attack vector employed by cybercriminals. Organisations must be able to protect themselves from sophisticated post-exploitation tools through multilayered defence strategies combining technology, processes, and people, enabling them to not only detect and mitigate the current threats but also adapt to emerging cyber risks in an ever-changing digital environment with rapidity.
Read more »
Windows malware
fake error messages malware PowerShell malware ransomware distribution social engineering attacks Windows malware

Crafty Criminals Use Fake Error Messages to Deploy Malware via PowerShell

 

Criminals are targeting thousands of organizations worldwide with social engineering attacks that use fake error messages to trick users into running malicious PowerShell scripts.

This new Windows malware campaign uses bogus error messages from Google Chrome, Microsoft Word, and OneDrive that appear legitimate. When victims visit a compromised website, they encounter a pop-up error message in their browser. This tactic, although old, remains highly effective. It's crucial to be aware of this trick to prevent others from falling for it.

Victims are instructed to click a "fix" button and paste the displayed code into a PowerShell terminal or Windows Run dialog box. This action allows PowerShell to execute another remote script that downloads and installs malware on the victim's computer.

Proofpoint malware researchers have identified at least two criminal groups using this method. One of these groups is likely using it to spread ransomware.

"Although the attack chain requires significant user interaction to be successful, the social engineering is clever enough to present someone with what looks like a real problem and solution simultaneously, which may prompt a user to take action without considering the risk," stated Tommy Madjar, Dusty Miller, and Selena Larson in a recent report.

Proofpoint discovered a group named TA571 employing this PowerShell technique as early as March 1, and another gang behind the ClearFake malware campaign has been using it since early April. Both groups were still active in early June, and a third campaign, dubbed ClearFix, has been testing it out since at least May.

In these attacks, users visit a compromised website that loads a malicious script hosted on the blockchain via Binance's Smart Chain contracts, known as EtherHiding. This script then triggers a fake warning box in the browser, prompting the victim to install a "root certificate" to fix a fictitious problem.

The warning message includes instructions to copy a PowerShell script and run it manually. This script flushes the DNS cache, clears the clipboard, displays a decoy message, and then downloads and executes a remote PowerShell script.

The remote script conducts Windows Management Instrumentation checks and then deploys Lumma Stealer malware, which downloads three payloads:

am.exe – Amadey Loader
ma.exe – A downloader that installs the XMRig cryptocurrency miner with a specific configuration
cl.exe – A clipboard hijacker that replaces cryptocurrency addresses in the clipboard to redirect funds to the threat actor's address during transactions
In some cases, the Amadey malware also downloads additional malware, including a Go-based threat believed to be JaskaGo, which can target both Windows and macOS systems.

"This means that in total, five distinct malware families could be executed just by running the one initial PowerShell script," the researchers noted.

The ClearFix campaign used a similar tactic. Attackers employed a compromised website with an iframe overlay, displaying a Google Chrome error message instructing users to open "Windows PowerShell (Admin)" and paste malicious code, ultimately leading to the Vidar Stealer being downloaded and executed.

In another campaign attributed to TA571, the group sent out over 100,000 phishing emails to thousands of organizations globally. These emails contained a malicious HTML attachment disguised as a Microsoft Word page, displaying an error message about the "Word Online extension not being installed," and offering two options: "How to fix" and "Auto-fix."

Clicking "How to fix" copies a Base64-encoded PowerShell command to the clipboard, instructing the user to open PowerShell and paste the command. The "Auto-fix" button uses the search-ms protocol to display a WebDAV-hosted "fix.msi" or "fix.vbs" file.

Executing the MSI file installs Matanbuchus, another malware loader, while the VBS file downloads and runs the DarkGate attack code.

"Proofpoint assesses with high confidence that TA571 infections can lead to ransomware," the researchers said, noting that this group continually modifies its email lures and attack chains.

The security firm also provided examples of indicators of compromise and advised organizations to train employees to recognize and report suspicious activity, particularly social engineering attacks of this nature. 
Read more »
Subscribe to: Posts (Atom)