Skitnet Malware (Bossnet)

Skitnet, also known as Bossnet, is a sophisticated multi-stage backdoor malware developed by the threat actor LARVA-306. First observed in early 2024, Skitnet has gained traction among ransomware groups such as Black Basta and Cactus for its stealthy post-exploitation capabilities. Written in Rust, Nim, and .NET, Skitnet employs advanced evasion techniques, including DNS-based command-and-control (C2) communication, DLL hijacking, and in-memory execution, making it a formidable threat to enterprise environments.

Threat Overview

Skitnet is a modular backdoor designed to establish persistent access, exfiltrate data, and facilitate the deployment of additional payloads. Its architecture allows attackers to maintain long-term control over compromised systems while evading traditional security measures.

Threat Summary

Attribute	Details
Threat Type	Trojan, Backdoor, Loader
Detection Names	Avast (Win64:MalwareX-gen [Misc]), Combo Cleaner (Trojan.GenericKD.74987887), ESET-NOD32 (A Variant Of Win64/Agent.EZM), Kaspersky (Backdoor.Win64.Agent.lkh), Microsoft (Trojan:Win32/Alevaul!rfn)
Symptoms	Typically silent; may include unusual network activity or unauthorized remote access
Damage	Credential theft, identity theft, unauthorized remote access, system compromise
Distribution Methods	Phishing emails, malicious advertisements, software cracks, social engineering
Danger Level	High
Removal Tool	SpyHunter

Technical Details

Infection Chain:

1. Initial Loader (Rust): The infection begins with a Rust-based executable that decrypts an embedded Nim binary using ChaCha20 encryption.
2. Second Stage (Nim Binary): The decrypted Nim payload establishes a DNS-based reverse shell, enabling communication with the C2 server.
3. Persistence Mechanism: Skitnet achieves persistence through DLL hijacking, leveraging a legitimate Asus executable (ISP.exe) to load a malicious DLL (SnxHidLib.DLL). This process triggers the execution of a PowerShell script (pas.ps1) that maintains communication with the C2 server.
4. Command Execution: The malware supports various commands, including:
   • startup: Ensures persistence by creating shortcuts in the Startup directory.
   • screen: Captures screenshots of the victim’s desktop.
   • anydesk / rutserv: Installs legitimate remote desktop tools silently.
   • shell: Executes PowerShell scripts hosted on remote servers.
   • av: Enumerates installed antivirus and security software.
5. Additional Payloads: Skitnet can deploy a .NET loader to execute further payloads, enhancing its capabilities for data exfiltration and system manipulation.

How Did I Get Infected?

Skitnet is primarily distributed through phishing emails containing malicious attachments or links, malicious online advertisements, and software cracks. Once the initial loader is executed, it decrypts and runs the embedded Nim binary, establishing a reverse shell and allowing attackers to gain control over the system.

What Does It Do?

Upon infection, Skitnet provides attackers with persistent access to the compromised system. It enables the execution of arbitrary commands, deployment of additional malware, data exfiltration, and installation of remote desktop tools for further control. Its stealthy communication methods and persistence mechanisms make it difficult to detect and remove.

Should You Be Worried About Your System?

Yes. Skitnet poses a significant threat due to its advanced evasion techniques and ability to maintain long-term access to infected systems. It can lead to severe consequences, including data breaches, identity theft, and financial losses. Immediate action is required to detect and remove this malware from your system.

Manual Trojan Malware Removal Guide

Step 1: Boot into Safe Mode

1. Restart your computer.
2. Before Windows starts, press the F8 key (or Shift + F8 on some systems).
3. Select Safe Mode with Networking from the Advanced Boot Options menu.
4. Press Enter to boot.

This prevents the Trojan from running and makes it easier to remove.

---

Step 2: Identify and Stop Malicious Processes

1. Press Ctrl + Shift + Esc to open Task Manager.
2. Go to the Processes tab (or Details in Windows 10/11).
3. Look for suspicious processes using high CPU or memory, or with unfamiliar names.
4. Right-click on the suspicious process and select Open File Location.
5. If the file is in a temporary or system folder and looks unfamiliar, it is likely malicious.
6. Right-click the process and choose End Task.
7. Delete the associated file in File Explorer.

---

Step 3: Remove Trojan-Related Files and Folders

1. Press Win + R, type %temp%, and press Enter.
2. Delete all files in the Temp folder.
3. Also check these directories for unfamiliar or recently created files:
   • C:\Users\YourUser\AppData\Local\Temp
   • C:\Windows\Temp
   • C:\Program Files (x86)
   • C:\ProgramData
   • C:\Users\YourUser\AppData\Roaming
4. Delete suspicious files or folders.

---

Step 4: Clean Trojan Malware from Registry

1. Press Win + R, type regedit, and press Enter.
2. Navigate to the following paths:
   • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
   • HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
3. Look for entries launching files from suspicious locations.
4. Right-click and delete any entries you don’t recognize.

Warning: Editing the registry can harm your system if done improperly. Proceed with caution.

---

Step 5: Reset Browser Settings

Google Chrome

1. Go to Settings > Reset Settings.
2. Click Restore settings to their original defaults and confirm.

Mozilla Firefox

1. Go to Help > More Troubleshooting Information.
2. Click Refresh Firefox.

Microsoft Edge

1. Go to Settings > Reset settings.
2. Click Restore settings to their default values.

---

Step 6: Run a Full Windows Defender Scan

1. Open Windows Security via Settings > Update & Security.
2. Click Virus & threat protection.
3. Choose Scan options, select Full scan, and click Scan now.

---

Step 7: Update Windows and Installed Software

1. Press Win + I, go to Update & Security > Windows Update.
2. Click Check for updates and install all available updates.

---

Automatic Trojan Removal Using SpyHunter

If manually removing the Trojan seems difficult or time-consuming, using SpyHunter is the recommended method. SpyHunter is an advanced anti-malware tool that detects and eliminates Trojan infections effectively.

Step 1: Download SpyHunter

Use the following official link to download SpyHunter: Download SpyHunter

For full instructions on how to install, follow this page: Official SpyHunter Download Instructions

---

Step 2: Install SpyHunter

1. Locate the SpyHunter-Installer.exe file in your Downloads folder.
2. Double-click the installer to begin setup.
3. Follow the on-screen prompts to complete the installation.

---

Step 3: Scan Your System

1. Open SpyHunter.
2. Click Start Scan Now.
3. Let the program detect all threats, including Trojan components.

---

Step 4: Remove Detected Malware

1. After the scan, click Fix Threats.
2. SpyHunter will automatically quarantine and remove all identified malicious components.

---

Step 5: Restart Your Computer

Restart your system to ensure all changes take effect and the threat is completely removed.

---

Tips to Prevent Future Trojan Infections

• Avoid downloading pirated software or opening unknown email attachments.
• Only visit trusted websites and avoid clicking on suspicious ads or pop-ups.
• Use a real-time antivirus solution like SpyHunter for ongoing protection.
• Keep your operating system, browsers, and software up to date.

Conclusion

Skitnet represents a new wave of sophisticated backdoor malware that combines advanced programming techniques with stealthy communication methods. Its adoption by prominent ransomware groups underscores the importance of robust cybersecurity measures and user awareness. Regular system scans with reputable anti-malware tools like SpyHunter are essential to detect and eliminate such threats.