Radware’s Threat Research has recently discovered a new botnet, dubbed DarkSky. DarkSky features several evasion mechanisms, a malware downloader and a variety of network- and application-layer DDoS attack vectors. This bot is now available for sale for less than $20 over the Darknet.
As published by its authors, this malware is capable of running under Windows XP/7/8/10, both x32 and x64 versions, and has anti-virtual machine capabilities to evade security controls such as a sandbox, thereby allowing it to only infect ‘real’ machines.
Radware has been monitoring this malware since its early versions in May, 2017. Developers have been enhancing its functionality and released the latest version in December, 2017. Its popularity and use is increasing.
On New Year’s Day, 2018, Radware witnessed a spike in different variants of the malware. This is suspected to be the result of an increase in sales or testing of the newer version following its launch. However all communication requests were to the same host (“http://injbot.net/”), a strong indication of “testing” samples.
Radware suspects the bot spreads via traditional means of infection such as exploit kits, spear phishing and spam emails.
- Perform DDoS Attack:
The malware is capable of performing DDoS attacks using several vectors:
- DNS Amplification
- TCP (SYN) Flood
- UDP Flood
- HTTP Flood
The server also has a “Check Host Availability” function to check if the DDoS attack succeeded. When the malware performs HTTP DDoS attack, it uses the HTTP structure seen below. In the binaries, Radware witnessed hard-coded lists of User-Agents and Referers that are randomly chosen when crafting the HTTP request.
The malware is capable of downloading malicious files from a remote server and executing the downloaded files on the infected machine. After looking at the downloaded files from several different botnets, Radware noticed cryptocurrency-related activity where some of the files are simple Monero cryptocurrency miners and others are the latest version of the “1ms0rry” malware associated with downloading miners and cryptocurrencies.
The malware can turn the infected machine to a SOCKS/HTTP proxy to route traffic through the infected machine to a remote server.
The malware has a quick and silent installation with almost no changes on the infected machine. To ensure persistence on the infected machine it will either create a new key under the registry path “RunOnce” or create a new service on the system:
- HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce\Registry Driver
- HKLM\System\CurrentControlSet\Services\Icon Codec Service\
When the malware executes, it will generate an HTTP GET request to “/activation.php?key=” with a unique User-Agent string “2zAz.” The server will then respond with a “Fake 404 Not Found” message if there are no commands to execute on the infected machine.
Communication Obfuscation Example
The GET request param value is base64 encrypted.
The final readable string contains infected machine information as well as user information. When a new command is sent from the server “200 OK,” a response return is executed with the request to download a file from the server or execute a DDoS attack (see Figure below).
When the malware executes it will perform several anti-virtual machine checks:
- Software\Microsoft\ProductId != 76487-644-3177037-23510
It will also look for the Syser kernel debugger presence searching for the following devices:
Effective DDoS Protection Essentials
- Hybrid DDoS Protection – On-premise and cloud DDoS protection for real-time DDoS attack prevention that also addresses high volume attacks and protects from pipe saturation
- Behavioral-Based Detection – Quickly and accurately identify and block anomalies while allowing legitimate traffic through
- Real-Time Signature Creation – Promptly protect from unknown threats and zero-day attacks
- A Cyber-Security Emergency Response Plan – A dedicated emergency team of experts who have experience with Internet of Things security and handling IoT outbreaks
- Intelligence on Active Threat Actors – high fidelity, correlated and analyzed date for preemptive protection against currently active known attackers.
For further network and application protection measures, Radware urges companies to inspect and patch their network in order to defend against risks and threats.
Learn More at DDoS Warriors
To know more about today’s attack vector landscape, understand the business impact of cyber-attacks or learn more about emerging attack types and tools visit DDoSWarriors.com. Created by Radware’s Emergency Response Team (ERT), it is the ultimate resource for everything security professionals need to know about DDoS attacks and cyber security.
Read “2017-2018 Global Application & Network Security Report” to learn more.
Yuval Shapira is a Security Researcher, focused on Malware Research and Cloud Security.