DarkSky Botnet

Radware’s Threat Research has recently discovered a new botnet, dubbed DarkSky. DarkSky features several evasion mechanisms, a malware downloader and a variety of network- and application-layer DDoS attack vectors. This bot is now available for sale for less than $20 over the Darknet.

As published by its authors, this malware is capable of running under Windows XP/7/8/10, both x32 and x64 versions, and has anti-virtual machine capabilities to evade security controls such as a sandbox, thereby allowing it to only infect ‘real’ machines.


Radware has been monitoring this malware since its early versions in May, 2017. Developers have been enhancing its functionality and released the latest version in December, 2017. Its popularity and use is increasing.

On New Year’s Day, 2018, Radware witnessed a spike in different variants of the malware. This is suspected to be the result of an increase in sales or testing of the newer version following its launch. However all communication requests were to the same host (“http://injbot.net/”), a strong indication of “testing” samples.

Infection Methods

Radware suspects the bot spreads via traditional means of infection such as exploit kits, spear phishing and spam emails.


  1. Perform DDoS Attack:

The malware is capable of performing DDoS attacks using several vectors:

  • DNS Amplification
  • TCP (SYN) Flood
  • UDP Flood
  • HTTP Flood
Figure 2: DarkSky attack panel

The server also has a “Check Host Availability” function to check if the DDoS attack succeeded. When the malware performs HTTP DDoS attack, it uses the HTTP structure seen below. In the binaries, Radware witnessed hard-coded lists of User-Agents and Referers that are randomly chosen when crafting the HTTP request.

Figure 3: HTTP structure
  1. Downloader

The malware is capable of downloading malicious files from a remote server and executing the downloaded files on the infected machine. After looking at the downloaded files from several different botnets, Radware noticed cryptocurrency-related activity where some of the files are simple Monero cryptocurrency miners and others are the latest version of the “1ms0rry” malware associated with downloading miners and cryptocurrencies.

Figure 4: Darksky communication to the server
  1.  Proxy

The malware can turn the infected machine to a SOCKS/HTTP proxy to route traffic through the infected machine to a remote server.

[You might also like: JenX – Los Calvos de San Calvicie]

Malware Behavior

The malware has a quick and silent installation with almost no changes on the infected machine. To ensure persistence on the infected machine it will either create a new key under the registry path “RunOnce” or create a new service on the system:

  1. HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce\Registry Driver
  2. HKLM\System\CurrentControlSet\Services\Icon Codec Service\


When the malware executes, it will generate an HTTP GET request to “/activation.php?key=” with a unique User-Agent string “2zAz.” The server will then respond with a “Fake 404 Not Found” message if there are no commands to execute on the infected machine.

Figure 5: Example of HTTP GET request and 404 Not Found

Communication Obfuscation Example

The GET request param value is base64 encrypted.

The final readable string contains infected machine information as well as user information. When a new command is sent from the server “200 OK,” a response return is executed with the request to download a file from the server or execute a DDoS attack (see Figure below).


When the malware executes it will perform several anti-virtual machine checks:

  1. VMware:
    1. Dbghelp.dll
    2. Software\Microsoft\ProductId != 76487-644-3177037-23510
  2. Vbox:
    1. VBoxService.exe
    2. VBoxHook.dll
  3. Sandboxie
    1. SbieDll.dll

It will also look for the Syser kernel debugger presence searching for the following devices:

  1. \\.\Syser
  2. \\.\SyserDbgMsg
  3. \\.\SyserBoot

[You might also like: Malware and Botnet Attack Services Found on the Darknet]


Effective DDoS Protection Essentials

  • Hybrid DDoS Protection – On-premise and cloud DDoS protection for real-time DDoS attack prevention that also addresses high volume attacks and protects from pipe saturation
  • Behavioral-Based Detection – Quickly and accurately identify and block anomalies while allowing legitimate traffic through
  • Real-Time Signature Creation – Promptly protect from unknown threats and zero-day attacks
  • A Cyber-Security Emergency Response Plan – A dedicated emergency team of experts who have experience with Internet of Things security and handling IoT outbreaks
  • Intelligence on Active Threat Actors – high fidelity, correlated and analyzed date for preemptive protection against currently active known attackers.

For further network and application protection measures, Radware urges companies to inspect and patch their network in order to defend against risks and threats.

Learn More at DDoS Warriors

To know more about today’s attack vector landscape, understand the business impact of cyber-attacks or learn more about emerging attack types and tools visit DDoSWarriors.com. Created by Radware’s Emergency Response Team (ERT), it is the ultimate resource for everything security professionals need to know about DDoS attacks and cyber security.

Read “2017-2018 Global Application & Network Security Report” to learn more.

Download Now

Yuval Shapira

Yuval Shapira is a Research Lab Team Leader in Radware's Cloud Native Protector (CNP) group. Yuval has over 10 years of experience in security research, including malware analysis and cloud security.

Contact Radware Sales

Our experts will answer your questions, assess your needs, and help you understand which products are best for your business.

Already a Customer?

We’re ready to help, whether you need support, additional services, or answers to your questions about our products and solutions.

Get Answers Now from KnowledgeBase
Get Free Online Product Training
Engage with Radware Technical Support
Join the Radware Customer Program


An Online Encyclopedia Of Cyberattack and Cybersecurity Terms

What is WAF?
What is DDoS?
Bot Detection
ARP Spoofing

Get Social

Connect with experts and join the conversation about Radware technologies.

Security Research Center