DarkSky Botnet


February 7, 2018 02:00 PM

Radware’s Threat Research has recently discovered a new botnet, dubbed DarkSky.

Download a Copy Now

Abstract

Radware’s Threat Research has recently discovered a new botnet, dubbed DarkSky. DarkSky botnet features several evasion mechanisms, a malware downloader and a variety of network- and application-layer DDoS attack vectors. This bot is now available for sale for less than $20 over the Darknet.

As published by its authors, this malware is capable of running under Windows XP/7/8/10, both x32 and x64 versions, and has anti-virtual machine capabilities to evade security controls such as a sandbox, thereby allowing it to only infect ‘real’ machines.

Background

Radware has been monitoring the DarkSky botnet malware since its early versions in May, 2017. Developers have been enhancing its functionality and released the latest version in December, 2017. Its popularity and use is increasing.

Figure 1: Differences between DarkSky versions

On New Year’s Day, 2018, Radware witnessed a spike in different variants of the malware. This is suspected to be the result of an increase in sales or testing of the newer version following its launch. However all communication requests were to the same host (“http://injbot.net/”), a strong indication of “testing” samples.

Infection Methods

Radware suspects the DarkSky botnet spreads via traditional means of infection such as exploit kits, spear phishing and spam emails.

Capabilities

1. Perform DDoS Attack:

The malware is capable of performing DDoS attacks using several vectors:

  • DNS Amplification
  • TCP (SYN) Flood
  • UDP Flood
  • HTTP Flood

Figure 2: DarkSky attack panel

The server also has a “Check Host Availability” function to check if the DDoS attack succeeded. When the Darksky botnet malware performs a HTTP DDoS attack, it uses the HTTP structure seen below. In the binaries, Radware witnessed hard-coded lists of User-Agents and Referers that are randomly chosen when crafting the HTTP request.

Figure 3: HTTP structure

2. Downloader

The DarkSky botnet malware is capable of downloading malicious files from a remote server and executing the downloaded files on the infected machine. After looking at the downloaded files from several different botnets, Radware noticed cryptocurrency-related activity where some of the files are simple Monero cryptocurrency miners and others are the latest version of the “1ms0rry” malware associated with downloading miners and cryptocurrencies.

Figure 4: Darksky communication to the server

3. Proxy

The Darksky botnet malware can turn the infected machine to a SOCKS/HTTP proxy to route traffic through the infected machine to a remote server.

Malware Behavior

The Darksky botnet malware has a quick and silent installation with almost no changes on the infected machine. To ensure persistence on the infected machine it will either create a new key under the registry path “RunOnce” or create a new service on the system:

  • HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce\Registry Driver
  • HKLM\System\CurrentControlSet\Services\Icon Codec Service\

Communication

When the Darksky botnet malware executes, it will generate an HTTP GET request to “/activation.php?key=” with a unique User-Agent string “2zAz.” The server will then respond with a “Fake 404 Not Found” message if there are no commands to execute on the infected machine.

Figure 5: Example of HTTP GET request and 404 Not Found

Communication Obfuscation Example

The GET request param value is base64 encrypted.

The final readable string contains infected machine information as well as user information. When a new command is sent from the server “200 OK,” a response return is executed with the request to download a file from the server or execute a DDoS attack (see Figure below).

Figure 6

Evasion

When the DarkSky botnet malware executes it will perform several anti-virtual machine checks:

  1. VMware:
    1. i) Dbghelp.dll
    2. ii) Software\Microsoft\ProductId != 76487-644-3177037-23510
  2. Vbox:
    1. i) VBoxService.exe
    2. ii) VBoxHook.dll
  3. Sandboxie
    1. i) SbieDll.dll

It will also look for the Syser kernel debugger presence searching for the following devices:

  1. \\.\Syser
  2. \\.\SyserDbgMsg
  3. \\.\SyserBoot

Figure 7: Indicators of Compromise

Effective DDoS Protection Essentials

  • Hybrid DDoS Protection - On-premise and DDoS protection cloud DDoS protection for real-time DDoS attack prevention that also addresses high volume attacks and protects from pipe saturation
  • Behavioral-Based Detection - Quickly and accurately identify and block anomalies while allowing legitimate traffic through
  • Real-Time Signature Creation - Promptly protect from unknown threats and zero-day attacks
  • A Cyber-Security Emergency Response Plan - A dedicated emergency team of experts who have experience with Internet of Things security and handling IoT outbreaks
  • Intelligence on Active Threat Actors – high fidelity, correlated and analyzed date for preemptive protection against currently active known attackers.

For further network and application protection measures, Radware urges companies to inspect and patch their network in order to defend against risks and threats.

Effective Web Application Security Essentials

  • Full OWASP Top-10 coverage against defacements, injections, etc.
  • Low false positive rate – using negative and positive security models for maximum accuracy
  • Auto policy generation capabilities for the widest coverage with the lowest operational effort
  • Bot protection and device fingerprinting capabilities to overcome dynamic IP attacks and achieving improved bot detection and blocking
  • Securing APIs by filtering paths, understanding XML and JSON schemas for enforcement, and activity tracking mechanisms to trace bots and guard internal resources
  • Flexible deployment options - on-premise, out-of-path, virtual or cloud-based

Under Attack and in Need of Expert Emergency Assistance? Radware Can Help

Radware offers a DDoS protection service to help respond to security emergencies, neutralize the risk and better safeguard operations before irreparable damages occur. If you’re under DDoS attack or malware outbreak and in need of emergency assistance, contact us with the code "Red Button."

Click here to download a copy of the ERT Threat Alert.

Download Now

Contact Radware Sales

Our experts will answer your questions, assess your needs, and help you understand which products are best for your business.

Already a Customer?

We’re ready to help, whether you need support, additional services, or answers to your questions about our products and solutions.

Locations
Get Answers Now from KnowledgeBase
Get Free Online Product Training
Engage with Radware Technical Support
Join the Radware Customer Program

Get Social

Connect with experts and join the conversation about Radware technologies.

Blog
Security Research Center
CyberPedia