DarkSky botnet spotted evading security measures
DarkSky botnet spotted evading security measures

A new botnet has been discovered by security researchers that has anti-virtual machine capabilities to evade security controls such as a sandbox.

According to a report released by Radware, the malware, dubbed DarkSky, features several evasion mechanisms, a malware downloader and a variety of network- and application-layer DDoS attack vectors. The company said that the bot is now available for sale for less than US$ 20 (£15) over the Darknet.

According to Yuval Shapira a security researcher at Radware, DarkSky  is capable of running under Windows XP/7/8/10, both x32 and x64 versions, and has anti-virtual machine capabilities to evade security controls such as a sandbox, thereby allowing it to only infect ‘real' machines.

The company has been tracking the malware since its early versions in May 2017. Shapira said that developers of the malware have been enhancing its functionality and released the latest version in December 2017. He added that its popularity and use is increasing.

According to Shapira, the bot is suspected of spreading via traditional means of infection such as exploit kits, spear phishing and spam emails.

It can perform DDoS attacks using several vectors, such as DNS Amplification, TCP (SYN) Flood, UDP Flood, and HTTP Flood attacks. The server the malware communicates with also has a “Check Host Availability” function to check if the DDoS attack succeeded.

DarkSky can download malicious files from a remote server and executing the downloaded files on the infected machine. 

“After looking at the downloaded files from several different botnets, Radware noticed cryptocurrency-related activity where some of the files are simple Monero cryptocurrency miners and others are the latest version of the “1ms0rry” malware associated with downloading miners and cryptocurrencies,” said Shapira.

The malware can turn the infected machine to a SOCKS/HTTP proxy to route traffic through the infected machine to a remote server.

Shapira said that the malware installs silently with almost no changes on the infected machine. To ensure persistence on the infected machine it will either create a new key under the registry path “RunOnce” or create a new service on the system.

“When the malware executes, it will generate an HTTP GET request to “/activation.php?key=” with a unique User-Agent string “2zAz.” The server will then respond with a “Fake 404 Not Found” message if there are no commands to execute on the infected machine,” he said.

When DarkSky executes it will perform several anti-virtual machine checks looking for instances of VMware, Vbox and Sandboxie. It will also look for the Syser kernel debugger.

Shapira said that organisations should protect against the malware by using hybrid DDoS protection, behavioural-based detection, real-time signature creation, and a cybersecurity emergency response plan.

Fraser Kyne, EMEA CTO, Bromium, told SC Media UK that malware writers are increasingly proficient at avoiding detection and evading tools like sandboxes. 

“You're relying on detection to determine whether something is good or bad. This is a cat and mouse game; and the bad guys are winning. Also, typically sandboxes are software abstractions running within the OS. Unfortunately, you can't robustly protect Windows in Windows. The attack surface is too big; including the kernel itself. Microsoft themselves realise this, which is why they are increasingly focusing on Virtualisation Based Security in Windows 10,” he said. 

Caleb Fenton, Threat Team lead at SentinelOne, told SC Media UK that ultimately, no security product can perfectly defend against all attacks.

“The industry is moving towards providing  network administrators with visibility into their own networks and endpoints which empowers them to suss out potential intrusions and infected machines. This means in the worst case where a security product misses an infection, the administrators still have a chance of detecting and dealing with the problem before it spreads and does more damage,” he said.