DarkSky Botnet

DarkSky is a botnet that can perform distributed denial of service (DDoS) attacks, download malicious files and turn devices into proxies for carrying further malicious traffic.

Threat ID:: CC-2038
Category:
Threat Severity:: Medium
Threat Vector:
Published:: 14 February 2018 12:00 AM

Report a cyber attack: call 0300 303 5222 or email [email protected]

This content has been archived

This article no longer conforms to NHS Digital's standards for cyber alerts, and may contain outdated or inaccurate information. Use of this information contained in this page is at your own risk

Summary

DarkSky is a botnet that can perform distributed denial of service (DDoS) attacks, download malicious files and turn devices into proxies for carrying further malicious traffic.

Affected platforms

The following platforms are known to be affected:

Microsoft Windows

Microsoft Windows - all versions

Threat details

The malware has been under active development since May 2017 and is publicly available to threat actors for a fee. It is believed to spread via exploit kits, spear phishing and spam emails.

Infection with DarkSky can be difficult to notice as it installs quickly and silently, with very few changes to the compromised device. To maintain persistence on the device it either creates a new key under the registry path 'RunOnce' or creates a new service on the system.

When a device has been infected, it produces a HTTP GET request to the Command and Control Server at /activation.php?key= with the unique User-Agent string 2zAz.

The device can be remotely controlled by the attacker to perform DDoS attacks using a variety of methods and then check if the attack has succeeded. DarkSky can also download and execute malicious files from a remote server, including keyloggers and cryptocurrency mining malware. It can also run a SOCKS/HTTP proxy to route traffic through the infected device to a remote server.

DarkSky features several security evasion techniques including anti-virtual machine capabilities and checks for other security tools.

Remediation advice

To prevent, detect and mitigate an infection, ensure that:

Remediation steps

Type	Step
	A robust program of education and awareness training is delivered to users to ensure they don’t open attachments or follow links within unsolicited emails. All operating systems, antivirus and other security products are kept up to date. All day to day computer activities such as email and internet are performed using non-administrative accounts. Strong password policies are in place and password reuse is discouraged. Network, proxy and firewall logs should be monitored for suspicious activity. User accounts accessed from infected machines should be reset on a clean computer. Effective DDoS protection is in place including hybrid DDoS protection, behavioural based detection and real-time signature creation.

Type

Step

A robust program of education and awareness training is delivered to users to ensure they don’t open attachments or follow links within unsolicited emails.
All operating systems, antivirus and other security products are kept up to date.
All day to day computer activities such as email and internet are performed using non-administrative accounts.
Strong password policies are in place and password reuse is discouraged.
Network, proxy and firewall logs should be monitored for suspicious activity.
User accounts accessed from infected machines should be reset on a clean computer.
Effective DDoS protection is in place including hybrid DDoS protection, behavioural based detection and real-time signature creation.

Last edited: 17 February 2020 12:41 pm