“The author (of the malware) sells both the server code and the malware itself,” researchers added. “The server automatically wipes SSH connection logs, IP addresses, command history logs, and cache, to avoid leaving any traces that could be used in forensic investigation.”
Additional commands for remote access
Skitnet also has commands to quietly install and launch signed versions of remote desktop tools like AnyDesk or RUT, allowing attackers to gain remote access to infected systems.
“The inclusion of remote access capabilities via AnyDesk and RUT-Serv, along with commands for data exfiltration and security product enumeration, highlights the malware’s versatility,” researchers said. “Skitnet’s persistence mechanisms, including DLL hijacking and PowerShell-based execution, ensure that it remains active on compromised systems.”
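A defender-side illustration of the two behaviours described above (remote-access tools such as AnyDesk and RUT-Serv being installed by the malware, and PowerShell-based execution): a small triage script that scans process-creation events and flags a remote-desktop binary when it is spawned by a script host or runs from outside its normal install directory. This is an added example, not code from the article or the researchers; the executable names (AnyDesk.exe, rutserv.exe), the field layout of the events and the sample events themselves are assumptions constructed for the demonstration.

```python
import re

# Constructed sample of process-creation events (Sysmon Event ID 1 style,
# flattened to "Key=Value" pairs on one line). Not real logs from the article.
SAMPLE_EVENTS = [
    "ParentImage=C:\\Windows\\explorer.exe Image=C:\\Program Files (x86)\\AnyDesk\\AnyDesk.exe User=CORP\\alice",
    "ParentImage=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe Image=C:\\Users\\Public\\AnyDesk.exe User=CORP\\bob",
    "ParentImage=C:\\Windows\\System32\\services.exe Image=C:\\Users\\bob\\AppData\\Local\\Temp\\rutserv.exe User=NT AUTHORITY\\SYSTEM",
    "ParentImage=C:\\Windows\\System32\\cmd.exe Image=C:\\Windows\\System32\\notepad.exe User=CORP\\carol",
]

# Remote-access tools named in the article; the executable names are assumed.
RAT_BINARIES = {"anydesk.exe", "rutserv.exe"}
# Parent processes that indicate script-driven (e.g. PowerShell-based) launch.
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe"}
# Directories where an IT-deployed remote-desktop tool would normally reside.
EXPECTED_DIRS = ("c:\\program files\\", "c:\\program files (x86)\\")

# Splits "Key=Value Key=Value" while allowing spaces inside values.
FIELD_RE = re.compile(r"(\w+)=(.*?)(?= \w+=|$)")


def parse_event(line):
    """Return the event as a dict of field name -> value."""
    return dict(FIELD_RE.findall(line))


def basename(path):
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def classify(event):
    """Return the list of reasons an event is suspicious (empty if benign)."""
    image = event.get("Image", "")
    parent = event.get("ParentImage", "")
    if basename(image) not in RAT_BINARIES:
        return []
    reasons = []
    if basename(parent) in SCRIPT_HOSTS:
        reasons.append("launched by script host " + basename(parent))
    if not image.lower().startswith(EXPECTED_DIRS):
        reasons.append("running from non-standard path " + image)
    return reasons


def find_suspicious(lines):
    """Return (binary, reasons) for every event that trips a heuristic."""
    hits = []
    for line in lines:
        event = parse_event(line)
        reasons = classify(event)
        if reasons:
            hits.append((basename(event["Image"]), reasons))
    return hits
```

A legitimately deployed AnyDesk started by the user from Program Files produces no hit, so the heuristic keys on context (parent process and path) rather than on the tool's presence alone.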