Its popularity and use is increasing.įigure 1: Differences between DarkSky versions Developers have been enhancing its functionality and released the latest version in December, 2017. On New Year’s Day, 2018, Radware witnessed a spike in different variants of the malware. It belongs to a set of tools including tutorials that allow any Internet user to launch denial-of-service attacks against any target.
One of these tools is the Anonymous Ping Attack program, which is freely available on the web and free to download. This is suspected to be the result of an increase in sales or testing of the newer version following its launch. The Anonymous group has been making its DoS programs available to the general public for years. However all communication requests were to the same host (“”), a strong indication of “testing” samples. Radware suspects the DarkSky botnet spreads via traditional means of infection such as exploit kits, spear phishing and spam emails. The server also has a “Check Host Availability” function to check if the DDoS attack succeeded. When the Darksky botnet malware performs a HTTP DDoS attack, it uses the HTTP structure seen below. In the binaries, Radware witnessed hard-coded lists of User-Agents and Referers that are randomly chosen when crafting the HTTP request.
After looking at the downloaded files from several different botnets, Radware noticed cryptocurrency-related activity where some of the files are simple Monero cryptocurrency miners and others are the latest version of the “1ms0rry” malware associated with downloading miners and cryptocurrencies.įigure 4: Darksky communication to the server The DarkSky botnet malware is capable of downloading malicious files from a remote server and executing the downloaded files on the infected machine. The Darksky botnet malware can turn the infected machine to a SOCKS/HTTP proxy to route traffic through the infected machine to a remote server. The Darksky botnet malware has a quick and silent installation with almost no changes on the infected machine.