Discovered by Radware Threat Research, DarkSky is a botnet capable of downloading additional malware onto infected hosts, conducting several network- and application-layer distributed denial-of-service (DDoS) attacks, and detecting and evading security controls such as sandboxes and virtual machines. It is advertised for sale on the dark web for $20. Much of the malware that DarkSky can download onto targeted systems is associated with cryptocurrency-mining activity. The DDoS attacks DarkSky can perform include DNS amplification, TCP SYN flood, UDP flood, and HTTP flood. The botnet can also check whether a DDoS attack succeeded and turn infected systems into a SOCKS/HTTP proxy that routes traffic to a remote server.
To mitigate persistent DDoS threats, the NJCCIC recommends that organizations consider establishing a support relationship with their Internet Service Provider (ISP) as well as with a third-party DDoS mitigation service. To protect systems against cryptocurrency-mining malware, run reputable and up-to-date antivirus software to detect infections, and monitor system CPU usage for sustained spikes in activity.
Reporting and Technical Details:
- February 2018: DarkSky Botnet (Radware)
Image Source: Radware