Radware has been monitoring the DarkSky botnet malware since its early versions in May 2017. Its developers have been enhancing its functionality and released the latest version in December 2017.

Figure 1: Differences between DarkSky versions

Its popularity and use are increasing. On New Year's Day 2018, Radware witnessed a spike in different variants of the malware. This is suspected to be the result of an increase in sales, or of testing of the newer version following its launch. However, all communication requests were to the same host (“”), a strong indication of “testing” samples. Radware suspects the DarkSky botnet spreads via traditional means of infection such as exploit kits, spear phishing and spam emails.

In the binaries, Radware witnessed hard-coded lists of User-Agents and Referers, from which a value is randomly chosen each time an HTTP request is crafted. When the DarkSky botnet malware performs an HTTP DDoS attack, it uses the HTTP structure seen below. The server also has a “Check Host Availability” function that checks whether the target still responds, i.e. whether the DDoS attack succeeded.
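A defender can turn the header-rotation behaviour described above into a detection: a single source that sends many requests in a short window while cycling through many distinct User-Agent and Referer values looks nothing like a browser session, which keeps one User-Agent. The following is an added example written for this page, not Radware's code and not anything taken from the botnet; the combined-format log layout, the thresholds and the sample log lines are assumptions constructed for illustration.

```python
"""Heuristic detector for an HTTP flood whose bots pick a User-Agent and
Referer at random from hard-coded lists for every request.

Added example; not Radware's or the malware's code. The log format
(Apache/nginx "combined"), the thresholds and the sample traffic below are
assumptions made for illustration only.
"""
import re
from collections import defaultdict
from datetime import datetime

# Combined log format (assumed here; adjust the pattern for your server).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Return a dict for one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
    return rec


def find_rotating_flooders(lines, window_s=60, min_requests=20, min_distinct_ua=5):
    """Flag source IPs that send >= min_requests within any window_s-second span
    AND present >= min_distinct_ua different User-Agent strings.

    Rate alone also catches busy but legitimate crawlers; the User-Agent
    churn is what separates a list-rotating bot from them. Returns {ip: stats}.
    Thresholds are assumed starting points, not tuned values.
    """
    per_ip = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec:
            per_ip[rec["ip"]].append(rec)

    flagged = {}
    for ip, recs in per_ip.items():
        recs.sort(key=lambda r: r["ts"])
        # Sliding window: densest window_s-second span for this source.
        peak, j = 0, 0
        for i in range(len(recs)):
            while (recs[i]["ts"] - recs[j]["ts"]).total_seconds() > window_s:
                j += 1
            peak = max(peak, i - j + 1)
        if peak < min_requests:
            continue
        uas = {r["ua"] for r in recs}
        if len(uas) < min_distinct_ua:
            continue
        pairs = {(r["ua"], r["referer"]) for r in recs}
        flagged[ip] = {
            "requests": len(recs),
            "peak_in_window": peak,
            "distinct_user_agents": len(uas),
            "distinct_header_pairs": len(pairs),
        }
    return flagged


# Constructed sample traffic (not real log data). 203.0.113.5 plays a bot
# rotating through hard-coded lists; 198.51.100.7 is a busy but consistent
# crawler; 192.0.2.9 is a low-volume user.
_UAS = [
    "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36",
    "Mozilla/5.0 (X11; Linux x86_64) Gecko/20100101 Firefox/57.0",
    "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13) Safari/604.1",
    "Opera/9.80 (Windows NT 6.1) Presto/2.12.388 Version/12.16",
    "Mozilla/5.0 (iPhone; CPU iPhone OS 11_2 like Mac OS X) Mobile/15C114",
    "Mozilla/5.0 (Android 8.0; Mobile; rv:57.0) Gecko/57.0 Firefox/57.0",
]
_REFS = ["https://www.google.com/", "https://www.bing.com/",
         "https://www.facebook.com/", "https://twitter.com/", "-"]


def _line(ip, sec, ua, ref):
    return (f'{ip} - - [01/Jan/2018:00:00:{sec:02d} +0000] "GET / HTTP/1.1" '
            f'200 512 "{ref}" "{ua}"')


# The bot's picks are made deterministic here so the sample is reproducible.
SAMPLE_LOG = (
    [_line("203.0.113.5", i, _UAS[i % 6], _REFS[i % 5]) for i in range(30)]
    + [_line("198.51.100.7", i, _UAS[0], "-") for i in range(30)]
    + [_line("192.0.2.9", i * 10, _UAS[1], _REFS[0]) for i in range(5)]
)

if __name__ == "__main__":
    for ip, stats in find_rotating_flooders(SAMPLE_LOG).items():
        print(ip, stats)
```

Run against the constructed sample, only 203.0.113.5 is reported: the crawler is just as fast but keeps one User-Agent, and the user never reaches the request threshold. On real traffic, carrier-grade NAT and corporate proxies also put many User-Agents behind one address, so treat a hit as a lead to correlate with request targets and the "Check Host Availability" probing pattern, not as a block decision on its own.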