
    New Windows Backdoor BITSLOTH Utilizes BITS for Covert Communication

    Cybersecurity researchers have uncovered a previously undocumented Windows backdoor, named BITSLOTH, which abuses the Background Intelligent Transfer Service (BITS) for stealthy command-and-control (C2) communication. Elastic Security Labs discovered the malware on June 25, 2024, while investigating an attack on the Foreign Ministry of an unnamed South American government. The activity is tracked as REF8747.

    According to security researchers Seth Goodwin and Daniel Stepanic, “The latest version of the backdoor features 35 handler functions, including keylogging and screen capture capabilities. BITSLOTH also has a range of functionalities for system discovery, enumeration, and command-line execution.”

    The tool, believed to have been in development since December 2021, is primarily used for data gathering. The identity of the operators remains unknown, but analysis of the code revealed logging functions and strings that suggest the authors may be Chinese speakers.

    Further evidence pointing to China is the use of RingQ, an open-source tool that encrypts a payload to evade security products and then decrypts and executes it directly in memory.

    In June 2024, the AhnLab Security Intelligence Center (ASEC) reported that vulnerable web servers are being exploited to deploy web shells, which subsequently deliver additional payloads like a cryptocurrency miner via RingQ. These attacks have been attributed to a Chinese-speaking threat actor.

    The attack is also noteworthy for its use of STOWAWAY to proxy encrypted C2 traffic over HTTP, and of iox, a port-forwarding utility that the Chinese cyber espionage group Bronze Starlight (also known as Emperor Dragonfly) has used in Cheerscrypt ransomware attacks.

    BITSLOTH is disguised as a DLL file (“flengine.dll”) and is loaded using DLL side-loading techniques through a legitimate executable associated with Image-Line’s FL Studio (“fl.exe”).
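The loading chain described above is something a hunt can look for directly. The following is an added example, not code from the page or from Elastic Security Labs: a Python check over constructed Sysmon Event ID 7 (image load) records that flags a DLL loaded from the same directory as its host process when that directory lies outside the standard install roots and the DLL carries no valid signature, which is exactly how a renamed host binary plus a dropped "flengine.dll" would look. The sample paths, signer strings, and the trusted-root list are assumptions for illustration.

```python
from typing import Dict, List

# Constructed Sysmon Event ID 7 (Image loaded) records, cut down to the fields
# this check uses. Paths and signer strings are illustrative, not observed data.
SAMPLE_IMAGE_LOADS: List[Dict[str, str]] = [
    {   # benign: FL Studio loading its own engine DLL from the install directory
        "Image": r"C:\Program Files\Image-Line\FL Studio\fl.exe",
        "ImageLoaded": r"C:\Program Files\Image-Line\FL Studio\flengine.dll",
        "Signed": "true", "Signature": "Image-Line", "SignatureStatus": "Valid",
    },
    {   # suspicious: fl.exe copied to a user-writable folder, loading an
        # unsigned flengine.dll dropped beside it (the side-loading pattern)
        "Image": r"C:\Users\Public\Music\fl.exe",
        "ImageLoaded": r"C:\Users\Public\Music\flengine.dll",
        "Signed": "false", "Signature": "", "SignatureStatus": "Unavailable",
    },
    {   # benign: the BITS service host loading its own DLL from System32
        "Image": r"C:\Windows\System32\svchost.exe",
        "ImageLoaded": r"C:\Windows\System32\qmgr.dll",
        "Signed": "true", "Signature": "Microsoft Windows", "SignatureStatus": "Valid",
    },
]

# Assumed trusted install roots; tune to your own fleet's baseline.
TRUSTED_ROOTS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")


def _dirname(path: str) -> str:
    """Directory part of a Windows path, lower-cased for comparison."""
    return path.rsplit("\\", 1)[0].lower()


def is_suspicious_sideload(ev: Dict[str, str]) -> bool:
    """True when a DLL with no valid signature is loaded from the host
    process's own directory and that directory is outside the trusted roots."""
    host_dir = _dirname(ev["Image"])
    same_dir = host_dir == _dirname(ev["ImageLoaded"])
    untrusted = not (host_dir + "\\").startswith(TRUSTED_ROOTS)
    unsigned = ev.get("SignatureStatus", "").lower() != "valid"
    return same_dir and untrusted and unsigned


def find_sideloads(events: List[Dict[str, str]]) -> List[str]:
    """Return the ImageLoaded paths that match the side-loading heuristic."""
    return [ev["ImageLoaded"] for ev in events if is_suspicious_sideload(ev)]


if __name__ == "__main__":
    for dll in find_sideloads(SAMPLE_IMAGE_LOADS):
        print("possible DLL side-load:", dll)
```

Portable applications and unsigned plugins in user directories will also match, so in practice pair this with the host binary's own signer (Sysmon Event ID 1 carries it) and with how many hosts in the fleet show the same DLL hash before treating a hit as BITSLOTH.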

    The researchers noted, “In the latest version, the developer added a new scheduling component to control specific times when BITSLOTH should operate within a victim’s environment. This is a feature observed in other modern malware families like EAGERBEE.”

    As a fully-featured backdoor, BITSLOTH can execute commands, upload and download files, perform system discovery and enumeration, and harvest sensitive data through keylogging and screen capturing. It can also configure its communication mode to HTTP or HTTPS, modify or remove its persistence, terminate arbitrary processes, log off users, restart or shut down the system, and even update or delete itself from the host. A key characteristic of the malware is its utilization of BITS for C2 communication.

    “This method is attractive to adversaries because many organizations still struggle to monitor BITS network traffic and detect unusual BITS jobs,” the researchers concluded.
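The closing observation, that unusual BITS jobs go unnoticed, is where a hunt should start. The following Python is an added example, not code from the page or from Elastic Security Labs: it parses constructed Microsoft-Windows-Bits-Client/Operational Event ID 59 ("BITS started the ... transfer job ...") records, discards jobs to an assumed allowlist of update hosts, and raises a finding for the rest, weighting IP-literal hosts and a user repeatedly starting jobs to the same unlisted host, the polling shape a BITS-based C2 channel produces. The message wording the regex expects, the allowlist, the threshold, and the sample records (192.0.2.10 is a documentation address) are all assumptions; adjust the pattern to the exact text your Windows build logs.

```python
import ipaddress
import re
from collections import defaultdict
from typing import Dict, List, Optional, Tuple
from urllib.parse import urlsplit

# Constructed Microsoft-Windows-Bits-Client/Operational records as
# (timestamp, event_id, user, message). 192.0.2.0/24 is a documentation range.
_C2 = "https://192.0.2.10/update/check.txt"
SAMPLE_BITS_EVENTS: List[Tuple[str, int, str, str]] = [
    ("2024-06-25T10:00:01Z", 59, r"NT AUTHORITY\SYSTEM",
     "BITS started the WU Client Download transfer job that is associated with "
     "the http://download.windowsupdate.com/d/msdownload/update/x.cab URL."),
    ("2024-06-25T10:05:00Z", 59, r"CORP\jdoe",
     f"BITS started the Updater transfer job that is associated with the {_C2} URL."),
    ("2024-06-25T10:05:04Z", 60, r"CORP\jdoe",   # stop event: not a job start, ignored
     f"BITS stopped transferring the Updater transfer job that is associated with the {_C2} URL. The status code is 0x0."),
    ("2024-06-25T10:10:00Z", 59, r"CORP\jdoe",
     f"BITS started the Updater transfer job that is associated with the {_C2} URL."),
    ("2024-06-25T10:15:00Z", 59, r"CORP\jdoe",
     f"BITS started the Updater transfer job that is associated with the {_C2} URL."),
    ("2024-06-25T10:20:00Z", 59, r"CORP\jdoe",
     f"BITS started the Updater transfer job that is associated with the {_C2} URL."),
    ("2024-06-25T11:00:00Z", 59, r"CORP\jdoe",
     "BITS started the Vendor Sync transfer job that is associated with the "
     "https://files.example.net/catalog.xml URL."),
]

# Assumed baseline of hosts that legitimately use BITS here; build yours from your fleet.
ALLOWED_HOST_SUFFIXES = ("windowsupdate.com", "update.microsoft.com", "delivery.mp.microsoft.com")
BEACON_THRESHOLD = 3  # assumed: this many starts to one unlisted host warrants a ticket

# Assumed layout of the Event ID 59 message text.
START_RE = re.compile(
    r"^BITS started the (?P<job>.+?) transfer job that is associated with the (?P<url>\S+) URL\.?$"
)


def parse_start_event(message: str) -> Optional[Tuple[str, str, str]]:
    """Return (job title, url, host) from an Event ID 59 message, or None."""
    m = START_RE.match(message)
    if not m:
        return None
    url = m.group("url")
    return m.group("job"), url, (urlsplit(url).hostname or "")


def host_is_allowed(host: str) -> bool:
    """Suffix match against the allowlist; 'evilwindowsupdate.com' must not pass."""
    h = host.lower()
    return any(h == s or h.endswith("." + s) for s in ALLOWED_HOST_SUFFIXES)


def is_ip_literal(host: str) -> bool:
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def hunt_bits_jobs(events: List[Tuple[str, int, str, str]]) -> List[Dict]:
    """Group job starts by (user, host) and report every unlisted destination."""
    starts = defaultdict(list)
    for ts, event_id, user, msg in events:
        if event_id != 59:
            continue
        parsed = parse_start_event(msg)
        if parsed is None:
            continue
        job, url, host = parsed
        if host_is_allowed(host):
            continue
        starts[(user, host)].append((ts, job, url))

    findings = []
    for (user, host), hits in sorted(starts.items()):
        reasons = ["host not in BITS allowlist"]
        if is_ip_literal(host):
            reasons.append("raw IP literal")
        if len(hits) >= BEACON_THRESHOLD:
            reasons.append(f"{len(hits)} jobs to the same host (possible C2 polling)")
        findings.append({"user": user, "host": host, "count": len(hits),
                         "jobs": sorted({j for _, j, _ in hits}), "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in hunt_bits_jobs(SAMPLE_BITS_EVENTS):
        print(f"{f['user']} -> {f['host']} x{f['count']}: {'; '.join(f['reasons'])}")
```

On a live host the same records come from `Get-WinEvent -LogName Microsoft-Windows-Bits-Client/Operational`, and currently queued jobs from `Get-BitsTransfer -AllUsers` run as an administrator; exporting either to JSON and feeding it through `hunt_bits_jobs` is the simplest way to get a fleet-wide view of which users and hosts are talking over BITS at all.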
