New BITSLOTH backdoor discovered; abuses the Windows BITS service

Another nice story that I came across last week. What I had suspected for some time has been confirmed. The Background Intelligent Transfer Service (BITS) can be abused. A newly discovered Windows backdoor, BITSLOTH, uses BITS to communicate with its command-and-control (C2) servers. An intrusion into a South American government via this backdoor has now been observed. The BITSLOTH malware also contains keylogging and screen-capture functions.

What is BITS?

The acronym BITS stands for Background Intelligent Transfer Service, a Windows component and service that has shipped with every Windows version since Windows XP and is still present in Windows 10 and 11. Windows uses BITS, among other things, to download updates to a local system. The service transfers files in the background over HTTP/HTTPS (and SMB) and throttles itself to otherwise idle network bandwidth, so its transfers are not supposed to degrade other network activity. Jobs survive reboots and are resumed automatically, which is exactly what makes the service attractive for both update mechanisms and malware.

The service is used, for example, by Windows Update, Microsoft Update, Windows Server Update Services (WSUS) and Systems Management Server (SMS, now Configuration Manager) to distribute software updates. Microsoft Security Essentials also used it to fetch signature files. BITS is exposed through a COM interface, which makes it accessible from many programming languages; Windows additionally ships the bitsadmin.exe command-line tool and the BitsTransfer PowerShell module on top of that interface.

The BITSLOTH backdoor

Elastic Security Labs recently discovered a new Windows backdoor that uses the Background Intelligent Transfer Service (BITS) to communicate with its command-and-control (C2) servers. The malware was found while analyzing an intrusion that Elastic tracks as REF8747. The findings are published in the Elastic Security Labs article BITS and Bytes: Analyzing BITSLOTH, a newly identified backdoor.


Elastic Security Labs observed the backdoor activity on June 25, 2024 while investigating a compromised system at the foreign ministry of a South American government. The intrusion is tracked as REF8747, and BITSLOTH was found installed in the victim's server environment.

The analysis indicates that initial access was obtained by executing PSEXEC on one of the affected endpoints. For most of their operations the attackers relied on publicly available tools, but they also deployed BITSLOTH as a backdoor, which in turn used the Windows BITS service for its C2 communication.

During the analysis, the researchers found several older BITSLOTH samples indicating that development goes back to at least December 2021. The developers refer to BITSLOTH as the "slaver" and to their command-and-control server as the "master". According to the analysis, the backdoor:

  • executes commands, either directly or by handing them to other components
  • uploads and downloads files
  • performs enumeration and discovery on the host
  • collects sensitive data through keylogging and screen capture.

In their article, the researchers describe the findings of the malware analysis in detail and note, for example, that a mutex (mutual exclusion lock) ensures that only one instance of the backdoor runs at a time. The article also covers how to detect an infection and provides YARA rules for the samples.
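The BITSLOTH-specific YARA rules are in Elastic's article. What a practitioner will also want, independent of this particular sample, is a generic check for BITS abuse on a host, since the same service interface described above (COM, bitsadmin.exe, the BitsTransfer PowerShell module) is what any BITS-based C2 or persistence uses. The following is an added example, not code from the original post or from Elastic's write-up. It lists live BITS jobs for all users and flags those whose remote URLs are outside a host allowlist, that upload rather than download, or that carry a NotifyCmdLine (a program BITS runs when the job finishes, a known persistence technique tracked as MITRE ATT&CK T1197). It then applies the same URL check to the Microsoft-Windows-Bits-Client/Operational event log, where events 59 and 60 record the URL of each transfer, so jobs that have already completed and been removed are still caught. The allowlist and the seven-day lookback are assumptions to adapt to your environment.

```powershell
# Added example (not from the original post or from Elastic's article):
# hunt for signs of BITS abuse on a Windows host. Run elevated so that
# jobs owned by other accounts (e.g. SYSTEM) are visible.
param(
    # Assumption: illustrative allowlist of hosts that legitimate jobs talk to.
    [string[]]$AllowedHosts = @('*.windowsupdate.com', '*.microsoft.com', '*.windows.com'),
    # Assumption: how far back to search the Bits-Client operational log.
    [int]$EventLookbackDays = 7
)

function Test-AllowedHost {
    param([string]$Url)
    try { $hostName = ([uri]$Url).Host } catch { return $false }
    if (-not $hostName) { return $false }
    foreach ($pattern in $AllowedHosts) {
        if ($hostName -like $pattern) { return $true }
    }
    return $false
}

$findings = @()

# --- 1. Live jobs, via the BitsTransfer module (PowerShell front end to the BITS COM API)
Import-Module BitsTransfer
$jobs = Get-BitsTransfer -AllUsers -ErrorAction SilentlyContinue
foreach ($job in $jobs) {
    $reasons = @()
    foreach ($file in $job.FileList) {
        if (-not (Test-AllowedHost $file.RemoteName)) {
            $reasons += "remote URL not allowlisted: $($file.RemoteName)"
        }
    }
    # Upload jobs are rare on workstations and fit C2-style exfiltration.
    if ($job.TransferType -ne 'Download') {
        $reasons += "transfer type $($job.TransferType)"
    }
    # NotifyCmdLine runs an arbitrary program on completion (persistence, T1197).
    if ($job.NotifyCmdLine) {
        $reasons += "NotifyCmdLine set: $($job.NotifyCmdLine)"
    }
    if ($reasons.Count -gt 0) {
        $findings += [pscustomobject]@{
            Source  = 'LiveJob'
            Id      = $job.JobId
            Name    = $job.DisplayName
            Owner   = $job.OwnerAccount
            State   = $job.JobState
            When    = $job.CreationTime
            Reasons = ($reasons -join '; ')
        }
    }
}

# --- 2. Event log: events 59 (transfer started) and 60 (transfer stopped) carry the URL
$filter = @{
    LogName   = 'Microsoft-Windows-Bits-Client/Operational'
    Id        = 59, 60
    StartTime = (Get-Date).AddDays(-$EventLookbackDays)
}
$events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue
foreach ($evt in $events) {
    # Pull the URL out of the message text rather than relying on property order.
    $m = [regex]::Match($evt.Message, 'https?://[^\s"'']+')
    if (-not $m.Success) { continue }
    $url = $m.Value
    if (Test-AllowedHost $url) { continue }
    $findings += [pscustomobject]@{
        Source  = 'EventLog'
        Id      = $evt.Id
        Name    = ''
        Owner   = $evt.UserId
        State   = ''
        When    = $evt.TimeCreated
        Reasons = "Bits-Client event $($evt.Id) with non-allowlisted URL: $url"
    }
}

$findings | Sort-Object When | Format-Table -AutoSize
```

For a quick manual look without the module, `bitsadmin /list /allusers /verbose` prints the same job details (including notification command lines and remote URLs). Note that a clean result from step 1 alone proves little: a backdoor can create a job, let it complete and delete it within seconds, which is why the event-log pass matters. Forwarding the Bits-Client operational log to a SIEM and alerting on URLs outside the allowlist is the durable version of this check.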
