
Windows Backdoor: Threat Actors Exploit BITS As C2 Mechanism

Wajahat Raja

August 13, 2024 - TuxCare expert team

According to recent reports, cybersecurity researchers at Elastic Security Labs have discovered a new Windows backdoor. It abuses a built-in Windows feature, the Background Intelligent Transfer Service (BITS), as its command-and-control (C2) mechanism. In this article, we’ll look at the details of the Windows backdoor and the threats it entails. Let’s begin!

The BITS Windows Backdoor Initial Discovery

According to the information available, the Windows backdoor was identified on June 25th, 2024, by security researchers at Elastic Security Labs. The discovery was made in connection with an attack targeting a Foreign Minister of an unspecified South American country.

The activity cluster is currently tracked under the moniker REF8747. Describing the BITSLOTH malware Windows backdoor, researchers Seth Goodwin and Daniel Stepanic have stated that:

“The most current iteration of the backdoor at the time of this publication has 35 handler functions including keylogging and screen capture capabilities. In addition, BITSLOTH contains many different features for discovery, enumeration, and command-line execution.”

Understanding The BITSLOTH Malware

BITSLOTH, the tool the threat actors use to gather data, has been under development since 2021. While the identity of those behind the BITSLOTH Windows backdoor remains unknown, certain logging functions and strings suggest that its authors are Chinese speakers.

This link is further strengthened by the prevalent use of another tool named RingQ. Chinese cyber espionage threat actors primarily use RingQ to encrypt malware so that it evades detection and can be decrypted and executed directly in memory. BITSLOTH itself takes the form of a DLL file named “flengine.dl”.

BITSLOTH Malware Attack Chain And Capabilities

To initiate the attack, the DLL is loaded through a side-loading technique, paired with a legitimate executable: Image-Line’s FL Studio (fl.exe). Beyond this, the threat actors have added a new scheduling component to the BITSLOTH malware.

This component gives them the ability to control when the malware should operate in a targeted environment, and the feature has been observed with other malware such as EAGERBEE.

As far as the capabilities of the BITSLOTH Windows backdoor are concerned, it can perform a variety of malicious actions, including:

  • Acquiring sensitive data.
  • Reconfiguring persistence.
  • Terminating arbitrary processes.
  • Uploading and downloading files.
  • Running and executing commands.
  • Logging keys and capturing screens.
  • Restarting or shutting down the device.
  • Conducting enumeration and discovery.
  • Logging out targeted victims from their devices.
  • Changing communication modes to HTTP or HTTPS.
  • Updating or deleting itself from the compromised systems.

Those keen on ensuring protection against cyber threats should understand that abusing BITS as a backdoor channel is practical for threat actors precisely because BITS network traffic is hard to monitor. Organizations should keep this in mind as they develop their cybersecurity strategy.
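One practical check for the point above, added here as an example and not code from the article or from Elastic Security Labs’ report: it enumerates the BITS jobs present on a Windows host with the built-in Get-BitsTransfer cmdlet and flags any job whose remote host is not on an allowlist, whose local file lands in a user-writable directory, or which uploads data. The allowlist entries and path patterns are assumptions to adapt to your environment; run it from an elevated session, since -AllUsers requires administrator rights.

```powershell
# Added example: hunt for suspicious BITS jobs on a Windows host.
# Allowlisted hosts are assumptions; replace them with your own update/CDN sources.
$AllowedHosts = @('*.windowsupdate.com', '*.microsoft.com', 'updates.example-corp.internal')

function Test-AllowedHost {
    param([string]$Url)
    try { $hostName = ([System.Uri]$Url).Host } catch { return $false }
    foreach ($pattern in $AllowedHosts) {
        if ($hostName -like $pattern) { return $true }
    }
    return $false
}

function Get-SuspiciousBitsJobs {
    # -AllUsers lists jobs owned by every account, including SYSTEM (needs admin).
    $jobs = Get-BitsTransfer -AllUsers -ErrorAction Stop
    foreach ($job in $jobs) {
        foreach ($file in $job.FileList) {
            $reasons = @()
            if (-not (Test-AllowedHost $file.RemoteName)) {
                $reasons += 'remote host not allowlisted'
            }
            # Assumed heuristic: payloads staged in user-writable locations.
            if ($file.LocalName -match '^C:\\(Users|ProgramData|Windows\\Temp)\\') {
                $reasons += 'local path is user/temp writable'
            }
            if ($job.TransferType -in 'Upload', 'UploadReply') {
                $reasons += 'upload job (possible exfiltration channel)'
            }
            if ($reasons.Count -gt 0) {
                [pscustomobject]@{
                    JobId       = $job.JobId
                    DisplayName = $job.DisplayName
                    Owner       = $job.OwnerAccount
                    State       = $job.JobState
                    Created     = $job.CreationTime
                    Remote      = $file.RemoteName
                    Local       = $file.LocalName
                    Reasons     = ($reasons -join '; ')
                }
            }
        }
    }
}

Get-SuspiciousBitsJobs | Format-Table -AutoSize
```

Pair this with the Microsoft-Windows-Bits-Client/Operational event log, which records job creation and transfer start even for jobs that complete and disappear before a live enumeration runs.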

Conclusion

The discovery of the BITSLOTH malware highlights how attackers can abuse BITS as a C2 mechanism. Organizations must strengthen their cybersecurity measures, monitor network traffic diligently, and stay informed to defend against such sophisticated threats.

The sources for this piece include articles in The Hacker News and Elastic Security Labs.
