Windows Backdoor: Threat Actors Exploit BITS As C2 Mechanism
As per recent reports, cybersecurity researchers at Elastic Security Labs have discovered a new Windows backdoor. It leverages a built-in feature called the Background Intelligent Transfer Service (BITS), using it as a command-and-control (C2) mechanism. In this article, we’ll dive into the details of the Windows backdoor and learn about the threats it entails. Let’s begin!
The BITS Windows Backdoor Initial Discovery
According to the information available, the Windows backdoor was identified on June 25th, 2024, by security researchers at Elastic Labs. It’s worth mentioning here that this discovery came in connection with an attack that targeted a Foreign Minister in South America that remains unspecified.
Currently, the activity cluster is being tracked under the moniker REF8747. Providing details pertaining to the BITSLOTH malware Windows backdoor, researchers Seth Goodwin and Daniel Stepanic have stated that:
“The most current iteration of the backdoor at the time of this publication has 35 handler functions including keylogging and screen capture capabilities. In addition, BITSLOTH contains many different features for discovery, enumeration, and command-line execution.”
Understanding The BITSLOTH Malware
BITSLOTH, the tool being used by the threat actors for gathering data, has been under development since 2021. While the identity of those behind the Windows backdoor BITSLOTH malware remains unknown, certain logging functions and strings hint at the possibility of the authors being Chinese speakers.
This link is further strengthened by the prevalent use of another tool named RingQ. Chinese cyber espionage threat actors primarily use RingQ to encrypt the malware so that it remains undetected on disk and can be decrypted and executed directly in memory. As for the BITSLOTH malware, it takes the form of a DLL file named “flengine.dll”.
BITSLOTH Malware Attack Chain And Capabilities
To initiate the attack, the DLL file is loaded using a side-loading technique paired with a legitimate executable: fl.exe, which belongs to Image-Line’s FL Studio. Apart from this, threat actors have added a new scheduling component to the BITSLOTH malware.
This component gives them the ability to control when the malware should operate in a targeted environment; the same kind of feature has been observed in other malware such as EAGERBEE.
As far as the capabilities of the Windows backdoor BITSLOTH malware are concerned, it can perform a variety of malicious actions that include:
- Acquiring sensitive data.
- Reconfiguring persistence.
- Terminating arbitrary processes.
- Uploading and downloading files.
- Running and executing commands.
- Logging keys and capturing screens.
- Restarting or shutting down the device.
- Conducting enumeration and discovery.
- Logging out targeted victims from their devices.
- Changing communication modes to HTTP or HTTPS.
- Updating or deleting itself from the compromised systems.
Those keen on ensuring protection against cyber threats must understand that abusing BITS as a Windows backdoor channel is feasible for threat actors precisely because BITS network traffic blends in with legitimate Windows activity and is hard to monitor. Such insights should be kept in mind as organizations develop a cybersecurity strategy.
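Because BITS traffic is hard to spot on the wire, one practical place to look for it is on the host itself: the BITS job queue and the BITS client operational event log record every transfer job and its remote URL regardless of how it was created. The PowerShell script below is an added defensive example written for this article; it is not code from Elastic Security Labs or from the BITSLOTH samples. It uses the built-in BitsTransfer module and Windows event log cmdlets, and it assumes a local allow list of expected download hosts (the `$AllowedHosts` values are placeholders to replace with your own update and software-distribution domains). Run it elevated so that `-AllUsers` can see jobs owned by other accounts, including SYSTEM.

```powershell
# Added example (not from the original report): surface BITS jobs whose
# remote endpoint is not on a local allow list, from both the live job
# queue and the Microsoft-Windows-Bits-Client/Operational log.

Import-Module BitsTransfer

# Assumption: hosts your environment legitimately pulls from via BITS.
$AllowedHosts = @('windowsupdate.com', 'microsoft.com')

function Test-AllowedHost {
    param([string]$Url)
    try   { $remoteHost = ([uri]$Url).Host }
    catch { return $false }   # unparsable URL: treat as not allowed
    foreach ($allowed in $AllowedHosts) {
        if ($remoteHost -eq $allowed -or $remoteHost.EndsWith(".$allowed")) { return $true }
    }
    return $false
}

function Get-LiveBitsFindings {
    # Queued, running and suspended jobs for every user on the box.
    # Upload and UploadReply jobs are worth attention on their own: a
    # C2 channel needs a way to send data out, not only to fetch it.
    foreach ($job in Get-BitsTransfer -AllUsers -ErrorAction SilentlyContinue) {
        foreach ($file in $job.FileList) {
            if (-not (Test-AllowedHost $file.RemoteName) -or $job.TransferType -ne 'Download') {
                [pscustomobject]@{
                    Source       = 'JobQueue'
                    JobId        = $job.JobId
                    DisplayName  = $job.DisplayName
                    Owner        = $job.OwnerAccount
                    TransferType = $job.TransferType
                    State        = $job.JobState
                    RemoteName   = $file.RemoteName
                    LocalName    = $file.LocalName
                }
            }
        }
    }
}

function Get-HistoricalBitsFindings {
    param([int]$MaxEvents = 500)
    # Event ID 59 is logged when BITS starts a transfer job; its message
    # text contains the remote URL, so completed or deleted jobs that are
    # no longer in the queue still leave a trace here.
    $filter = @{ LogName = 'Microsoft-Windows-Bits-Client/Operational'; Id = 59 }
    foreach ($evt in Get-WinEvent -FilterHashtable $filter -MaxEvents $MaxEvents -ErrorAction SilentlyContinue) {
        $m = [regex]::Match($evt.Message, 'https?://[^\s,"]+')
        if ($m.Success -and -not (Test-AllowedHost $m.Value)) {
            [pscustomobject]@{
                Source      = 'EventLog'
                TimeCreated = $evt.TimeCreated
                Url         = $m.Value
                Message     = $evt.Message
            }
        }
    }
}

$findings = @(Get-LiveBitsFindings) + @(Get-HistoricalBitsFindings)
if ($findings.Count -eq 0) {
    Write-Output 'No BITS jobs outside the allow list were found.'
} else {
    $findings | Format-List
}
```

Two design notes. The job owner is reported because a BITS job created by a side-loaded DLL runs under the account of the process that hosted it, so a job owned by an ordinary user or by SYSTEM pointing at an unfamiliar host is a stronger signal than the URL alone. Jobs are also flagged whenever the transfer type is anything other than a plain download, since outbound uploads through BITS are uncommon in most fleets and match the file-upload capability listed above.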
Conclusion
The discovery of the BITSLOTH malware highlights how readily cybercriminals can exploit BITS as a C2 mechanism. Organizations must enhance cybersecurity measures, monitor BITS and network activity diligently, and stay informed to defend against such sophisticated threats.
The sources for this piece include articles in The Hacker News and Elastic Security Labs.