Cybersecurity experts have uncovered a new, previously undocumented Windows backdoor, identified as BITSLOTH, which abuses a built-in Windows feature, the Background Intelligent Transfer Service (BITS), for its command-and-control (C2) communications. Discovered by Elastic Security Labs on June 25, 2024, the malware is linked to a cyber attack on a yet-to-be-specified Foreign Ministry of a South American nation. The attack's activity is tracked under the code REF8747.
Researchers Seth Goodwin and Daniel Stepanic reported that the latest version of BITSLOTH includes 35 different handler functions that enable actions like keylogging and screen capturing. Furthermore, this malware offers extensive capabilities for system discovery, enumeration, and command-line operations, allowing the attackers a deep level of control over compromised systems.
The development timeline of BITSLOTH indicates that the threat has been under development since December 2021, and its primary purpose appears to be data collection. While the identity of the attackers remains unclear, analysis of the source code has revealed logging functions that suggest the authors may be native Chinese speakers.
The connection to Chinese threat actors is further supported by the use of an open-source encryption tool known as RingQ, which is used to obfuscate the malware so that it evades security software. It is believed that the malware is delivered to vulnerable web servers and uses web shells to deploy additional payloads, including covert cryptocurrency miners.
This particular attack stands out for its use of STOWAWAY to proxy encrypted C2 traffic over HTTP, along with a port-forwarding utility named iox, which has prior associations with a Chinese espionage group known as Bronze Starlight. The combination of these tools hints at a sophisticated, coordinated operation.
BITSLOTH takes the form of a dynamic link library (DLL), specifically "flengine.dll." The malware is loaded through DLL side-loading, using a legitimate executable associated with Image-Line's FL Studio. Recent updates to BITSLOTH have added a scheduling component that allows it to operate only at specific times within a compromised environment, a characteristic it shares with certain contemporary malware families such as EAGERBEE.
As a fully capable backdoor, BITSLOTH can execute commands, manage file transfers, perform system discovery, and acquire sensitive information using keylogging and screen capture techniques. It also possesses the ability to communicate via both HTTP and HTTPS protocols, alter its persistence methods, and execute commands that can terminate processes or restart the host system.
The utilization of BITS for its C2 communications provides a strategic advantage for adversaries, considering that many organizations remain ill-equipped to monitor BITS-related network traffic and detect abnormal BITS jobs. This aspect emphasizes the importance of organizations enhancing their cybersecurity measures and monitoring capabilities to guard against such sophisticated threats.
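As an added illustration of the monitoring gap described above (this is example code written for this article, not tooling from Elastic Security Labs), the script below reviews constructed BITS client event records and flags jobs that a defender would want to inspect: jobs created from a user-writable path, and transfers to hosts outside an assumed allowlist, to raw IP addresses, or on non-standard ports. The field names and the trusted-host list are assumptions, not values from the article.

```python
import re
from urllib.parse import urlparse

# Constructed sample records modelled on the Microsoft-Windows-Bits-Client/Operational
# log (event 16403 = job created, event 59 = transfer started). Field names, hosts
# and process paths are assumed placeholders, not indicators from the article.
SAMPLE_EVENTS = [
    {"id": 16403, "job": "Windows Update", "process": r"C:\Windows\System32\svchost.exe", "url": ""},
    {"id": 59, "job": "Windows Update", "process": "", "url": "http://download.windowsupdate.com/x.cab"},
    {"id": 16403, "job": "upd", "process": r"C:\Users\Public\fl.exe", "url": ""},
    {"id": 59, "job": "upd", "process": "", "url": "http://203.0.113.10:8080/api/sync"},
]

# Assumed allowlist of hosts a BITS job is expected to talk to in this environment.
TRUSTED_HOSTS = ("windowsupdate.com", "update.microsoft.com")
# Directories a normal user can write to; a BITS job created from here is suspicious.
USER_WRITABLE = re.compile(r"\\(Users|ProgramData|Temp|AppData)\\", re.IGNORECASE)
RAW_IPV4 = re.compile(r"\d{1,3}(\.\d{1,3}){3}")


def review_bits_events(events):
    """Return human-readable findings for BITS events that merit investigation."""
    findings = []
    for e in events:
        # Job-creation event: check the path of the process that created the job.
        if e["id"] == 16403 and USER_WRITABLE.search(e["process"]):
            findings.append(f"job '{e['job']}' created from user-writable path {e['process']}")
        # Transfer-start event: check the remote endpoint the job talks to.
        if e["id"] == 59 and e["url"]:
            parsed = urlparse(e["url"])
            host = parsed.hostname or ""
            trusted = any(host == h or host.endswith("." + h) for h in TRUSTED_HOSTS)
            if not trusted:
                findings.append(f"job '{e['job']}' transfers with untrusted host {host}")
            if RAW_IPV4.fullmatch(host):
                findings.append(f"job '{e['job']}' uses a raw IP address {host}")
            if parsed.port not in (None, 80, 443):
                findings.append(f"job '{e['job']}' uses non-standard port {parsed.port}")
    return findings


if __name__ == "__main__":
    for line in review_bits_events(SAMPLE_EVENTS):
        print(line)
```

The same checks can be run against live data by exporting the operational log with `wevtutil` or by comparing `Get-BitsTransfer -AllUsers` output against the same allowlist.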
In conclusion, the emergence of BITSLOTH signifies a concerning evolution in the landscape of cyber threats, particularly for entities in sectors reliant on governmental and sensitive data exchanges. Business owners would do well to remain vigilant and informed about these evolving tactics as they navigate the complexities of modern cybersecurity threats.