Phone : +91 95 8290 7788 | Email : sales@itmonteur.net

Register & Request Quote | Submit Support Ticket

Home » Cyber Security News » Vulnerabilities & Exploits » New Windows Backdoor BITSLOTH Exploits BITS for Stealthy Communication

New Windows Backdoor BITSLOTH Exploits BITS for Stealthy Communication

New Windows Backdoor BITSLOTH Exploits BITS for Stealthy Communication

https://firewall.firm.in/wp-content/uploads/2024/08/hacking.png

Aug 02, 2024Ravie LakshmananCyber Attack / Windows Security

Cybersecurity researchers have discovered a previously undocumented Windows backdoor that leverages a built-in feature called Background Intelligent Transfer Service (BITS) as a command-and-control (C2) mechanism.

The newly identified malware strain has been codenamed BITSLOTH by Elastic Security Labs, which made the discovery on June 25, 2024, in connection with a cyber attack targeting an unspecified Foreign Ministry of a South American government. The activity cluster is being tracked under the moniker REF8747.

“The most current iteration of the backdoor at the time of this publication has 35 handler functions including keylogging and screen capture capabilities,” security researchers Seth Goodwin and Daniel Stepanic said. “In addition, BITSLOTH contains many different features for discovery, enumeration, and command-line execution.”

Cybersecurity

It’s assessed that the tool – in development since December 2021 – is being used by the threat actors for data gathering purposes. It’s currently not clear who is behind it, although a source code analysis has uncovered logging functions and strings that suggest the authors could be Chinese speakers.

Another potential link to China comes from the use of an open-source tool called RingQ. RingQ is used to encrypt the malware and prevent detection by security software, which is then decrypted and executed directly in memory.

In June 2024, the AhnLab Security Intelligence Center’s (ASEC) revealed that vulnerable web servers are being exploited to drop web shells, which are then leveraged to deliver additional payloads, including a cryptocurrency miner via RingQ. The attacks were attributed to a Chinese-speaking threat actor.

The attack is also notable for the use of STOWAWAY to proxy encrypted C2 traffic over HTTP and a port forwarding utility called iox, the latter of which has been previously leveraged by a Chinese cyber espionage group dubbed Bronze Starlight (aka Emperor Dragonfly) in Cheerscrypt ransomware attacks.

BITSLOTH, which takes the form of a DLL file (“flengine.dll”), is loaded by means of DLL side-loading techniques by using a legitimate executable associated with Image-Line known as FL Studio (“fl.exe”).

“In the latest version, a new scheduling component was added by the developer to control specific times when BITSLOTH should operate in a victim environment,” the researchers said. “This is a feature we have observed in other modern malware families such as EAGERBEE.”

A fully-featured backdoor, BITSLOTH is capable of running and executing commands, uploading and downloading files, performing enumeration and discovery, and harvesting sensitive data through keylogging and screen capturing.

It can also set the communication mode to either HTTP or HTTPS, remove or reconfigure persistence, terminate arbitrary processes, log users off from the machine, restart or shutdown the system, and even update or delete itself from the host. A defining aspect of the malware is its use of BITS for C2.

“This medium is appealing to adversaries because many organizations still struggle to monitor BITS network traffic and detect unusual BITS jobs,” the researchers added.

Found this article interesting? Follow us on Twitter and LinkedIn to read more exclusive content we post.


Information Security - InfoSec - Cyber Security - Firewall Providers Company in India

 

 

 

 

 

 

 

 

 

 

 

 

What is Firewall? A Firewall is a network security device that monitors and filters incoming and outgoing network traffic based on an organization's previously established security policies. At its most basic, a firewall is essentially the barrier that sits between a private internal network and the public Internet.

 

Secure your network at the gateway against threats such as intrusions, Viruses, Spyware, Worms, Trojans, Adware, Keyloggers, Malicious Mobile Code (MMC), and other dangerous applications for total protection in a convenient, affordable subscription-based service. Modern threats like web-based malware attacks, targeted attacks, application-layer attacks, and more have had a significantly negative effect on the threat landscape. In fact, more than 80% of all new malware and intrusion attempts are exploiting weaknesses in applications, as opposed to weaknesses in networking components and services. Stateful firewalls with simple packet filtering capabilities were efficient blocking unwanted applications as most applications met the port-protocol expectations. Administrators could promptly prevent an unsafe application from being accessed by users by blocking the associated ports and protocols.

 

Firewall Firm is an IT Monteur Firewall Company provides Managed Firewall Support, Firewall providers , Firewall Security Service Provider, Network Security Services, Firewall Solutions India , New Delhi - India's capital territory , Mumbai - Bombay , Kolkata - Calcutta , Chennai - Madras , Bangaluru - Bangalore , Bhubaneswar, Ahmedabad, Hyderabad, Pune, Surat, Jaipur, Firewall Service Providers in India

Sales Number : +91 95 8290 7788 | Support Number : +91 94 8585 7788
Sales Email : sales@itmonteur.net | Support Email : support@itmonteur.net

Register & Request Quote | Submit Support Ticket