Cybersecurity researchers have discovered a previously undocumented Windows backdoor that uses the built-in Background Intelligent Transfer Service (BITS) as a command and control (C2) mechanism.
The recently discovered strain of malware has been codenamed BITSLOTH by Elastic Security Labs, which made the discovery on June 25, 2024, in connection with a cyber attack targeting the Foreign Ministry of an unspecified South American government. The activity cluster is tracked under the alias REF8747.
“The most recent iteration of the backdoor at the time of publication has 35 handler functions, including keyboard and screen capture capabilities,” security researchers Seth Goodwin and Daniel Stepanic said. “In addition, BITSLOTH contains many different functions for opening, listing and executing the command line.”
This tool, which has been in development since December 2021, is believed to be used by threat actors to collect data. It is currently unclear who is behind it, although an analysis of the source code has revealed writing conventions and strings suggesting that the authors may be native Chinese speakers.
Another potential connection to China involves the use of an open source tool called RingQ. RingQ is used to encrypt malware so that it evades detection by security software; the payload is then decrypted and executed directly in memory.
In June 2024, AhnLab Security Intelligence Center (ASEC) revealed that vulnerable web servers were exploited to drop web shells, which were then used to deliver additional payloads, including a cryptocurrency miner, via RingQ. The attacks were attributed to a Chinese-speaking threat actor.
The attack also features the use of STOWAWAY to proxy encrypted C2 traffic over HTTP and a port forwarding utility called iox, the latter of which was previously used by a Chinese cyber espionage group called Bronze Starlight (aka Emperor Dragonfly) in the Cheerscrypt ransomware attacks.
BITSLOTH, which takes the form of a DLL file (“flengine.dll”), is loaded via DLL side-loading using a legitimate executable associated with Image-Line’s FL Studio (“fl.exe”).
“In the latest version, the developers added a new scheduling component to control the specific time BITSLOTH should run in the victim’s environment,” the researchers said. “This is a feature we have observed in other modern malware families such as GAMES.”
A full-featured backdoor, BITSLOTH is capable of running commands, uploading and downloading files, performing enumeration and discovery, and collecting sensitive data through keylogging and screen capture.
It can also set the communication mode to HTTP or HTTPS, remove or change the save configuration, terminate arbitrary processes, log users off the machine, restart or shut down the system, and even update or remove itself from the host. A defining aspect of the malware is its use of BITS for C2.
“This medium is attractive to adversaries because many organizations still find it difficult to monitor BITS network traffic and detect unusual BITS tasks,” the researchers added.
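As an added defensive example (not code from the Elastic report), the PowerShell below enumerates BITS jobs for all users and recent BITS-Client transfer-start events, flagging any remote URL outside an allowlist of update hosts; the allowlist and the event field name `url` are assumptions to adapt to your own environment.

```powershell
# Added example: hunt for unusual BITS jobs on a Windows host. Run from an elevated shell.
# The allowlist below is an assumption for illustration; tune it to your estate.
Import-Module BitsTransfer

$AllowedHosts = @('windowsupdate.com', 'update.microsoft.com', 'delivery.mp.microsoft.com')

function Test-AllowedUrl {
    param([string]$Url)
    try { $h = ([System.Uri]$Url).Host } catch { return $false }
    # Bare IP addresses never match the allowlist; the suffix match covers subdomains.
    foreach ($a in $AllowedHosts) { if ($h -eq $a -or $h.EndsWith(".$a")) { return $true } }
    return $false
}

$findings = @()

# 1. Live jobs for every user: a persistent C2 channel is visible here even between transfers.
foreach ($job in Get-BitsTransfer -AllUsers -ErrorAction SilentlyContinue) {
    foreach ($file in $job.FileList) {
        if (-not (Test-AllowedUrl $file.RemoteName)) {
            $findings += [pscustomobject]@{
                Source = 'LiveJob'
                Owner  = $job.OwnerAccount
                Name   = $job.DisplayName
                State  = $job.JobState
                Remote = $file.RemoteName
                Local  = $file.LocalName
            }
        }
    }
}

# 2. Transfer-start events (ID 59) from the last day catch short-lived jobs already cancelled.
$filter = @{ LogName = 'Microsoft-Windows-Bits-Client/Operational'; Id = 59; StartTime = (Get-Date).AddDays(-1) }
foreach ($ev in Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue) {
    # The 'url' data field name is assumed; verify it against an event on your own system.
    $url = ([xml]$ev.ToXml()).Event.EventData.Data |
        Where-Object { $_.Name -eq 'url' } | Select-Object -ExpandProperty '#text'
    if ($url -and -not (Test-AllowedUrl $url)) {
        $findings += [pscustomobject]@{
            Source = 'Event59'; Owner = $ev.UserId; Name = $ev.TimeCreated
            State  = 'started'; Remote = $url; Local = ''
        }
    }
}

$findings | Format-Table -AutoSize
```

A job whose remote host is a bare IP address or an unfamiliar domain, or one owned by an interactive user account rather than a service, is the kind of result worth triaging against the behaviour described above.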