BITSLOTH: The Latest Threat to Windows Users
A new backdoor targeting Windows users has recently been uncovered, known as BITSLOTH. This malware uses the Background Intelligent Transfer Service (BITS) for its command-and-control functions, posing a significant risk to unsuspecting victims.
Initially detected during a security incident involving the foreign ministry of a South American government, BITSLOTH has been under development for several years. This silent threat operates through 35 handler functions, enabling malicious activities such as keylogging, screen capturing, data discovery, enumeration, and command-line execution, all designed to exfiltrate sensitive information from targeted systems.
Researchers from Elastic Labs first encountered BITSLOTH on June 25 during an incident response engagement. The attackers behind the intrusion utilized various publicly available tools, with BITSLOTH being the only custom-built component of the attack. This malware leverages a tool called ‘RINGQ’ for sideloading shellcode, enabling it to evade hash-based blocklists and static signature defenses commonly used by anti-malware programs.
Notably, BITSLOTH has been in active development since at least December 2021, with the developer referring to the client-side component as the ‘Slaver’ and the command-and-control (C2) server as the ‘Master.’ One of the key features of BITSLOTH is its utilization of BITS for C2 communication, as BITS traffic is often overlooked by security solutions due to its association with routine system updates.
To ensure persistence on infected systems, BITSLOTH manipulates existing BITS jobs on victim machines, initiating a new download job under the guise of a legitimate Windows update. By establishing communication with the C2 server through BITS, the malware receives instructions and carries out various malicious activities, all while evading detection through obfuscated command execution.
The backdoor boasts 35 command handler functions, granting attackers a wide range of capabilities, including file manipulation, data exfiltration, and surveillance through keylogging and screen capturing. The commands received from the C2 server are obfuscated with a single-byte XOR key before execution, further complicating detection and analysis efforts.
Persistence is achieved through a BITS scheduled job named ‘Microsoft Windows,’ which points to a seemingly legitimate domain. This unique characteristic allowed researchers to identify additional samples of the malware, indicating its presence in the wild for an extended period. BITSLOTH has been engineered with multiple persistence mechanisms to ensure it remains active on compromised systems.
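One way a defender can hunt for the persistence pattern described above is to audit the BITS job queue for jobs that present themselves as Windows updates but do not behave like them. The script below is an added example written for this article, not code from Elastic or from the BITSLOTH research; the job name 'Microsoft Windows' comes from the article, while the trusted-host allowlist and the flagging rules are assumptions to be tuned per environment.

```powershell
# Added example: audit BITS jobs for update-lookalike persistence.
# Run elevated so -AllUsers can see jobs created by other accounts (SYSTEM included).
Import-Module BitsTransfer

# Assumed allowlist: hosts Windows Update legitimately talks to.
$trustedSuffixes = @('microsoft.com', 'windowsupdate.com', 'windows.com')

function Test-TrustedHost {
    param([string]$Url)
    try { $h = ([System.Uri]$Url).Host.ToLowerInvariant() } catch { return $false }
    foreach ($s in $trustedSuffixes) {
        if ($h -eq $s -or $h.EndsWith(".$s")) { return $true }
    }
    return $false
}

function Get-SuspiciousBitsJob {
    foreach ($job in Get-BitsTransfer -AllUsers) {
        $reasons = @()
        # The sample in the article names its job 'Microsoft Windows'.
        if ($job.DisplayName -eq 'Microsoft Windows') {
            $reasons += 'display name mimics a Windows update job'
        }
        # Upload jobs are rare in normal use and are how BITS can carry data out.
        if ($job.TransferType -ne 'Download') {
            $reasons += "non-download transfer type: $($job.TransferType)"
        }
        foreach ($f in $job.FileList) {
            if (-not (Test-TrustedHost $f.RemoteName)) {
                $reasons += "remote URL outside allowlist: $($f.RemoteName)"
            }
        }
        if ($reasons.Count -gt 0) {
            [pscustomobject]@{
                JobId       = $job.JobId
                DisplayName = $job.DisplayName
                Owner       = $job.OwnerAccount
                State       = $job.JobState
                Created     = $job.CreationTime
                Reasons     = ($reasons -join '; ')
            }
        }
    }
}

Get-SuspiciousBitsJob | Format-List
```

A job that matches on more than one reason (lookalike name plus an untrusted remote host) is worth treating as an incident rather than a curiosity; a single untrusted host may just be a third-party updater and should be checked against the software inventory.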
Given the stealthy nature and extensive capabilities of BITSLOTH, organizations and entities are advised to be vigilant and monitor for potential intrusions. Researchers have shared indicators of compromise to aid in the detection of BITSLOTH activity and the deployment of its backdoor, helping to mitigate the risks posed by this advanced malware threat.
In conclusion, the emergence of BITSLOTH highlights the evolving landscape of cyber threats targeting Windows users, underscoring the importance of robust cybersecurity measures and proactive threat intelligence to safeguard against sophisticated malware attacks.