
Cybersecurity researchers have discovered a previously undocumented Windows backdoor that leverages a built-in feature called Background Intelligent Transfer Service (BITS) as a command-and-control (C2) mechanism.
The newly identified malware is codenamed BITSLOTH. Elastic Security Labs made this discovery on June 25, 2024, in connection with a cyberattack targeting an unidentified Ministry of Foreign Affairs of a South American government. This cluster of activity is tracked under the designation REF8747.
“At the time of writing, the latest version of the backdoor contains 35 handler functions, including keylogging and screen capture functionality,” security researchers Seth Goodwin and Daniel Stepanic said. “In addition, BITSLOTH contains a variety of capabilities for discovery, enumeration, and command line execution.”

The tool, which has been under development since December 2021, is believed to be used by threat actors for data collection purposes. It is not clear at this time who is behind it, but analysis of the source code has uncovered logging functions and strings that suggest the creator may be a Chinese speaker.
Another potential link to China is the use of an open source tool called RingQ, which is used to encrypt malware to prevent detection by security software, after which the malware is decrypted and executed directly in memory.
In June 2024, the AhnLab Security Intelligence Center (ASEC) revealed that vulnerable web servers were being exploited to drop web shells that were then used to deliver additional payloads, such as cryptocurrency miners via RingQ. The attack was attributed to a Chinese-speaking threat actor.
This attack is also notable for its use of STOWAWAY, which proxies encrypted C2 traffic over HTTP, and a port forwarding utility called iox, which has previously been used by a Chinese cyberespionage group called Bronze Starlight (aka Emperor Dragonfly) in their Cheerscrypt ransomware attacks.
BITSLOTH, which takes the form of a DLL file (“flengine.dll”), is loaded via a DLL side-loading technique using a legitimate executable file associated with Image-Line, namely FL Studio (“fl.exe”).
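The side-loading described above leaves a detectable shape in endpoint telemetry: a signed, legitimate executable running from somewhere other than its product install directory, loading an unsigned DLL that sits next to it. The following script is an added illustration written for this article, not Elastic's code; the image-load record layout is a constructed simplification of a Sysmon-style "image loaded" event, and the paths, signature flags and trusted install roots are assumptions.

```python
"""Flag likely DLL side-loading from image-load telemetry.

Added illustration, not code from the original research. Records are
constructed here in a simplified "image loaded" shape; the field names
and the sample paths are assumptions for the example.
"""
from dataclasses import dataclass
from pathlib import PureWindowsPath

# Assumed: directories where a signed vendor binary is normally installed.
TRUSTED_ROOTS = (
    PureWindowsPath(r"C:\Program Files"),
    PureWindowsPath(r"C:\Program Files (x86)"),
    PureWindowsPath(r"C:\Windows"),
)


@dataclass(frozen=True)
class ImageLoad:
    image: str           # process executable that performed the load
    image_loaded: str    # module that was loaded into it
    image_signed: bool   # executable carries a valid Authenticode signature
    module_signed: bool  # loaded module carries a valid signature


# Constructed sample telemetry (paths are illustrative, not real install dirs).
SAMPLE_LOADS = [
    # Legitimate signed fl.exe copied to a user-writable folder, unsigned DLL beside it
    ImageLoad(r"C:\Users\Public\Music\fl.exe",
              r"C:\Users\Public\Music\flengine.dll", True, False),
    # Same product loading its own signed DLL from an assumed install directory
    ImageLoad(r"C:\Program Files\Image-Line\FL Studio\fl.exe",
              r"C:\Program Files\Image-Line\FL Studio\flengine.dll", True, True),
    # Ordinary OS binary loading a system DLL
    ImageLoad(r"C:\Windows\explorer.exe",
              r"C:\Windows\System32\shell32.dll", True, True),
]


def under_trusted_root(path: str) -> bool:
    """True if the path lies below one of TRUSTED_ROOTS (case-insensitive on Windows paths)."""
    p = PureWindowsPath(path)
    return any(root in p.parents for root in TRUSTED_ROOTS)


def side_load_signals(rec: ImageLoad) -> list:
    """Return the reasons this load looks like side-loading (empty list = nothing odd)."""
    reasons = []
    exe = PureWindowsPath(rec.image)
    dll = PureWindowsPath(rec.image_loaded)
    # A signed vendor executable relocated outside any install root is the classic carrier.
    if rec.image_signed and not under_trusted_root(rec.image):
        reasons.append("signed executable running outside a trusted install root")
    # The planted DLL is usually unsigned and placed in the executable's own directory
    # so that it wins the DLL search order over the genuine copy.
    if dll.parent == exe.parent and not rec.module_signed:
        reasons.append("unsigned DLL loaded from the executable's own directory")
    return reasons


def flag_side_loads(records) -> dict:
    """Map each suspicious executable path to its list of signals."""
    return {r.image: side_load_signals(r) for r in records if side_load_signals(r)}


if __name__ == "__main__":
    for image, why in flag_side_loads(SAMPLE_LOADS).items():
        print(image)
        for w in why:
            print("  -", w)
```

Both signals together are a strong indicator; either alone is common enough (portable apps, unsigned plug-ins) that it should only raise the priority of a hunt, not page anyone on its own.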
“In the latest version, the developers added a new scheduling component, allowing them to control the specific times that BITSLOTH operates in the victim’s environment,” the researchers said, “a feature that has been observed in other modern malware families such as EAGERBEE.”
BITSLOTH is a full-featured backdoor that can execute commands, upload and download files, perform enumeration and discovery, and collect sensitive data through keylogging and screen capture.
It can also set the communication mode to HTTP or HTTPS, remove or reconfigure persistence, terminate any process, log the user off the machine, reboot or shut down the system, and even update or remove itself from the host. A notable feature of this malware is the use of BITS for C2.
“This medium is attractive to adversaries as many organizations still struggle to monitor BITS network traffic and detect anomalous BITS jobs,” the researchers added.
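Monitoring BITS is mostly a matter of looking at the jobs themselves: who created them, from which process, and where they transfer to. The script below is an added example for this article, not Elastic's detection logic; it triages a constructed, pipe-delimited export of BITS-Client events (a simplified stand-in for the Microsoft-Windows-Bits-Client/Operational log, with event 3 taken as "job created" and 59 as "transfer started"; those IDs, the record layout, the allowlisted hosts and the sample addresses are assumptions) and flags jobs that reach unexpected hosts, are created by processes outside trusted install roots, or repeat transfers to one host in a way that resembles beaconing.

```python
"""Triage exported BITS-Client events for anomalous jobs.

Added illustration, not code from the original research. The record format,
the sample events, the allowlist and the threshold below are constructed
for this example; event IDs 3 (job created) and 59 (transfer started) are
assumed to match the BITS-Client operational log.
"""
from collections import Counter
from ipaddress import ip_address
from pathlib import PureWindowsPath
from urllib.parse import urlsplit

# Constructed allowlist of hosts BITS is expected to contact in this environment.
EXPECTED_HOSTS = {"download.windowsupdate.com", "updates.corp.example"}
# Assumed: processes that legitimately create BITS jobs live under these roots.
TRUSTED_PROCESS_ROOTS = (
    PureWindowsPath(r"C:\Windows"),
    PureWindowsPath(r"C:\Program Files"),
    PureWindowsPath(r"C:\Program Files (x86)"),
)
BEACON_THRESHOLD = 3  # transfer starts by one owner to one host within the export

# Constructed sample export: time|event_id|job=...|owner=...|process=...|url=...
SAMPLE_EVENTS = [
    "2024-06-25T09:00:00Z|3|job=Windows Update|owner=NT AUTHORITY\\SYSTEM"
    "|process=C:\\Windows\\System32\\svchost.exe|url=https://download.windowsupdate.com/pkg.cab",
    "2024-06-25T09:00:02Z|59|job=Windows Update|owner=NT AUTHORITY\\SYSTEM"
    "|process=C:\\Windows\\System32\\svchost.exe|url=https://download.windowsupdate.com/pkg.cab",
    "2024-06-25T10:00:00Z|3|job=sync|owner=CORP\\jdoe"
    "|process=C:\\Users\\Public\\Music\\fl.exe|url=http://203.0.113.10/api/task",
    "2024-06-25T10:00:01Z|59|job=sync|owner=CORP\\jdoe"
    "|process=C:\\Users\\Public\\Music\\fl.exe|url=http://203.0.113.10/api/task",
    "2024-06-25T10:05:01Z|59|job=sync|owner=CORP\\jdoe"
    "|process=C:\\Users\\Public\\Music\\fl.exe|url=http://203.0.113.10/api/task",
    "2024-06-25T10:10:01Z|59|job=sync|owner=CORP\\jdoe"
    "|process=C:\\Users\\Public\\Music\\fl.exe|url=http://203.0.113.10/api/task",
]


def parse_event(line: str) -> dict:
    """Split one pipe-delimited record into a dict of its fields."""
    time, event_id, *fields = line.split("|")
    rec = {"time": time, "event_id": int(event_id)}
    for field in fields:
        key, _, value = field.partition("=")
        rec[key] = value
    return rec


def _is_ip_literal(host: str) -> bool:
    try:
        ip_address(host)
        return True
    except ValueError:
        return False


def job_signals(rec: dict) -> list:
    """Per-event heuristics; returns the reasons this job looks odd (empty = fine)."""
    reasons = []
    host = urlsplit(rec["url"]).hostname or ""
    if host not in EXPECTED_HOSTS:
        reasons.append(f"unexpected remote host {host}")
    if _is_ip_literal(host):
        reasons.append("transfer to a raw IP address")
    proc = PureWindowsPath(rec["process"])
    if not any(root in proc.parents for root in TRUSTED_PROCESS_ROOTS):
        reasons.append(f"job created by process outside trusted roots: {rec['process']}")
    return reasons


def triage(lines) -> dict:
    """Return {job name: sorted reasons} for every job that tripped at least one heuristic."""
    findings = {}
    transfer_starts = Counter()
    for line in lines:
        rec = parse_event(line)
        for reason in job_signals(rec):
            findings.setdefault(rec["job"], set()).add(reason)
        if rec["event_id"] == 59:
            host = urlsplit(rec["url"]).hostname
            transfer_starts[(rec["job"], rec["owner"], host)] += 1
    # Repeated transfers to the same host by the same owner is how a BITS-based
    # C2 channel shows up in the job log.
    for (job, owner, host), n in transfer_starts.items():
        if n >= BEACON_THRESHOLD:
            findings.setdefault(job, set()).add(
                f"{n} transfer starts to {host} by {owner} (possible beaconing)")
    return {job: sorted(reasons) for job, reasons in findings.items()}


if __name__ == "__main__":
    for job, reasons in triage(SAMPLE_EVENTS).items():
        print(job)
        for r in reasons:
            print("  -", r)
```

The allowlist is the part that needs tuning per environment: anything that is not a known update or software-distribution endpoint is worth a look, and a job created by a binary under a user-writable path is the strongest single signal in the set.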