BITSLOTH (Backdoor) – Malware

February 10, 2025

BITSLOTH

Type of Malware

Backdoor

Country of Origin

China

Targeted Countries

Brazil
Argentina
Mexico

Date of initial activity

2024

Associated Groups

REF8747

Motivation

Espionage
Data Theft

Type of Information Stolen

System Information

Attack Vectors

Software Vulnerabilities

Targeted Systems

Windows

Overview

BITSLOTH is a newly discovered Windows backdoor that uses the Background Intelligent Transfer Service (BITS) for its command-and-control (C2) communication. It was first uncovered during an intrusion into a South American government organization, and it evades detection by relying on a built-in Microsoft service that many organizations fail to monitor properly. Built on a client-server architecture, BITSLOTH supports a range of malicious actions, including data exfiltration, system discovery, and remote command execution. It uses a hardcoded mutex to ensure that only a single instance of the malware runs at any given time, further aiding its stealth and persistence.

Unlike traditional malware, BITSLOTH abuses the legitimate BITS service, which is normally used for software updates and file transfers, so its activity blends in with typical network traffic. Conventional security tools therefore struggle to detect its operations, because BITS traffic is often trusted on account of its association with system updates. This combination of a trusted transport, a deliberate internal architecture, and benign-looking network traffic makes the backdoor particularly dangerous. Once installed on a victim's machine, BITSLOTH uses multiple command handlers to carry out its functions, including keylogging, screen capturing, file uploads and downloads, and process enumeration.

Targets

Information

How they operate

At its core, BITSLOTH leverages BITS, a Windows service designed to transfer large files in the background using minimal network bandwidth. BITS is typically used for Windows updates and other system-level tasks, making it a trusted service on many systems. This trust gives BITSLOTH a significant advantage: its communication with the C2 server blends in with normal traffic and evades detection by network monitoring tools. By operating under the radar of traditional security mechanisms, BITSLOTH can persist within an environment without raising immediate red flags.

Once installed on a target machine, BITSLOTH establishes a connection to its C2 server over HTTP or HTTPS and uses BITS to download additional payloads from that server. These payloads are often executable files or scripts that further the attacker's objectives, such as installing additional malware or exfiltrating sensitive data. Because BITS is designed to handle file transfers silently in the background, these transfers frequently complete without triggering alerts and are overlooked by traditional security tools.

The malware also employs persistence techniques to maintain access to the infected system over extended periods. It may manipulate BITS settings or take advantage of misconfigurations in the service to ensure that it automatically starts whenever the system reboots. This allows it to keep a foothold on the infected machine even if attempts are made to remove it through conventional means, and its reliance on BITS for communications and file transfers helps it evade conventional antivirus software.

For exfiltration, BITSLOTH can quietly send sensitive information back to the attacker's C2 server. It often targets data that is valuable to the attacker, such as login credentials, financial information, or intellectual property. Using BITS for exfiltration is particularly effective because the malware can send data in small, inconspicuous transfers over legitimate web protocols, minimizing the chance of detection by firewalls or intrusion detection systems. Because BITS is integrated into the Windows operating system, its activity is also less likely to be scrutinized than more overt forms of exfiltration, such as large outbound transfers.

Another key aspect of BITSLOTH's operation is its ability to escalate privileges once inside a target system. If the malware is initially deployed with limited user privileges, it may attempt to exploit vulnerabilities within the system to gain administrative rights. With full control of the compromised system, the attacker can run arbitrary commands, install additional malware, or further compromise the network. Privilege escalation also supports the malware's persistence, since it helps the attacker retain full access to the system regardless of attempts to mitigate the infection.

BITSLOTH's stealth and its reliance on legitimate system processes make it a highly effective tool for cybercriminals looking to maintain long-term access to targeted systems. Its ability to blend in with normal system activity makes detection and removal more difficult, and its flexible capabilities, ranging from remote control to data exfiltration, make it a versatile and dangerous threat. Organizations that rely on traditional security measures must adapt, including by monitoring and auditing legitimate system services like BITS, implementing network anomaly detection, and enforcing least-privilege access policies to reduce the risk of privilege escalation. As cybercriminals continue to evolve their tactics, BITSLOTH serves as a reminder of the importance of layering multiple defenses against increasingly sophisticated threats.
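The defensive takeaway above, auditing BITS jobs rather than trusting them, as an added example that is not part of the original article and not code from the malware or its analysts: a small Python triage routine over constructed records modelled on Microsoft-Windows-Bits-Client/Operational events (ID 3, job created; ID 59, transfer started), flagging jobs whose creating process or remote host falls outside an allowlist. The record field names, the sample values and the allowlists are assumptions.

```python
from urllib.parse import urlparse

# Constructed sample records (not real Windows event text), simplified from the fields of
# Microsoft-Windows-Bits-Client/Operational events: ID 3 (job created: owner and creating
# process) and ID 59 (transfer started: remote URL). Field names are assumptions.
SAMPLE_EVENTS = [
    {"id": 3, "job": "WU Client Download", "owner": r"NT AUTHORITY\SYSTEM",
     "process": r"C:\Windows\System32\svchost.exe"},
    {"id": 59, "job": "WU Client Download",
     "url": "http://dl.delivery.mp.microsoft.com/filestreamingservice/files/example"},
    {"id": 3, "job": "Update", "owner": r"CORP\jdoe",
     "process": r"C:\Users\jdoe\AppData\Roaming\update.exe"},
    {"id": 59, "job": "Update", "url": "https://203.0.113.10/upload"},
]

# Assumed allowlists: hosts that legitimate update traffic may contact, and directories
# from which a process may reasonably create BITS jobs. Tune these per environment.
ALLOWED_HOST_SUFFIXES = ("microsoft.com", "windowsupdate.com")
TRUSTED_PROCESS_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\", "c:\\program files\\")


def host_allowed(url):
    """True if the URL's host is an allowlisted domain or a subdomain of one (dot boundary enforced)."""
    host = (urlparse(url).hostname or "").lower()
    return any(host == s or host.endswith("." + s) for s in ALLOWED_HOST_SUFFIXES)


def process_trusted(path):
    """True if the creating process lives under one of the trusted directories."""
    return path.lower().startswith(TRUSTED_PROCESS_DIRS)


def assess_jobs(events):
    """Correlate creation and transfer events by job name; return {job: [reasons]} for suspicious jobs."""
    findings = {}
    for ev in events:
        reasons = findings.setdefault(ev["job"], [])
        if ev["id"] == 3 and not process_trusted(ev["process"]):
            reasons.append(f"created by untrusted process {ev['process']} (owner {ev['owner']})")
        elif ev["id"] == 59 and not host_allowed(ev["url"]):
            reasons.append(f"transfer to non-allowlisted host {urlparse(ev['url']).hostname}")
    return {job: why for job, why in findings.items() if why}


if __name__ == "__main__":
    for job, why in assess_jobs(SAMPLE_EVENTS).items():
        print(f"SUSPICIOUS BITS job {job!r}:")
        for reason in why:
            print("  -", reason)
```

On a live host the same job, owner, process and URL fields can be collected with Get-BitsTransfer -AllUsers or exported from the Bits-Client operational log before being fed to assess_jobs.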

MITRE Tactics and Techniques

Initial Access (T1071.001 – Application Layer Protocol: Web Protocols)
BITSLOTH uses the Background Intelligent Transfer Service (BITS), which often operates over HTTP/HTTPS protocols, to establish a connection between the infected machine and the command-and-control (C2) server. The use of standard web protocols helps the malware blend in with normal network traffic and evade detection by security tools.

Execution (T1105 – Remote File Copy)
Once the malware has gained access to the system, it can execute its payload by copying additional files from the C2 server to the compromised system. This execution is carried out silently, leveraging BITS to download files without triggering typical security alerts related to file transfers.

Persistence (T1071.001 – Application Layer Protocol: Web Protocols)
BITSLOTH uses BITS for its persistent communication, ensuring it can maintain a connection with the C2 server. This persistence tactic allows BITSLOTH to operate in the background, often remaining undetected for long periods as it uses a trusted system process that is not commonly scrutinized by defenders.

Privilege Escalation (T1068 – Exploitation for Privilege Escalation)
BITSLOTH may attempt to escalate privileges by exploiting system vulnerabilities or misconfigurations, allowing it to execute its payload with elevated privileges. This is a common tactic in backdoor malware that needs administrative rights to carry out its full range of activities.

Defense Evasion (T1070.004 – File Deletion: Indicator Removal on Host)
The malware attempts to evade detection by utilizing system processes like BITS, which are typically trusted and not monitored closely by most security tools. Additionally, BITSLOTH may attempt to delete or hide files to avoid leaving traces of its presence on the system.

Command and Control (T1071.001 – Application Layer Protocol: Web Protocols)
The malware uses BITS to communicate with the C2 server over common web protocols like HTTP/HTTPS. This allows it to bypass network filtering and avoid detection from traditional security measures by blending its C2 traffic with normal, benign traffic.

Exfiltration (T1041 – Exfiltration Over Command and Control Channel)
BITSLOTH can exfiltrate sensitive data back to the C2 server. It does so by using the established BITS connection, making the data transfer seem like legitimate system activity, which helps it avoid detection during the exfiltration process.

Impact (T1499 – Endpoint Denial of Service)
In some cases, BITSLOTH may impact the targeted system by creating system instability or consuming resources. While its primary purpose is typically data exfiltration and remote control, these actions could result in performance degradation or denial of service as side effects.

Reference: 
  • BITS and Bytes: Analyzing BITSLOTH, a newly identified backdoor