BITSLOTH
Type of Malware | Backdoor |
Country of Origin | China |
Targeted Countries | Brazil |
Date of initial activity | 2024 |
Associated Groups | REF8747 |
Motivation | Espionage |
Type of Information Stolen | System Information |
Attack Vectors | Software Vulnerabilities |
Targeted Systems | Windows |
Overview
BITSLOTH is a sophisticated, newly discovered Windows backdoor that uses the Background Intelligent Transfer Service (BITS) as its command-and-control (C2) channel, which gives it an unusual detection profile. It was first uncovered during an intrusion into a South American government organization, and it evades detection by hiding behind a built-in Microsoft service that many organizations do not properly monitor. Built on a client-server architecture, BITSLOTH supports a range of malicious actions, including data exfiltration, system discovery, and remote command execution. A hardcoded mutex ensures that only one instance of the malware runs at a time, which also helps it stay unobtrusive and persistent.
Unlike traditional malware, BITSLOTH abuses the legitimate BITS service, normally used for software updates and file transfers, so its activity blends in with ordinary network traffic. Conventional security tools struggle to detect these operations because BITS traffic is generally trusted on account of its role in system updates. This combination of a trusted transport, an internal architecture built around it, and C2 traffic that looks benign is what makes the malware particularly dangerous. Once installed on a victim's machine, BITSLOTH uses multiple command handlers to carry out its functions, including keylogging, screen capture, file upload and download, and process enumeration.
Targets
Information
How they operate
At its core, BITSLOTH relies on BITS, a Windows service designed to transfer large files in the background using minimal network bandwidth. Because BITS is typically used for Windows updates and other system-level tasks, it is a trusted service on many systems. That trust gives BITSLOTH a significant advantage: its communication with the C2 server blends in with normal traffic and evades network monitoring tools. By staying below the threshold of traditional security mechanisms, BITSLOTH can persist in an environment without raising immediate red flags.
Once installed on a target machine, BITSLOTH connects to its C2 server over HTTP or HTTPS and uses BITS to download additional payloads from it. These payloads are often executables or scripts that advance the attacker's objectives, such as installing further malware or exfiltrating sensitive data. A key feature of the malware is that these transfers do not trigger alerts: BITS is designed to move files silently in the background, which is precisely why traditional security tools frequently overlook it.
The malware also uses persistence techniques to keep access to the infected system over long periods. Because its communications and file transfers go through BITS, BITSLOTH can evade conventional antivirus software. It may manipulate BITS settings or take advantage of misconfigurations in the service so that it starts automatically whenever the system reboots. This lets it keep a foothold on the infected machine even when conventional removal is attempted.
For exfiltration, BITSLOTH can quietly send sensitive information back to the attacker's C2 server, typically data of value to the attacker such as login credentials, financial information, or intellectual property. BITS is particularly effective for this because it lets the malware send data in small, inconspicuous transfers over legitimate web protocols, minimizing the chance that firewalls or intrusion detection systems notice. And because BITS is part of the Windows operating system, its activity draws less scrutiny than more overt forms of exfiltration, such as large outbound transfers.
BITSLOTH can also escalate privileges once inside a target system. If it is initially deployed with limited user privileges, it may attempt to exploit vulnerabilities in the system to obtain administrative rights, giving it full control over the compromised host: the attacker can then run arbitrary commands, install additional malware, or compromise the wider network. This privilege escalation is a crucial part of the malware's persistence, since it keeps the attacker in full control of the system regardless of attempts to contain the infection.
BITSLOTH's stealth and its reliance on legitimate system processes make it a highly effective tool for cybercriminals who want long-term access to targeted systems. Blending in with normal system activity makes detection and removal harder, and its flexible capabilities, from remote control to data exfiltration, make it a versatile and dangerous threat. Organizations that rely on traditional security measures must adapt: monitor and audit legitimate system services such as BITS, deploy network anomaly detection, and enforce least-privilege access policies to reduce the risk of privilege escalation. As cybercriminals continue to refine their tactics, BITSLOTH is a reminder that multiple layers of defense are needed against increasingly sophisticated threats.
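The monitoring the preceding paragraphs call for can be started with a short BITS audit. The following PowerShell hunt is an added example, not code from the original page or from the BITSLOTH report: it enumerates BITS jobs for every user and flags the traits described above (remote URLs outside an update allowlist, upload jobs, jobs stuck retrying a server, and a notification command line that would run a program when a download completes), then cross-checks the BITS client event log for transfers that were started and since deleted. The $TrustedHosts patterns and the 500-event window are assumptions to tune per environment; run it from an elevated session on a host that has the BitsTransfer module.

```powershell
# Added hunting script, not code from the original page or the BITSLOTH report.
# Assumes an elevated PowerShell session on Windows with the BitsTransfer module;
# $TrustedHosts is a constructed allowlist that must be adjusted per environment.
Import-Module BitsTransfer

$TrustedHosts = @('*.windowsupdate.com', '*.microsoft.com', '*.windows.com')

function Test-TrustedHost {
    param([string]$Url)
    try { $hostName = ([System.Uri]$Url).Host } catch { return $false }
    foreach ($pattern in $TrustedHosts) { if ($hostName -like $pattern) { return $true } }
    return $false
}

# 1. Live jobs: -AllUsers includes jobs created under other accounts, including SYSTEM.
$findings = foreach ($job in Get-BitsTransfer -AllUsers) {
    $reasons = @()
    $untrusted = @($job.FileList.RemoteName | Where-Object { -not (Test-TrustedHost $_) })
    if ($untrusted.Count -gt 0) { $reasons += "untrusted URL: $($untrusted -join ', ')" }
    # A notification command line runs a program when the job finishes, turning a
    # plain file download into code execution and a cheap persistence mechanism.
    if ($job.NotifyCmdLine) { $reasons += "NotifyCmdLine: $($job.NotifyCmdLine -join ' ')" }
    # Windows Update only downloads; an upload job moves data off the host.
    if ($job.TransferType -ne 'Download') { $reasons += "TransferType $($job.TransferType)" }
    # A job that keeps retrying an unreachable server often points at a dormant C2 URL.
    if ($job.JobState -in 'TransientError', 'Error') { $reasons += "JobState $($job.JobState)" }
    if ($reasons.Count -gt 0) {
        [pscustomobject]@{
            JobId   = $job.JobId
            Name    = $job.DisplayName
            Owner   = $job.OwnerAccount
            Created = $job.CreationTime
            Reasons = $reasons -join '; '
        }
    }
}
$findings | Format-Table -AutoSize

# 2. History: the BITS-Client operational log records the URL each transfer started
#    against (event 59), so a job removed after use still leaves a trace here.
$filter = @{ LogName = 'Microsoft-Windows-Bits-Client/Operational'; Id = 59 }
Get-WinEvent -FilterHashtable $filter -MaxEvents 500 -ErrorAction SilentlyContinue |
    ForEach-Object {
        # Take the URL from the rendered (English) message text rather than relying
        # on EventData field names; -match fills $matches before the right operand runs.
        if ($_.Message -match 'associated with the (\S+) URL' -and -not (Test-TrustedHost $matches[1])) {
            [pscustomobject]@{ Time = $_.TimeCreated; Url = $matches[1] }
        }
    } | Format-Table -AutoSize
```

Any hit is a lead, not a verdict: confirm the owning process and the local file path before acting, since third-party updaters also create BITS jobs to hosts outside the Microsoft allowlist.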
MITRE Tactics and Techniques
Initial Access (T1071.001 – Application Layer Protocol: Web Protocols)
BITSLOTH uses the Background Intelligent Transfer Service (BITS), which often operates over HTTP/HTTPS protocols, to establish a connection between the infected machine and the command-and-control (C2) server. The use of standard web protocols helps the malware blend in with normal network traffic and evade detection by security tools.
Execution (T1105 – Remote File Copy)
Once the malware has gained access to the system, it can execute its payload by copying additional files from the C2 server to the compromised system. This execution is carried out silently, leveraging BITS to download files without triggering typical security alerts related to file transfers.
Persistence (T1071.001 – Application Layer Protocol: Web Protocols)
BITSLOTH uses BITS for its persistent communication, ensuring it can maintain a connection with the C2 server. This persistence tactic allows BITSLOTH to operate in the background, often remaining undetected for long periods as it uses a trusted system process that is not commonly scrutinized by defenders.
Privilege Escalation (T1068 – Exploitation for Privilege Escalation)
BITSLOTH may attempt to escalate privileges by exploiting system vulnerabilities or misconfigurations, allowing it to execute its payload with elevated privileges. This is a common tactic in backdoor malware that needs administrative rights to carry out its full range of activities.
Defense Evasion (T1070.004 – Indicator Removal on Host: File Deletion)
The malware attempts to evade detection by utilizing system processes like BITS, which are typically trusted and not monitored closely by most security tools. Additionally, BITSLOTH may attempt to delete or hide files to avoid leaving traces of its presence on the system.
Command and Control (T1071.001 – Application Layer Protocol: Web Protocols)
The malware uses BITS to communicate with the C2 server over common web protocols like HTTP/HTTPS. This allows it to bypass network filtering and avoid detection from traditional security measures by blending its C2 traffic with normal, benign traffic.
Exfiltration (T1041 – Exfiltration Over Command and Control Channel)
BITSLOTH can exfiltrate sensitive data back to the C2 server. It does so by using the established BITS connection, making the data transfer seem like legitimate system activity, which helps it avoid detection during the exfiltration process.
Impact (T1499 – Endpoint Denial of Service)
In some cases, BITSLOTH may impact the targeted system by creating system instability or consuming resources. While its primary purpose is typically data exfiltration and remote control, these actions could result in performance degradation or denial of service as side effects.