Cybersecurity researchers have uncovered a sophisticated new Windows backdoor, named BITSLOTH, that utilizes the Background Intelligent Transfer Service (BITS) for covert command-and-control (C2) operations. Discovered by Elastic Security Labs on June 25, 2024, during an attack targeting a South American Foreign Ministry, BITSLOTH represents a significant advance in malware evasion techniques. The backdoor, tracked under the moniker REF8747, employs BITS—a legitimate Windows service typically used for background file transfers—to facilitate its clandestine communications.
BITSLOTH boasts a range of capabilities including keylogging, screen capture, and command-line execution, with its development dating back to December 2021. The malware’s use of BITS enables it to blend in with regular network traffic, making detection by traditional security measures more challenging. The malware, delivered as a DLL file named “flengine.dll,” is loaded using DLL side-loading techniques with a legitimate executable from Image-Line’s FL Studio, further enhancing its stealth.
The malware’s architecture is notable for its use of an open-source encryption tool called RingQ, which obscures the malware’s code from detection. Additionally, BITSLOTH integrates with STOWAWAY to proxy encrypted C2 traffic over HTTP and employs a port forwarding utility previously linked to the Chinese cyber espionage group Bronze Starlight. These features, along with its capability to run scheduled tasks, perform discovery, and harvest sensitive data, suggest a high level of sophistication and potentially state-sponsored origins.
Researchers have linked BITSLOTH to recent attacks involving vulnerable web servers exploited to drop web shells and deliver additional payloads, including cryptocurrency miners. The use of BITSLOTH reflects the growing trend of leveraging legitimate system features for malicious purposes, underscoring the need for enhanced monitoring and detection strategies to combat advanced cyber threats.
Reference:
