info@thehackernews.com (The Hacker News)
2024-08-02 05:56:00
thehackernews.com
Cybersecurity researchers have discovered a previously undocumented Windows backdoor that leverages a built-in feature called Background Intelligent Transfer Service (BITS) as a command-and-control (C2) mechanism.
The newly identified malware strain has been codenamed BITSLOTH by Elastic Security Labs, which made the discovery on June 25, 2024, in connection with a cyber attack targeting an unspecified Foreign Ministry of a South American government. The activity cluster is being tracked under the moniker REF8747.
“The most current iteration of the backdoor at the time of this publication has 35 handler functions including keylogging and screen capture capabilities,” security researchers Seth Goodwin and Daniel Stepanic said. “In addition, BITSLOTH contains many different features for discovery, enumeration, and command-line execution.”
It’s assessed that the tool – in development since December 2021 – is being used by the threat actors for data gathering purposes. It’s currently not clear who is behind it, although a source code analysis has uncovered logging functions and strings that suggest the authors could be Chinese speakers.
Another potential link to China comes from the use of an open-source tool called RingQ. RingQ is used to encrypt the malware and prevent detection by security software, which is then decrypted and executed directly in memory.
In June 2024, the AhnLab Security Intelligence Center’s (ASEC) revealed that vulnerable web servers are being exploited to drop web shells, which are then leveraged to deliver additional payloads, including a cryptocurrency miner via RingQ. The attacks were attributed to a Chinese-speaking threat actor.
The attack is also notable for the use of STOWAWAY to proxy encrypted C2 traffic over HTTP and a port forwarding utility called iox, the latter of which has been previously leveraged by a Chinese cyber espionage group dubbed Bronze Starlight (aka Emperor Dragonfly) in Cheerscrypt ransomware attacks.
BITSLOTH, which takes the form of a DLL file (“flengine.dll”), is loaded by means of DLL side-loading techniques by using a legitimate executable associated with Image-Line known as FL Studio (“fl.exe”).
“In the latest version, a new scheduling component was added by the developer to control specific times when BITSLOTH should operate in a victim environment,” the researchers said. “This is a feature we have observed in other modern malware families such as EAGERBEE.”
A fully-featured backdoor, BITSLOTH is capable of running and executing commands, uploading and downloading files, performing enumeration and discovery, and harvesting sensitive data through keylogging and screen capturing.
It can also set the communication mode to either HTTP or HTTPS, remove or reconfigure persistence, terminate arbitrary processes, log users off from the machine, restart or shutdown the system, and even update or delete itself from the host. A defining aspect of the malware is its use of BITS for C2.
“This medium is appealing to adversaries because many organizations still struggle to monitor BITS network traffic and detect unusual BITS jobs,” the researchers added.
Support Techcratic
If you find value in our blend of original insights (Techcratic articles and Techs Got To Eat), our up-to-date daily curated articles from top technical news sites, and the extensive technical work required to keep everything running smoothly, consider supporting Techcratic with Bitcoin. Your support helps me, as a solo operator, continue delivering high-quality content while managing all the technical aspects, from server maintenance to future updates and improvements. I am committed to continually enhancing the site and staying at the forefront of trends to provide the best possible experience. Your generosity and commitment are deeply appreciated. Thank you!
Bitcoin Address:
bc1qlszw7elx2qahjwvaryh0tkgg8y68enw30gpvge
Please verify this address before sending any funds to ensure your donation is directed correctly.
Bitcoin QR Code
Your support is crucial for me to continue delivering valuable content and managing the technical aspects of the Techcratic news site. By scanning the QR code below, you help me keep providing insightful articles and maintaining the essential server infrastructure. Your generosity is greatly appreciated and allows me to sustain and enhance my work.
Privacy and Security Disclaimer
- No Personal Information Collected: We do not collect any personal information or transaction details when you make a donation via Bitcoin. The Bitcoin address provided is used solely for receiving donations.
- Data Privacy: We do not store or process any personal data related to your Bitcoin transactions. All transactions are processed directly through the Bitcoin network, ensuring your privacy.
- Security Measures: We utilize industry-standard security practices to protect our Bitcoin address and ensure that your donations are received securely. However, we encourage you to exercise caution and verify the address before sending funds.
- Contact Us: If you have any concerns or questions about our donation process, please contact us via the Techcratic Contact form. We are here to assist you.
Disclaimer: As an Amazon Associate, Techcratic may earn from qualifying purchases.