New BITSLOTH backdoor uncovered, leverages BITS for C2 comms
Elastic Security Labs has identified a novel Windows backdoor referred to as "BITSLOTH." This malware leverages the Background Intelligent Transfer Service (BITS) for its command-and-control (C2) communications. The malware was discovered earlier this summer during an intrusion into the Foreign Ministry of a South American government, as part of activity tracked under REF8747.
BITSLOTH is described as a Windows backdoor that had not been publicly documented until now and seems to have been under development for several years. The latest version of the backdoor offers 35 handler functions, including capabilities such as keylogging and screen capture. It also includes commands for discovery, enumeration, and execution, aimed at gathering data from infected systems.
The capabilities of BITSLOTH are extensive. "BITSLOTH uses a built-in Microsoft feature, Background Intelligent Transfer Service (BITS) for command-and-control communication," the researchers explained. The malware contains numerous command handlers used for discovery, enumeration, execution, and collection purposes. It also has logging functions and strings which indicate that the developers are likely native Chinese speakers.
The malware was discovered during a specific intrusion on June 25. The attack was traced back to PSEXEC execution on one of the infected endpoints. Apart from BITSLOTH itself, the adversaries relied on publicly available tools, including RINGQ, IOX, STOWAWAY, GODPOTATO, NOPAC, MIMIKATZ, PPLFAULT, and CERTIFY. RINGQ was notably used to load IOX, a port forwarder, and STOWAWAY was used to proxy encrypted traffic to their C2 servers.
Following initial access, the attackers deployed BITSLOTH in the form of a DLL named "flengine.dll" inside the ProgramData directory. Subsequently, the music-making program FL Studio (fl.exe) was executed to facilitate the malware's operation. The side-loading technique involving a signed version of FL Studio was used to avoid detection.
The analysis shows that BITSLOTH has been in development since at least December 2021, with older samples demonstrating a record of development over several years. The terminology within the malware refers to clients as "Slaver" components and the C2 server as the "Master" component. Interestingly, the malware employs no significant obfuscation techniques around control flow or string encryption, making its analysis more straightforward.
BITSLOTH uses a hard-coded mutex to ensure only one instance is running at a time. Additionally, it adopts a traditional client/server architecture, embedding the IP and port of the C2 server in its configuration. The identified IP addresses associated with BITSLOTH include 216.238.121[.]132 and 45.116.13[.]178.
An interesting aspect of BITSLOTH is its use of BITS for C2 communications. The BITS API allows the creation, enumeration, and management of file transfer jobs, which BITSLOTH abuses to fly under the radar. The researchers noted that many organisations struggle to monitor BITS traffic, making it an attractive target for adversaries.
"Many organisations lack visibility into BITS network traffic making this an appealing target," the researchers stated. BITSLOTH masquerades its activities as legitimate BITS jobs, cancelling existing jobs with names like "WU Client Download" and "WU Client Upload" to operate from a clean slate.
Once running, BITSLOTH establishes persistence by creating new BITS download jobs with seemingly benign names and attaching command lines that execute the malware whenever the transfer state changes. Evidence shows this technique has allowed BITSLOTH to remain undetected and active for several years.
The detection rules and behaviour prevention events associated with BITSLOTH include persistence via BITS job notification command lines, accessing Local Security Authority Subsystem Service (LSASS), shellcode injection, and suspicious parent-child processes. Researchers have created YARA rules to aid in the detection of BITSLOTH, with specific indicators such as hashes and C2 IP addresses identified.
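As an added illustration of the kind of check defenders can run for the persistence technique and indicators described above (this is example code written for this page, not Elastic's detection logic or any sample from the report), the following PowerShell script enumerates the BITS jobs of all users on a host and flags any job that carries a notification command line or whose remote URLs reference the C2 addresses named in the article. It assumes the built-in BitsTransfer module is available and that it is run from an elevated prompt so that `-AllUsers` can see jobs owned by other accounts; the `$KnownC2` list is seeded with the two addresses from the article and is meant to be extended with your own indicators.

```powershell
# Added example for this page: audit BITS jobs for the persistence pattern
# described in the article. Requires the built-in BitsTransfer module and an
# elevated session so that -AllUsers returns jobs owned by other accounts.
Import-Module BitsTransfer

# C2 addresses named in the article; extend with your own indicator list.
$KnownC2 = @('216.238.121.132', '45.116.13.178')

function Get-SuspiciousBitsJob {
    [CmdletBinding()]
    param([string[]]$Indicators = $KnownC2)

    foreach ($job in Get-BitsTransfer -AllUsers) {
        $reasons = @()

        # A notification command line makes BITS launch a program when the
        # job changes state; legitimate jobs rarely need one, and it is the
        # mechanism the article describes for relaunching the backdoor.
        $cmdLine = ($job.NotifyCmdLine -join ' ').Trim()
        if ($cmdLine) {
            $reasons += "notify command line set: $cmdLine"
        }

        # Remote URLs that point at known C2 infrastructure.
        foreach ($file in $job.FileList) {
            foreach ($ioc in $Indicators) {
                if ($file.RemoteName -like "*$ioc*") {
                    $reasons += "remote URL matches indicator $ioc ($($file.RemoteName))"
                }
            }
        }

        if ($reasons.Count -gt 0) {
            [pscustomobject]@{
                JobId       = $job.JobId
                DisplayName = $job.DisplayName
                Owner       = $job.OwnerAccount
                State       = $job.JobState
                Created     = $job.CreationTime
                Reasons     = $reasons -join '; '
            }
        }
    }
}

# Usage: list flagged jobs; an empty result means nothing matched.
Get-SuspiciousBitsJob | Format-List
```

The same information can be cross-checked with `bitsadmin /list /allusers /verbose`, which prints each job's notification command line, and a flagged job's `JobId` and `Owner` are the values to pivot on when reviewing the Microsoft-Windows-Bits-Client operational event log for the process that created it.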
The discovery of BITSLOTH underlines the sophisticated methods threat actors employ to evade detection. The research team has highlighted the importance of monitoring BITS traffic to detect such covert activities. Elastic Security Labs continues to track and analyse BITSLOTH, contributing to the ongoing efforts to improve cybersecurity across organisations.