Cybersecurity researchers have found a new Windows backdoor that uses a built-in Windows feature, the Background Intelligent Transfer Service (BITS), as its command-and-control (C2) channel, letting attackers control the malware remotely. The backdoor, which has been named BITSLOTH, was discovered in connection with a cyber attack on a South American government’s Foreign Ministry.
The current version of BITSLOTH has 35 functions that allow it to capture screenshots and log keystrokes, as well as perform other tasks such as discovering devices on a network and executing commands. The malware also includes features for encrypting data using an open-source tool called RingQ and preventing detection by security software.
It is believed that the developers of BITSLOTH are Chinese speakers based on analysis of the malware’s code. Additionally, the use of RingQ to encrypt the malware and the presence of logging functions and strings suggest a connection to China.
Another link to China comes from the use of an open-source tool called STOWAWAY to proxy encrypted C2 traffic over HTTP, and of a port forwarding utility called iox, which has previously been used by a Chinese cyber espionage group.
BITSLOTH takes the form of a DLL file that is loaded by a legitimate executable from Image-Line, the maker of FL Studio. The malware can run commands, upload and download files, perform enumeration and discovery, and harvest sensitive data through keylogging and screen capturing.
It also has features for setting the communication mode to either HTTP or HTTPS, removing or reconfiguring persistence, terminating arbitrary processes, logging users off the machine, restarting or shutting down the system, and updating or deleting itself from the host. The defining aspect of the malware is its use of BITS for C2, which is appealing to attackers because many organizations struggle to monitor BITS network traffic and to detect unusual BITS jobs.
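Since the article's point is that unusual BITS jobs often go unnoticed, the following PowerShell is an added defender-side example (not code from the article or from the researchers) that lists every user's BITS jobs and flags those whose remote endpoints are off an allowlist, that carry a completion command line, or that upload data. It assumes an elevated session, the BitsJob properties exposed by `Get-BitsTransfer -AllUsers` (FileList, NotifyCmdLine, TransferType), and a placeholder allowlist you replace with your own.

```powershell
# Added example: triage BITS jobs on a host. Run from an elevated PowerShell session.
# The allowlist is a placeholder; populate it from the update and intranet hosts
# that legitimately use BITS in your environment.
$AllowedHosts = @('windowsupdate.com', 'microsoft.com', 'intranet.example')  # placeholder

function Test-AllowedHost {
    param([string]$Url)
    try { $h = ([System.Uri]$Url).Host } catch { return $false }   # malformed URL -> suspicious
    foreach ($a in $AllowedHosts) {
        if ($h -eq $a -or $h.EndsWith(".$a")) { return $true }
    }
    return $false
}

function Get-SuspiciousBitsJobs {
    foreach ($job in Get-BitsTransfer -AllUsers) {
        $reasons = @()
        # Any file whose remote side is not an allowlisted host is worth a look:
        # C2 over BITS has to point somewhere the attacker controls.
        foreach ($f in $job.FileList) {
            if (-not (Test-AllowedHost $f.RemoteName)) {
                $reasons += "remote endpoint not allowlisted: $($f.RemoteName)"
            }
        }
        # A command that BITS runs when the job finishes is a classic persistence hook.
        if ($job.NotifyCmdLine) {
            $reasons += "runs command on completion: $($job.NotifyCmdLine -join ' ')"
        }
        # Upload jobs move data off the host; most legitimate BITS use is download-only.
        if ($job.TransferType -in @('Upload', 'UploadReply')) {
            $reasons += 'upload job (possible exfiltration)'
        }
        if ($reasons.Count -gt 0) {
            [pscustomobject]@{
                JobId   = $job.JobId
                Name    = $job.DisplayName
                Owner   = $job.OwnerAccount
                State   = $job.JobState
                Created = $job.CreationTime
                Reasons = ($reasons -join '; ')
            }
        }
    }
}

Get-SuspiciousBitsJobs | Format-Table -AutoSize
```

Jobs owned by SYSTEM or by a service account that nonetheless reach an unknown host deserve the closest attention; cross-check the owner against the process that created the job via the BITS-Client operational event log.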
Source: https://thehackernews.com/2024/08/new-windows-backdoor-bitsloth-exploits.html