[BreachExchange] Newly discovered cyber-espionage malware abuses Windows BITS service

Destry Winant destry at riskbasedsecurity.com
Wed Sep 11 10:25:21 EDT 2019


Security researchers have found another instance of a malware strain
abusing the Windows Background Intelligent Transfer Service (BITS).

The malware appears to be the work of a state-sponsored
cyber-espionage group that researchers have been tracking for years
under the name of Stealth Falcon.

The first and only report on this hacking group has been published in
2016 by Citizen Lab, a non-profit organization focusing on security
and human rights.

According to the Citizen Lab report, the Stealth Falcon group has been
in operation since 2012 and was seen targeting United Arab Emirates
(UAE) dissidents. Previous tools included a very stealthy backdoor
written in PowerShell.


But in a report published today, security researchers from Slovak
cyber-security firm ESET said they found a new tool, even stealthier
than the first.

Its stealth features come from the fact that the malware uses the
Windows BITS system to contact and talk to its command-and-control
(C&C) server.

Windows BITS is the default system through which Microsoft sends
Windows updates to users all over the world.

The BITS service works by detecting when the user is not using their
network connection and using the downtime to download Windows updates.
Other apps can also tap into the BITS system to download their own
updates. For example, Mozilla is currently working on porting the
Firefox update system to Windows BITS.

ESET named the strain they found Win32/StealthFalcon. They said this
malware works as a basic backdoor that allows Stealth Falcon operators
to download and run additional code on infected hosts, or to
exfiltrate data to remote servers.

The research team said the Win32/StealthFalcon backdoor didn't
communicate with its remote server via classic HTTP or HTTPS requests
but hid C&C traffic inside BITS. Researchers believe this was done to
bypass firewalls, as companies tend to ignore BITS traffic, knowing it
most likely contains software updates, rather than anything malicious.


ESET researchers said connecting this new backdoor to the rest of the
Stealth Falcon group's activity was rather trivial.

For starters, the Win32/StealthFalcon backdoor -- which appears to
have first been created back in 2015 -- used the same C&C server
domains as the Powershell backdoor detailed in the 2016 Citizen Lab

"Both backdoors display significant similarities in code - although
they are written in different languages, the underlying logic is
preserved. Both use hardcoded identifiers (most probably campaign
ID/target ID)," the ESET research team added.

"In both cases, all network communication from the compromised host is
prefixed with these identifiers and encrypted with RC4 using a
hardcoded key."


ESET did not reveal the circumstances in which they discovered the new
Win32/StealthFalcon backdoor or the targets against who the backdoor
was deployed.

However, ESET highlighted some recent discoveries in regards to the
identity of the Stealth Falcon operators.

In their report, ESET researchers cited Amnesty International Senior
Technologist Claudio Guarnieri, who claimed that the Stealth Falcon
hacker group appears to be a private cyber-security contractor named
DarkMater, detailed in a January 2019 Reuters report.

The Reuters article described Project Raven, an initiative allegedly
employing former NSA operatives who were helping the UAE government
track and hack dissidents -- aiming at the same types of targets as
Stealth Falcon.

DarkMatter, the company at the center of the Reuters report, denied
all accusations.


Stealth Falcon is not the first cyber-espionage group that has been
observed abusing the BITS system to operate.

Other cases include two Chinese state-sponsored hacker grops known as
TEMP.Periscope and Tropic Trooper (KeyBoy).

Non-espionage malware strains have also been seen abusing BITS over
the past years. Miscreants include the Zlob.Q trojan, the UBoat remote
access trojan, and the Rustock backdoor and Linkoptimizer trojan.

Although antivirus detection of BITS abuse has improved in recent
years, malware operators will most likely see the benefits of abusing
BITS for future operations. Its primary feature is BITS' ability to
pause any malicious traffic if the user is using a workstation,
operating only in downtime periods. This reduces the chance of human
operator detection, altough the malware can still be detected by
proper security solutions when it modifies local registries and other
BITS settings or scheduled tasks.

More information about the BreachExchange mailing list