[BreachExchange] Hackers Exploit Windows BITS Feature To Launch Malware Attack

Destry Winant destry at riskbasedsecurity.com
Thu Apr 8 10:50:45 EDT 2021


https://www.ehackingnews.com/2021/04/hackers-exploit-windows-bits-feature-to.html

Microsoft introduced BITS (Background Intelligent Transfer Service)
in Windows XP to coordinate and simplify uploading and downloading
large files. System and application components, notably Windows
Update, use BITS to deliver application and OS updates with minimal
user disruption. Applications interact with BITS by creating jobs
that contain one or more files to download or upload. BITS runs as a
service and can carry out transfers at any time. A local database
stores file, state and job information.

How do hackers exploit BITS?

BITS, like any other technology, is used by legitimate applications
and abused by attackers. When a malicious application creates a BITS
job, the files are uploaded and downloaded in the context of the
service host process. This helps attackers evade firewall rules that
might block suspicious or unusual activity, because the application
that requested the transfer is hidden behind the service. In
addition, BITS transfers can be scheduled for later, so they take
place at given times without the attacker having to rely on the task
scheduler or on long-running processes.

BITS transfers are asynchronous, so the application that created a
job may no longer be running when the requested transfers complete.
To handle this, BITS jobs can be created with a user-specified
notification command, which runs when the job completes or encounters
an error. A BITS job carrying such a notification command can launch
any command or executable. Attackers have exploited this feature as a
technique for repeatedly launching malicious applications.

The command data for BITS jobs is stored in a database rather than in
the traditional registry locations, which helps attackers because
tools that look for persistent executables or commands in the usual
places may overlook it. BITS jobs can be created with the bitsadmin
command-line tool or via API functions. Cybersecurity firm FireEye
reports, "the Background Intelligent Transfer Service continues to
provide utility to applications and attackers alike. The BITS QMGR
database can present a useful source of data in an investigation or
hunting operation. BitsParser may be utilized with other forensic
tools to develop a detailed view of attacker activity."
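The two points above (a notification command that runs an arbitrary executable, and job data that registry-focused persistence checks never see) suggest hunting directly over the job list. The script below is an added example, not code from the original post, from FireEye or from BitsParser: it parses the text that `bitsadmin /list /allusers /verbose` prints and flags jobs that carry a notification command or that drop an executable into a user-writable directory. The sample listing embedded in it is constructed to approximate bitsadmin's verbose layout; the exact field labels are an assumption, so compare them with the output of the bitsadmin build you run and adjust LABEL_RE if they differ.

```python
"""Hunt for suspicious BITS jobs in `bitsadmin /list /allusers /verbose` output.

Added example, not code from the original post or from FireEye. The sample
text below is constructed to approximate bitsadmin's verbose listing; the
field labels are assumptions, so check them against the output of the
bitsadmin build you run and adjust LABEL_RE if they differ.
"""
import re
from dataclasses import dataclass, field
from typing import List, Tuple

# Constructed sample (not real bitsadmin output): one job that looks like a
# normal Windows Update download and one that carries a notification command
# pointing at an executable dropped into a user's Temp directory.
SAMPLE_OUTPUT = """\
GUID: {11111111-2222-3333-4444-555555555555} DISPLAY: WU Client Download
TYPE: DOWNLOAD STATE: TRANSFERRED OWNER: NT AUTHORITY\\SYSTEM
PRIORITY: NORMAL FILES: 1 / 1 BYTES: 52400 / 52400
NOTIFICATION COMMAND LINE: none
NOTIFY FLAGS: 0
http://example.invalid/update.cab -> C:\\Windows\\SoftwareDistribution\\Download\\update.cab

GUID: {AAAAAAAA-BBBB-CCCC-DDDD-EEEEEEEEEEEE} DISPLAY: sync
TYPE: DOWNLOAD STATE: TRANSFERRED OWNER: WORKSTATION\\alice
PRIORITY: NORMAL FILES: 1 / 1 BYTES: 1024 / 1024
NOTIFICATION COMMAND LINE: C:\\Users\\alice\\AppData\\Local\\Temp\\svc.exe
NOTIFY FLAGS: 3
http://example.invalid/x.bin -> C:\\Users\\alice\\AppData\\Local\\Temp\\svc.exe
"""

# "LABEL: value" pairs; several pairs may share one line, so a value runs
# until the next upper-case label (preceded by a space) or the end of the line.
LABEL_RE = re.compile(r"(?:^| )([A-Z][A-Z ]+): (.*?)(?=(?: [A-Z][A-Z ]+: )|$)")
# Directories an unprivileged user can write to; a notification command or a
# download target under one of these deserves a second look.
USER_WRITABLE_RE = re.compile(r"\\(users|appdata|temp|programdata|public)\\", re.I)
EXEC_SUFFIXES = (".exe", ".dll", ".ps1", ".bat", ".cmd", ".vbs", ".js")


@dataclass
class BitsJob:
    guid: str = ""
    display: str = ""
    owner: str = ""
    notify_cmd: str = ""  # empty when the job has no notification command
    transfers: List[Tuple[str, str]] = field(default_factory=list)  # (remote, local)


def parse_jobs(text: str) -> List[BitsJob]:
    """Split the listing into per-job blocks and pull out the fields we hunt on."""
    jobs = []
    for block in re.split(r"\n\s*\n", text.strip()):
        if not block.strip():
            continue
        job = BitsJob()
        for line in block.splitlines():
            if " -> " in line:  # a file entry: remote URL -> local path
                remote, local = line.split(" -> ", 1)
                job.transfers.append((remote.strip(), local.strip()))
                continue
            for label, value in LABEL_RE.findall(line):
                value = value.strip()
                if label == "GUID":
                    job.guid = value
                elif label == "DISPLAY":
                    job.display = value
                elif label == "OWNER":
                    job.owner = value
                elif label == "NOTIFICATION COMMAND LINE":
                    job.notify_cmd = "" if value.lower() in ("", "none") else value
        jobs.append(job)
    return jobs


def hunt(text: str) -> List[Tuple[str, List[str]]]:
    """Return (guid, reasons) for every job showing a persistence-style pattern."""
    findings = []
    for job in parse_jobs(text):
        reasons = []
        if job.notify_cmd:
            reasons.append(f"notification command set: {job.notify_cmd}")
            if USER_WRITABLE_RE.search(job.notify_cmd):
                reasons.append("notification command lives under a user-writable path")
        for _remote, local in job.transfers:
            if local.lower().endswith(EXEC_SUFFIXES) and USER_WRITABLE_RE.search(local):
                reasons.append(f"executable written to user-writable path: {local}")
        if reasons:
            findings.append((job.guid, reasons))
    return findings


if __name__ == "__main__":
    # Replace SAMPLE_OUTPUT with the captured output of
    # `bitsadmin /list /allusers /verbose` to run this against a live host.
    for guid, reasons in hunt(SAMPLE_OUTPUT):
        print(guid)
        for reason in reasons:
            print("  -", reason)
```

Because the job list comes from the BITS service itself rather than from Run keys or scheduled tasks, this check complements the usual autoruns-style review; pair it with the QMGR database parsing FireEye describes when the service state on a compromised host cannot be trusted.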
