Newly discovered cyber-espionage malware abuses Windows BITS service

New backdoor trojan uses Windows BITS service to hide traffic to and from its command-and-control servers.

Windows logo

Security researchers have found another instance of a malware strain abusing the Windows Background Intelligent Transfer Service (BITS).

The malware appears to be the work of a state-sponsored cyber-espionage group that researchers have been tracking for years under the name of Stealth Falcon.

The first and only report on this hacking group has been published in 2016 by Citizen Lab, a non-profit organization focusing on security and human rights.

According to the Citizen Lab report, the Stealth Falcon group has been in operation since 2012 and was seen targeting United Arab Emirates (UAE) dissidents. Previous tools included a very stealthy backdoor written in PowerShell.

New malware uses BITS as C&C communications channel

But in a report published today, security researchers from Slovak cyber-security firm ESET said they found a new tool, even stealthier than the first.

Its stealth features come from the fact that the malware uses the Windows BITS system to contact and talk to its command-and-control (C&C) server.

Windows BITS is the default system through which Microsoft sends Windows updates to users all over the world.

The BITS service works by detecting when the user is not using their network connection and using the downtime to download Windows updates. Other apps can also tap into the BITS system to download their own updates. For example, Mozilla is currently working on porting the Firefox update system to Windows BITS.

ESET named the strain they found Win32/StealthFalcon. They said this malware works as a basic backdoor that allows Stealth Falcon operators to download and run additional code on infected hosts, or to exfiltrate data to remote servers.

The research team said the Win32/StealthFalcon backdoor didn't communicate with its remote server via classic HTTP or HTTPS requests but hid C&C traffic inside BITS. Researchers believe this was done to bypass firewalls, as companies tend to ignore BITS traffic, knowing it most likely contains software updates, rather than anything malicious.

Obvious Stealth Falcon connections

ESET researchers said connecting this new backdoor to the rest of the Stealth Falcon group's activity was rather trivial.

For starters, the Win32/StealthFalcon backdoor -- which appears to have first been created back in 2015 -- used the same C&C server domains as the Powershell backdoor detailed in the 2016 Citizen Lab report.

"Both backdoors display significant similarities in code - although they are written in different languages, the underlying logic is preserved. Both use hardcoded identifiers (most probably campaign ID/target ID)," the ESET research team added.

"In both cases, all network communication from the compromised host is prefixed with these identifiers and encrypted with RC4 using a hardcoded key."

Links between Stealth Falcon and Project Raven

ESET did not reveal the circumstances in which they discovered the new Win32/StealthFalcon backdoor or the targets against who the backdoor was deployed.

However, ESET highlighted some recent discoveries in regards to the identity of the Stealth Falcon operators.

In their report, ESET researchers cited Amnesty International Senior Technologist Claudio Guarnieri, who claimed that the Stealth Falcon hacker group appears to be a private cyber-security contractor named DarkMater, detailed in a January 2019 Reuters report.

The Reuters article described Project Raven, an initiative allegedly employing former NSA operatives who were helping the UAE government track and hack dissidents -- aiming at the same types of targets as Stealth Falcon.

DarkMatter, the company at the center of the Reuters report, denied all accusations.

Not the first cyber-espionage group to (ab)use BITS

Stealth Falcon is not the first cyber-espionage group that has been observed abusing the BITS system to operate.

Other cases include two Chinese state-sponsored hacker grops known as TEMP.Periscope and Tropic Trooper (KeyBoy).

Non-espionage malware strains have also been seen abusing BITS over the past years. Miscreants include the Zlob.Q trojan, the UBoat remote access trojan, and the Rustock backdoor and Linkoptimizer trojan.

Although antivirus detection of BITS abuse has improved in recent years, malware operators will most likely see the benefits of abusing BITS for future operations. Its primary feature is BITS' ability to pause any malicious traffic if the user is using a workstation, operating only in downtime periods. This reduces the chance of human operator detection, altough the malware can still be detected by proper security solutions when it modifies local registries and other BITS settings or scheduled tasks.