BITSLOTH: The Invisible Cyber Spy at the Heart of your Operating System

Researchers warn that anomalous BITS activity is difficult to detect.

Security researchers at Elastic have discovered a new Windows malware family that uses the built-in Background Intelligent Transfer Service (BITS) as its command-and-control (C2) mechanism.

The backdoor, named BITSLOTH, was identified on June 25 this year during a cyber attack on an unnamed Ministry of Foreign Affairs of a South American country. Researchers track this activity cluster under the code name REF8747.

According to researchers Seth Goodwin and Daniel Stepanic, the current version of BITSLOTH includes 35 malicious functions, such as keylogging and screen capture. The program also has many capabilities for discovery, enumeration, and command-line execution.

The tool is believed to have been in development since December 2021 and to be used by the attackers for data collection. The exact origin of BITSLOTH has not yet been determined, but analysis of the source code points to possible Chinese-speaking authors.

Another possible link to China is the use of the open-source RingQ tool, which encrypts the malware so that it evades security controls; the payload is then decrypted and executed directly in memory.

In June 2024, the AhnLab Security Emergency Response Center (ASEC) reported that vulnerable web servers were being used to host web shells that deliver additional malware, including cryptominers, using RingQ. Those attacks were also attributed to Chinese-speaking attackers.

BITSLOTH attacks are also notable for using the STOWAWAY tool to proxy encrypted C2 traffic over HTTP, as well as the IOX port-forwarding utility, previously used by the Chinese cyber espionage group Bronze Starlight (also known as Emperor Dragonfly) in attacks involving the Cheerscrypt ransomware.

BITSLOTH is loaded through DLL side-loading, using a legitimate executable associated with the FL Studio program ("fl.exe"). In the latest version of BITSLOTH, the developers have added a new component that controls the malware's running time on an infected computer.

BITSLOTH is a full-featured backdoor with the ability to execute commands, upload and download files, perform discovery and collect data, including keylogging and screen capture. It can communicate over HTTP or HTTPS, modify or remove its persistence, terminate arbitrary processes, log users off, restart or shut down the system, and update or delete itself from the host.

Researchers note that abusing BITS is particularly attractive to attackers because many organizations still struggle to monitor BITS network traffic and to detect anomalous use of the service.
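As an added example (not code from the Elastic report or from this post), the PowerShell check below enumerates BITS jobs for every user on a host and flags those with traits that ordinary update traffic lacks: a completion command line, an upload rather than a download, or a remote host outside an allow-list. The allow-list and the function names are assumptions to adapt per environment.

```powershell
# Added example: hunt for BITS jobs that look unlike normal update traffic.
# Assumes an elevated PowerShell session (needed for -AllUsers) and the
# BitsTransfer module. The allow-list is a constructed placeholder; replace
# it with the download hosts your own environment is known to use.
Import-Module BitsTransfer

$AllowedHosts = @('*.windowsupdate.com', '*.microsoft.com')   # constructed placeholder

function Test-HostAllowed {
    param([string]$Url)
    try { $h = ([System.Uri]$Url).Host } catch { return $false }
    foreach ($pattern in $AllowedHosts) { if ($h -like $pattern) { return $true } }
    return $false
}

function Get-SuspiciousBitsJobs {
    # Without administrator rights only the caller's own jobs are returned.
    $jobs = Get-BitsTransfer -AllUsers -ErrorAction SilentlyContinue
    foreach ($job in $jobs) {
        $reasons = @()
        # A notification command line runs when the transfer finishes; legitimate
        # updaters rarely set one, so its presence deserves review.
        if ($job.NotifyCmdLine) { $reasons += "NotifyCmdLine: $($job.NotifyCmdLine)" }
        # Upload jobs move data off the host; most benign BITS use is download-only.
        if ($job.TransferType -ne 'Download') { $reasons += "TransferType: $($job.TransferType)" }
        foreach ($file in $job.FileList) {
            if (-not (Test-HostAllowed $file.RemoteName)) { $reasons += "Remote: $($file.RemoteName)" }
        }
        if ($reasons.Count -gt 0) {
            [pscustomobject]@{
                JobId   = $job.JobId
                Owner   = $job.OwnerAccount
                Name    = $job.DisplayName
                State   = $job.JobState
                Created = $job.CreationTime
                Reasons = ($reasons -join '; ')
            }
        }
    }
}

Get-SuspiciousBitsJobs | Format-List
```

The same job metadata is also written to the Microsoft-Windows-Bits-Client/Operational event log, which is the channel to forward to a SIEM for retrospective detection of jobs that have already completed.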
