Newly Discovered Cyber-Espionage Malware Abuses Windows BITS Service

ZDNet reported earlier today that security researchers have found another instance of a malware strain abusing the Windows Background Intelligent Transfer Service (BITS).

The malware appears to be the work of a state-sponsored cyber-espionage group that researchers have been tracking for years under the name of Stealth Falcon.

The first and only report on this hacking group was published in 2016 by Citizen Lab, a non-profit organization focusing on security and human rights.

According to the Citizen Lab report, the Stealth Falcon group has been in operation since 2012 and was seen targeting United Arab Emirates (UAE) dissidents. Previous tools included a very stealthy backdoor written in PowerShell.


EXPERTS COMMENTS
Richard Bejtlich, Principal Security Strategist, Corelight
September 10, 2019
As with most nefarious activity these days, HTTPS remains the difficult case.
As noted in the story by Catalin Cimpanu, other threat groups have conducted command-and-control using Microsoft's Background Intelligent Transfer Service (BITS) for several years, and intruders have discussed the capability to do so for over ten years. BITS is an interesting protocol in that it can use clear-text HTTP, encrypted HTTPS, or Microsoft's own Server Message Block (SMB) protocol. Intru ....