August 2, 2024 at 07:00AM
Researchers have identified a new Windows backdoor, known as BITSLOTH, using the Background Intelligent Transfer Service for command-and-control. It’s used by threat actors for keylogging, screen capturing, and data gathering. The malware also utilizes an open-source tool called RingQ, with potential ties to Chinese speakers. The attack leverages various tactics, including proxying encrypted traffic and DLL side-loading.
From the meeting notes, it appears that a new malware strain called BITSLOTH has been discovered by cybersecurity researchers. This backdoor exploits a built-in Windows feature, Background Intelligent Transfer Service (BITS), as a command-and-control mechanism. The malware has various capabilities, including keylogging, screen capture, file manipulation, and communication over HTTP or HTTPS using BITS.
Additionally, there are potential links to a Chinese-speaking threat actor, as suggested by the use of Chinese language strings in the code and the deployment of open-source tool RingQ. The attack also involves the use of STOWAWAY for proxying encrypted C2 traffic over HTTP and an iox port forwarding utility.
The malware is loaded using DLL side-loading techniques by masquerading as a legitimate executable associated with FL Studio. It has the ability to elude detection and update or delete itself from the host. The medium of BITS for C2 communication is seen as advantageous for adversaries due to the difficulty in monitoring BITS network traffic within organizations.
The discovery of BITSLOTH is significant given its advanced capabilities and the challenge it presents in terms of detection and mitigation. This information provides valuable insights into the evolving landscape of cyber threats and the need for heightened vigilance and security measures.