The notorious Stealth Falcon cyberespionage group has adopted a new backdoor using the Windows Background Intelligent Transfer Service (BITS) in its ongoing spyware attacks against journalists, activists and dissidents in the Middle East.
According to researchers at ESET, attackers are exploiting the BITS “notification” feature in Windows. The feature lets attackers create a recurring task that downloads and installs malware, even after the original malware has been removed.
Stealth Falcon was first identified in 2012 as a cyberespionage group targeting political activists and journalists in the Middle East (and in January, Amnesty International said it believed that Stealth Falcon and a similar cyberespionage group named Project Raven were actually the same). In 2016, Citizen Lab outlined some of the group’s tactics and techniques, highlighting Stealth Falcon’s use of a booby-trapped Microsoft Word document that, if opened, delivered a malicious payload.
“The macro passes a Base64-encoded command to Windows PowerShell, which gathers system information via Windows Management Instrumentation (WMI), and attempts to determine the installed version of .NET by querying the registry,” according to Citizen Lab.
Stealth Falcon and BITS
A fresh look at Stealth Falcon by ESET reveals the group has once again evolved and is now using a new backdoor, identified as Win32/StealthFalcon, which leverages the standard Windows component BITS.
“BITS was designed to transfer large amounts of data without consuming a lot of network bandwidth, which it achieves by sending the data with throttled throughput so as not to affect the bandwidth needs of other applications,” described ESET. BITS is used by Windows Update and third-party software for application updates.
“This means that BITS tasks are more likely to be permitted by host-based firewalls,” they said.
Researchers note that BITS has advantages over similar tools used by adversaries. For starters, it uses a system’s COM interface for communicating to a command-and-control server (C2), making it harder for endpoint security software to identify the communications as malicious. Secondly, BITS communication can withstand a number of interruptions, such as a network outage, the user logging out of a system or a computer reboot.
“Because BITS adjusts the rate at which files are transferred based on the bandwidth available, the user has no reason for suspicion,” researchers wrote.
The way Win32/StealthFalcon works is that it schedules itself as a task running on each user login. It’s capable of handling basic commands such as data collection and exfiltration along with writing downloaded data to local files.
Another, not-so-well-understood evasion technique tied to Win32/StealthFalcon is a curious function that is executed before any malicious payload is started, according to ESET.
“It references 300+ imports, but does not use them at all. Instead, it always returns and continues with the payload afterward, without condition checks that would suggest it is an anti-emulation trick,” wrote researchers.
BITS Abuse Not Unique
The BITS service has a long history of abuse by attackers, dating back to 2007. Even today, BITS remains an attractive feature for hackers because the Windows component can retrieve or upload files using an application trusted by host firewalls.
BITS abuse is not exclusive to the Stealth Falcon group. Last year, Kaspersky researchers reported that the FruityArmor APT group – a Middle East-based cyberespionage gang – used it as a backdoor to communicate with C2 servers.
In 2016, Dell SecureWorks reported that the BITS feature was being abused by an attacker who was using it to infect targets with the DNSChanger malware called Zlob.Q. In that case, investigators noticed BITS activity, but since no malware was initially detected there were no red flags. Researchers said attackers used the cloak of BITS legitimacy to eventually download malware and infect the host.
Suggested mitigations for BITS abuse begin with awareness, researchers said. A number of security firms offer ways to search for malicious BITS “notification” tasks to help eliminate the problem. They also recommend that impacted parties restrict access to suspicious domains.
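As an added illustration of the hunting approach described above (not code from ESET or any of the firms named), the script below reviews BITS job records and flags jobs created by an unexpected process or transferring to a host outside an allowlist. The records, allowlist and field names are constructed for this example; they loosely mirror the Microsoft-Windows-Bits-Client/Operational events 3 (job created) and 59 (transfer started) rather than parsing real event XML, and the notification command line is not part of those events, so that check still needs the BITS API or bitsadmin.

```python
"""Hunt for suspicious BITS jobs in simplified Bits-Client log records."""
from urllib.parse import urlparse

# Hosts BITS is expected to contact (assumed allowlist; tune per estate).
ALLOWED_HOSTS = {"download.windowsupdate.com", "updates.example-vendor.com"}
# Processes that legitimately create BITS jobs (assumed; tune per estate).
EXPECTED_CREATORS = {r"c:\windows\system32\svchost.exe"}

# Constructed sample records, not real telemetry. Field names are our own:
# id 3 carries the creating process, id 59 carries the transfer URL.
EVENTS = [
    {"id": 3, "job": "{aaa}", "process": r"C:\Windows\System32\svchost.exe"},
    {"id": 59, "job": "{aaa}", "url": "http://download.windowsupdate.com/x.cab"},
    {"id": 3, "job": "{bbb}", "process": r"C:\Users\jdoe\AppData\Local\Temp\upd.exe"},
    {"id": 59, "job": "{bbb}", "url": "https://cdn.example.invalid/report.bin"},
    # A job created from a trusted process but talking to an unknown host:
    # the case where "no malware was detected" and only the URL stands out.
    {"id": 3, "job": "{ccc}", "process": r"C:\Windows\System32\svchost.exe"},
    {"id": 59, "job": "{ccc}", "url": "https://cdn.example.invalid/upload"},
]


def review_bits_jobs(events, allowed_hosts=ALLOWED_HOSTS,
                     expected_creators=EXPECTED_CREATORS):
    """Return {job_id: [reasons]} for jobs that deserve analyst attention."""
    findings = {}

    def flag(job, reason):
        findings.setdefault(job, []).append(reason)

    for ev in events:
        if ev["id"] == 3:
            # Job creation: who asked BITS to do the transfer?
            if ev["process"].lower() not in expected_creators:
                flag(ev["job"], f"created by unexpected process {ev['process']}")
        elif ev["id"] == 59:
            # Transfer start: where is the data going to or coming from?
            host = (urlparse(ev["url"]).hostname or "").lower()
            if host not in allowed_hosts:
                flag(ev["job"], f"transfer to non-allowlisted host {host}")
    return findings


if __name__ == "__main__":
    for job, reasons in review_bits_jobs(EVENTS).items():
        print(job, "->", "; ".join(reasons))
```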