The latest threat to Windows users has been discovered in the form of BITSLOTH, a sophisticated backdoor that leverages the Background Intelligent Transfer Service (BITS) for its command-and-control mechanism. Earlier this summer, the malware had been spotted during a detection of attempted intrusion into the Foreign Ministry of a South American government in the LATAM region, but has not been publicly documented and is believed to have been in development for several years.
The BITSLOTH backdoor, which has been in development for several years, contains 35 handler functions, including capabilities for keylogging, screen capturing, discovery, enumeration, and command-line execution. These features suggest the tool is designed for exfiltrating data from targets.
BITSLOTH Backdoor Capabilities and Features
The BITSLOTH intrusion was initially observed on June 25 during an incident response engagement. Researchers from Elastic Labs observed that the attackers had used a variety of publicly available tools for their operations, with BITSLOTH being the only custom malware component.
One of the primary forms of BITSLOTH execution was through the use of a program called ‘RINGQ’ intended for shellcode sideloading that can convert any WIndows executable file to generate custom shellcode after placing it into a text file, allowing the malware to bypass hash-based blocklists or static signature defenses in popular anti-malware programs.
The BITSLOTH malware has been under active development since at least December 2021, as evidenced by the discovery of older samples. The developer refers to the client component as the ‘Slaver’ and the C2 server as the ‘Master.’
One notable feature is the use of BITS for C2 communication. BITS is a Windows system administration feature that enables file transfers, and its typical association with software updates makes it appear as trusted traffic, often overlooked by security solutions.
BITSLOTH cancels any existing BITS jobs on the victim machine that match specific display names, such as ‘WU Client Download,’ to operate from a clean state. It then creates a new BITS download job with the name ‘Microsoft Windows,’ masquerading the malware as a harmless routine update.
When the BITS job state changes, BITSLOTH is executed through the SetNotifyCmdLine function, establishing persistence on the infected system. The malware then begins requesting instructions from the C2 server using the “WU Client Download” job, with the request URL containing the victim’s MAC address.
The BITSLOTH backdoor has 35 command handler functions, allowing the attackers to perform a wide range of activities, including running commands, uploading and downloading files, and collecting sensitive data through keylogging and screen capturing. The commands received from the C2 server are obfuscated using a single-byte XOR (0x2) before execution.
Persistence and Communication
BITSLOTH achieves persistence via the created BITS scheduled job named ‘Microsoft Windows‘, which sets the destination URL to a legitimate-looking domain. This unique toolmark allowed researchers to pivot to additional samples showing that the malware family had been in circulation for several years. The malware has been configured with several persistence capabilities to remain on systems after initial infection.
The request URL is generated by combining the MAC address with a hard-coded string, and in response, the malware receives a 12-byte structure containing a unique ID for the job, command ID for the handler, and a response token.
BITSLOTH presents a significant threat due to targets due to its stealthy nature and extensive capabilities, the researchers have shared a list of indicators of compromise to help organizations and entities in detecting potential intrusion of the BITSLOTH malware on systems and deployment of its backdoor.
