ZDNet reported earlier today that security researchers have found another instance of a malware strain abusing the Windows Background Intelligent Transfer Service (BITS).
The malware appears to be the work of a state-sponsored cyber-espionage group that researchers have been tracking for years under the name of Stealth Falcon.
The first and only report on this hacking group was published in 2016 by Citizen Lab, a non-profit organization focusing on security and human rights.
According to the Citizen Lab report, the Stealth Falcon group has been in operation since 2012 and was seen targeting United Arab Emirates (UAE) dissidents. Previous tools included a very stealthy backdoor written in PowerShell.
As noted in the story by Catalin Cimpanu, other threat groups have conducted command-and-control using Microsoft's Background Intelligent Transfer Service (BITS) for several years, and intruders have discussed the capability to do so for over ten years. BITS is an interesting protocol in that it can use clear-text HTTP, encrypted HTTPS, or Microsoft's own Server Message Block (SMB) protocol. Intruders who use HTTP or SMB are fairly easy to find. Clear-text HTTP can be observed and interpreted directly, while enterprise networks should rarely allow SMB beyond their gateways, as it is generally considered an "intranet" protocol. As with most nefarious activity these days, HTTPS remains the difficult case. Recognizing abuse of the protocol as a transport mechanism requires gathering high-fidelity network security monitoring data, paired with threat intelligence.
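To make the three cases above concrete, here is an added example (my own code, not from ZDNet, Citizen Lab, or the original post) that triages BITS transport abuse from network security monitoring data. It assumes Zeek-style tab-separated `http.log` and `conn.log` records with a header row, that the Windows BITS client identifies itself with a `User-Agent` beginning `Microsoft BITS/` (an assumption about the client, not something the post states), that RFC 1918 ranges are "internal", and a constructed placeholder indicator set standing in for real threat intelligence. The log lines and indicators are constructed samples, not captured traffic or real IoCs. Clear-text BITS over HTTP is flagged by its user agent when the destination is outside the enterprise, SMB leaving the gateway is flagged by port or service, and the HTTPS case, which the post notes cannot be interpreted directly, is only surfaced when the destination matches the intelligence feed.

```python
"""Added example: triage of BITS transport abuse over constructed Zeek-style logs."""
import ipaddress

# Constructed sample records (Zeek-style TSV with a header row); not real traffic.
HTTP_LOG = """\
ts\tuid\tid.orig_h\tid.resp_h\tid.resp_p\thost\tuser_agent\tmethod\turi
1568000001.1\tC1\t10.0.0.5\t203.0.113.10\t80\tupdates.example.net\tMicrosoft BITS/7.8\tGET\t/stage.bin
1568000002.2\tC2\t10.0.0.5\t10.0.0.20\t80\twsus.corp.example\tMicrosoft BITS/7.8\tGET\t/Content/abc.cab
1568000003.3\tC3\t10.0.0.7\t203.0.113.11\t80\twww.example.com\tMozilla/5.0\tGET\t/index.html
"""

CONN_LOG = """\
ts\tuid\tid.orig_h\tid.resp_h\tid.resp_p\tproto\tservice
1568000004.4\tC4\t10.0.0.5\t10.0.0.30\t445\ttcp\tsmb
1568000005.5\tC5\t10.0.0.9\t198.51.100.7\t445\ttcp\tsmb
1568000006.6\tC6\t10.0.0.9\t198.51.100.7\t443\ttcp\tssl
"""

# Placeholder threat-intelligence indicators (constructed, not real IoCs).
INDICATORS = {"198.51.100.7", "c2.invalid"}

# Assumption: RFC 1918 space is the enterprise "intranet"; everything else is egress.
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Assumption: the BITS client announces itself with this User-Agent prefix.
BITS_UA_PREFIX = "Microsoft BITS/"


def parse_tsv(text):
    """Turn a header-prefixed TSV log into a list of dicts keyed by column name."""
    lines = [line for line in text.splitlines() if line.strip()]
    header = lines[0].split("\t")
    return [dict(zip(header, line.split("\t"))) for line in lines[1:]]


def is_internal(ip):
    """True when the address falls inside one of the internal ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def find_bits_http_egress(http_records):
    """Clear-text BITS, recognisable from its User-Agent, talking to an external host."""
    return [r["uid"] for r in http_records
            if r["user_agent"].startswith(BITS_UA_PREFIX)
            and not is_internal(r["id.resp_h"])]


def find_smb_egress(conn_records):
    """SMB leaving the gateway, which an enterprise should rarely permit."""
    return [r["uid"] for r in conn_records
            if (r["id.resp_p"] == "445" or r["service"] == "smb")
            and not is_internal(r["id.resp_h"])]


def find_intel_hits(conn_records, indicators):
    """Connections (including opaque TLS ones) whose destination matches intel."""
    return [r["uid"] for r in conn_records if r["id.resp_h"] in indicators]


def triage(http_text, conn_text, indicators):
    """Run all three checks and return the matching connection uids per category."""
    http_records = parse_tsv(http_text)
    conn_records = parse_tsv(conn_text)
    return {
        "bits_http_egress": find_bits_http_egress(http_records),
        "smb_egress": find_smb_egress(conn_records),
        "intel_hits": find_intel_hits(conn_records, indicators),
    }


if __name__ == "__main__":
    for category, uids in triage(HTTP_LOG, CONN_LOG, INDICATORS).items():
        print(f"{category}: {uids}")
```

On the constructed sample, only `C1` (BITS over clear-text HTTP to an external address) and `C5` (SMB to an external address) are caught by protocol observation alone; the TLS connection `C6` to the same external host is invisible to content inspection and only surfaces because its destination appears in the indicator set, which is the pairing of monitoring data with threat intelligence the post calls for.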