Elastic Security Labs has uncovered a new threat targeting Windows systems, known as “BITSLOTH.” This malicious software cleverly uses the Background Intelligent Transfer Service (BITS) for its command-and-control (C2) communications. The malware was detected earlier this summer during an intrusion into the Foreign Ministry of a South American government, part of an activity tracked under REF8747.
BITSLOTH is a sophisticated Windows backdoor that had not been publicly documented until now. It appears to have been under development for several years. The latest version includes 35 handler functions, enabling it to perform keylogging, screen capture, and various commands for discovering, enumerating, and executing tasks to collect data from infected systems.
“BITSLOTH leverages BITS, a built-in Microsoft feature, for command-and-control communication,” explained the researchers. The malware uses numerous command handlers for different purposes, including data discovery, enumeration, execution, and collection. Additionally, the malware’s logging functions and certain text strings suggest the developers are likely native Chinese speakers.
The malware was discovered during a specific intrusion on June 25. The attack was traced back to PSEXEC execution on one of the compromised endpoints. The attackers used publicly available tools like RINGQ, IOX, STOWAWAY, GODPOTATO, NOPAC, MIMIKATZ, PPLFAULT, and CERTIFY; BITSLOTH was the only novel component. RINGQ was used to load IOX, a port forwarder, and STOWAWAY to proxy encrypted traffic to their C2 servers.
Once they gained initial access, the attackers deployed BITSLOTH as a DLL named “flengine.dll” in the ProgramData directory. They then executed the music production software FL Studio (fl.exe) to activate the malware. Because FL Studio is a legitimately signed executable, side-loading the DLL through it let the malware run under a trusted parent process and avoid detection.
Analysis shows that BITSLOTH has been in development since at least December 2021, with older samples revealing continuous development. The malware uses terms like “Slaver” for clients and “Master” for the C2 server. Interestingly, BITSLOTH doesn’t use significant obfuscation techniques for control flow or string encryption, making it easier to analyze.
BITSLOTH uses a hard-coded mutex to ensure only one instance runs at any time. It follows a traditional client/server architecture, embedding the IP and port of the C2 server in its configuration. The identified IP addresses linked to BITSLOTH include 216.238.121[.]132 and 45.116.13[.]178.
A standout feature of BITSLOTH is its use of BITS for C2 communications. The BITS API allows the creation, enumeration, and management of file transfer jobs, which BITSLOTH manipulates to avoid detection. Researchers noted that many organizations struggle to monitor BITS traffic, making it an attractive method for attackers.
“Many organizations lack visibility into BITS network traffic, making this an appealing target,” the researchers stated. BITSLOTH disguises its activities as legitimate BITS jobs, canceling existing jobs with names like “WU Client Download” and “WU Client Upload” to operate from a clean slate.
Upon activation, BITSLOTH configures auto-start functionality by creating new BITS download jobs with seemingly benign names and attaching command lines to them that re-execute the malware whenever the transfer state changes. This technique has enabled BITSLOTH to remain undetected and active for several years.
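As an added hunting example (not from the Elastic Security Labs report or any tooling it describes), the script below enumerates BITS jobs for all users and flags the traits described above: a notification command line attached to a job, a display name that reuses the Windows Update-style names mentioned in the report, or a remote URL that points at a raw IP address. It uses the built-in BitsTransfer module and the Microsoft-Windows-Bits-Client/Operational event log; the `NotifyCmdLine` property on the returned job objects and the raw-IP heuristic are assumptions noted in the comments.

```powershell
# Added example: hunt for BITS jobs that look like BITS-based persistence or C2.
# Assumes the BitsTransfer module (Windows 8 / Server 2012 and later) exposes
# NotifyCmdLine on BitsJob objects; run from an elevated PowerShell session so
# that -AllUsers can see jobs owned by other accounts.
Import-Module BitsTransfer

# Display names the report says the malware cancels before creating its own jobs.
$suspectNames = @('WU Client Download', 'WU Client Upload')

function Get-SuspiciousBitsJob {
    [CmdletBinding()]
    param()

    Get-BitsTransfer -AllUsers | ForEach-Object {
        $job = $_
        $reasons = @()

        # A notification command line tells BITS to run a program when the transfer
        # state changes. Legitimate jobs almost never set one, so this is the key
        # persistence indicator. (Assumption: property is exposed as NotifyCmdLine.)
        if ($job.NotifyCmdLine -and ("$($job.NotifyCmdLine)".Trim() -ne '')) {
            $reasons += "NotifyCmdLine set: $($job.NotifyCmdLine)"
        }

        if ($suspectNames -contains $job.DisplayName) {
            $reasons += 'Display name mimics a Windows Update job'
        }

        # Heuristic (assumption, not from the report): download sources given as a
        # bare IP address rather than a hostname are unusual for legitimate software.
        foreach ($file in $job.FileList) {
            if ($file.RemoteName -match '^https?://\d{1,3}(\.\d{1,3}){3}') {
                $reasons += "Remote file uses a raw IP: $($file.RemoteName)"
            }
        }

        if ($reasons.Count -gt 0) {
            [PSCustomObject]@{
                JobId       = $job.JobId
                DisplayName = $job.DisplayName
                Owner       = $job.OwnerAccount
                State       = $job.JobState
                Reasons     = ($reasons -join '; ')
            }
        }
    }
}

# Corroborate with the BITS client log: event ID 3 records job creation and
# event ID 59 records the start of a URL download, both with job name and URL.
function Get-RecentBitsJobEvent {
    param([int]$Hours = 24)

    Get-WinEvent -FilterHashtable @{
        LogName   = 'Microsoft-Windows-Bits-Client/Operational'
        Id        = 3, 59
        StartTime = (Get-Date).AddHours(-$Hours)
    } -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, Message
}

Get-SuspiciousBitsJob | Format-Table -AutoSize
Get-RecentBitsJobEvent | Where-Object { $_.Message -match 'WU Client' } | Format-List
```

Jobs flagged only for a display name deserve a second look rather than an alert on their own, since the names are generic; a job with a notification command line pointing outside a Windows or vendor installation directory is the stronger signal and should be correlated with the parent-child process telemetry the detection rules below rely on.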
Detection rules and behavior prevention events associated with BITSLOTH include persistence via BITS job notification command lines, accessing Local Security Authority Subsystem Service (LSASS), shellcode injection, and suspicious parent-child processes. Researchers have developed YARA rules to assist in the detection of BITSLOTH, with specific indicators such as hashes and C2 IP addresses identified.
The discovery of BITSLOTH highlights the advanced techniques attackers use to avoid detection. The research team emphasizes the importance of monitoring BITS traffic to detect such covert activities. Elastic Security Labs continues to track and analyze BITSLOTH, contributing to ongoing efforts to enhance cybersecurity across organizations. Additionally, organizations are encouraged to implement robust monitoring systems and regularly update their defenses to mitigate the risks posed by advanced persistent threats like BITSLOTH.