Researchers have discovered a new piece of malware that creates a backdoor by abusing the Windows BITS service to hide the traffic it sends to and receives from the operator's command and control servers. This is not the first time researchers have found malware designed to abuse BITS; the earliest known case dates back to 2015, possibly earlier. The malware appears to be used by a state-sponsored cyber espionage group named Stealth Falcon. More on the group, and on the links between it and the malware, follows below.
In a report published by the Slovak security firm ESET, details of the new malware are laid out. Researchers have named it Win32/StealthFalcon and believe it is stealthier than the tools previously known to be employed by the group. As noted above, much of the malware's stealth comes from its abuse of BITS. BITS, the Background Intelligent Transfer Service, was introduced with Windows XP and has shipped with every version of Windows since. It transfers files between machines using idle network bandwidth, throttling itself whenever the user's own applications need the network. Windows Update relies on it to download updates, and many third-party applications use it for the same purpose so that their downloads do not compete with the user for bandwidth.
In Stealth Falcon's hands the malware creates a backdoor on a target's machine, which can then be used to run additional code and to exfiltrate data to servers controlled by the group. Historically this kind of communication was done through the malware's own HTTP or HTTPS connections; Win32/StealthFalcon instead hands the transfers to BITS, which carries them over HTTP or HTTPS on the malware's behalf from the service's own host process. The reason is that most organisations closely monitor the HTTP and HTTPS requests made by applications, but often ignore BITS traffic on the assumption, now shown to be wrong, that the service is used only for updates.
In practice this means the traffic between the infected machine and Stealth Falcon's servers blends in with legitimate update traffic and can pass through firewall rules and monitoring that focus on connections made directly by applications. BITS also persists transfers: a job automatically resumes if the victim logs out or reboots, so the operator does not need the malware to stay running to finish a transfer. Further, the service is designed to consume only idle bandwidth, so the victim is unlikely to notice a slowdown or anything else suspicious.
The malware's stealth is further boosted by a built-in safeguard: if no communication with Stealth Falcon's servers can be achieved, the backdoor removes itself after a set number of failed attempts. According to ESET, the malware's functionality is as follows:
“Win32/StealthFalcon is a DLL file which, after execution, schedules itself as a task running on each user login. It only supports basic commands but displays a systematic approach to data collection, data exfiltration, employing further malicious tools, and updating its configuration…Furthermore, Win32/StealthFalcon collects files and prepares them for exfiltration by storing an encrypted copy with a hardcoded prefix in a temporary folder. It then regularly checks for such files and exfiltrates them automatically. After the files have been successfully exfiltrated, the malware safe-deletes all log files and collected files – before deleting the files, it rewrites them with random data – to prevent forensic analysis and recovery of the deleted data.”
Infamous and Obvious
The earliest mention of Stealth Falcon dates back to 2012, and the group has been seen actively targeting political activists and journalists in the Middle East. Much of what is known about the group comes from the work of the non-profit organisation Citizen Lab and a report it published in 2016. The group is believed to include former NSA employees working for a private corporation thought to have links to the United Arab Emirates government. Stealth Falcon's mandate appears to be tracking and gathering information on journalists and political dissidents.
The links between the malware previously used by Stealth Falcon and the new backdoor appear to be clear. According to ESET, Win32/StealthFalcon seems to have been developed in 2015. Further, the BITS backdoor uses the same command and control servers as the PowerShell backdoor detailed in the 2016 Citizen Lab report. The research team also noted that:
“Both backdoors display significant similarities in code - although they are written in different languages, the underlying logic is preserved. Both use hardcoded identifiers (most probably campaign ID/target ID)… In both cases, all network communication from the compromised host is prefixed with these identifiers and encrypted with RC4 using a hardcoded key.”
These similarities and the shared infrastructure are helping researchers tie Stealth Falcon to Project Raven. According to a Reuters article, Amnesty International Senior Technologist Claudio Guarnieri said that Stealth Falcon's operators are linked to DarkMatter, a private cybersecurity contractor. The same article described Project Raven, an initiative that allegedly employed former NSA operatives to help the UAE government track and hack dissidents, the very targets Stealth Falcon appears mandated to pursue.
Abuse of BITS is not new, but it remains rare compared with tried and tested methods. That is not to say anti-virus vendors have ignored it; many products have improved their ability to detect malware that exploits the service. Nor does it mean we will not see further abuse of BITS by other malware developers, since the service by its nature gives a victim little chance of noticing anything suspicious. Security software can still catch the malware when it modifies the registry, changes BITS settings, or creates scheduled tasks; but when BITS itself is the channel, detecting the network side remains a challenge.
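One practical check, added here as an example and not part of ESET's report or of the malware itself, is to review the BITS job history that Windows keeps in the Microsoft-Windows-Bits-Client/Operational event log. Events 59 and 60 record the job name and URL each time a transfer starts or stops, so a job that repeatedly contacts a host outside an allowlist of known update servers, as the backdoor described above would, stands out even though the traffic itself looks like any other BITS transfer. The Python below runs that logic over a handful of constructed log lines in a pipe-delimited `timestamp|event id|user|message` layout; the layout, the allowlist, the job names and the `example-c2.invalid` host are all assumptions made for the demonstration, and the event wording is approximated from typical exports, so adjust the regex to your own export format.

```python
import re
from urllib.parse import urlsplit

# Hosts that legitimately receive BITS jobs in this (hypothetical) environment.
# Windows Update and Microsoft delivery hosts are the obvious entries; add your
# own vendors' update servers. Matching is by domain suffix so sub-domains match.
ALLOWED_HOST_SUFFIXES = (
    "windowsupdate.com",
    "update.microsoft.com",
    "download.microsoft.com",
    "delivery.mp.microsoft.com",
)

# Job name and URL as they appear in the text of Bits-Client/Operational events
# 59 ("BITS started the <job> transfer job that is associated with the <url> URL")
# and 60 ("BITS stopped transferring the <job> transfer job ..."). The wording is
# approximated from typical exports; adjust it to match your own.
MESSAGE_RE = re.compile(
    r"BITS (?P<verb>started|stopped transferring) the (?P<job>.+?) transfer job "
    r"that is associated with the (?P<url>\S+) URL"
)

# Constructed sample export (timestamp|event id|user|message). The first three
# lines are ordinary update traffic; the SyncJob lines model a backdoor pushing
# data to an unfamiliar host and coming back half an hour later for more.
SAMPLE_LOG = [
    "2019-09-10T08:12:01Z|59|NT AUTHORITY\\SYSTEM|BITS started the Windows Update transfer job that is associated with the http://download.windowsupdate.com/d/msdownload/update/software/secu/2019/09/windows10.0-kb4515384-x64.cab URL.",
    "2019-09-10T08:12:40Z|60|NT AUTHORITY\\SYSTEM|BITS stopped transferring the Windows Update transfer job that is associated with the http://download.windowsupdate.com/d/msdownload/update/software/secu/2019/09/windows10.0-kb4515384-x64.cab URL. The status code is 0x0.",
    "2019-09-10T08:15:03Z|59|CORP\\jdoe|BITS started the Microsoft Edge Update transfer job that is associated with the https://msedge.b.tlu.dl.delivery.mp.microsoft.com/filestreamingservice/files/abc URL.",
    "2019-09-10T08:20:17Z|59|CORP\\jdoe|BITS started the SyncJob transfer job that is associated with the https://example-c2.invalid/upload/AB12 URL.",
    "2019-09-10T08:20:19Z|60|CORP\\jdoe|BITS stopped transferring the SyncJob transfer job that is associated with the https://example-c2.invalid/upload/AB12 URL. The status code is 0x0.",
    "2019-09-10T08:50:17Z|59|CORP\\jdoe|BITS started the SyncJob transfer job that is associated with the https://example-c2.invalid/upload/AB13 URL.",
]


def host_of(url):
    """Lower-cased host name from a URL, or '' if the URL has none."""
    return (urlsplit(url).hostname or "").lower()


def host_allowed(url):
    """True if the URL's host is, or sits under, one of the allowlisted domains."""
    host = host_of(url)
    return any(host == s or host.endswith("." + s) for s in ALLOWED_HOST_SUFFIXES)


def parse_event(line):
    """Parse one exported line into a dict, or return None for anything that is
    not a BITS start/stop event in the expected layout."""
    parts = line.rstrip("\r\n").split("|", 3)
    if len(parts) != 4:
        return None
    ts, event_id, user, message = parts
    if not event_id.isdigit():
        return None
    m = MESSAGE_RE.search(message)
    if not m:
        return None
    return {
        "ts": ts,
        "id": int(event_id),
        "user": user,
        "started": m.group("verb") == "started",
        "job": m.group("job"),
        "url": m.group("url"),
    }


def find_suspicious_jobs(lines):
    """Group events by (user, job name) and return the groups that contacted any
    host outside the allowlist, oldest first. Each record carries the hosts and
    URLs seen, the time span, and how many times the job was (re)started."""
    jobs = {}
    for line in lines:
        ev = parse_event(line)
        if ev is None or host_allowed(ev["url"]):
            continue
        rec = jobs.setdefault((ev["user"], ev["job"]), {
            "user": ev["user"], "job": ev["job"],
            "hosts": set(), "urls": set(),
            "first_seen": ev["ts"], "last_seen": ev["ts"],
            "events": 0, "starts": 0,
        })
        rec["hosts"].add(host_of(ev["url"]))
        rec["urls"].add(ev["url"])
        # ISO-8601 UTC timestamps compare correctly as plain strings.
        rec["first_seen"] = min(rec["first_seen"], ev["ts"])
        rec["last_seen"] = max(rec["last_seen"], ev["ts"])
        rec["events"] += 1
        rec["starts"] += int(ev["started"])
    return sorted(jobs.values(), key=lambda r: r["first_seen"])


if __name__ == "__main__":
    for rec in find_suspicious_jobs(SAMPLE_LOG):
        print(f"{rec['user']} job {rec['job']!r}: {rec['starts']} start(s), "
              f"{rec['events']} event(s) between {rec['first_seen']} and "
              f"{rec['last_seen']} to {sorted(rec['hosts'])}")
```

On a live machine the same review can be done against current jobs rather than the log with `Get-BitsTransfer -AllUsers` in an elevated PowerShell session, which lists every user's jobs; a job whose files point at an unfamiliar host, or whose name matches no updater you recognise, deserves a closer look. Repeated starts of the same job to the same host with changing paths, as in the sample, is the beacon-like pattern to watch for, and it survives reboots precisely because BITS resumes jobs on the malware's behalf.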