Researchers at Elastic Security Labs have identified a previously undocumented Windows backdoor, BITSLOTH, while investigating an intrusion into the Foreign Ministry of a South American government in June 2024 [6].

Description

The intrusion is tracked by Elastic as REF8747; that label identifies the incident, not the malware itself [7]. BITSLOTH uses the Background Intelligent Transfer Service (BITS) for command-and-control communication [1] [2] [3] [4] [5] [6] [7]. Because BITS is a built-in Windows service whose transfers run from a legitimate svchost.exe process and routinely fetch updates, the implant's jobs blend in with ordinary activity, which makes it difficult for organizations to single out the unusual network traffic [6].

BITSLOTH is a fully featured backdoor with keylogging and screen-capture capabilities; it can execute commands, upload and download files [6], perform enumeration [6], and harvest sensitive data [1] [6]. It can set its communication mode to HTTP or HTTPS, terminate processes [4] [5], log off users [4] [5], and update or delete itself from the host [4] [5]. Its command handlers cover command-line execution, scheduled tasks [1] [7], discovery [1] [2] [3] [4] [5] [6] [7], and data harvesting, which points to a sustained development effort [7]. Evidence in the samples suggests the malware has been under development since December 2021 [4].

On the compromised Foreign Ministry server [3] the backdoor was deployed by DLL side-loading: a legitimate executable from the FL Studio music software was staged on the host next to a malicious DLL that it loads [3]. The operators also used the open-source encryption tool RingQ and the STOWAWAY proxy, the latter to carry encrypted C2 traffic over HTTP; both tools are associated with Chinese-speaking threat actors who target vulnerable web servers. One of the cited reports links BITSLOTH to the Chinese cyber-espionage group Bronze Starlight [7]; the others stop at the tooling overlap, so that attribution should be treated as tentative. Taken together, the comprehensive feature set and the evasive tactics make BITSLOTH a significant threat [3].
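The point that matters for defenders is that BITS C2 looks like an update download. It is not invisible, though: every job is enumerable, and the BITS client writes an operational event (ID 59) with the remote URL for each transfer it starts. The following PowerShell triage script is an added example, not code from the cited reports or from Elastic's analysis. It lists live BITS jobs for all users and the historical event-59 records, and flags transfers whose remote host falls outside an allowlist or that carry a notification command line. The $AllowedHosts baseline is an assumption and has to be tuned to the hosts a given fleet legitimately pulls from.

```powershell
# Added triage example (not from the cited reports or from Elastic's analysis).
# Run in an elevated PowerShell session on the suspect Windows host.
# ASSUMPTION: $AllowedHosts is a placeholder baseline; replace it with the update,
# CDN and internal hosts your environment legitimately reaches via BITS.
Import-Module BitsTransfer

$AllowedHosts = @(
    'windowsupdate.com', 'microsoft.com', 'windows.com', 'msftconnecttest.com'
)

function Test-AllowedHost {
    # True when the URL's host is an allowlisted domain or a subdomain of one.
    param([string]$Url)
    try { $h = ([uri]$Url).Host.ToLowerInvariant() } catch { return $false }
    if (-not $h) { return $false }
    foreach ($a in $AllowedHosts) {
        if ($h -eq $a -or $h.EndsWith(".$a")) { return $true }
    }
    return $false
}

function New-Finding {
    param($Source, $When, $Job, $Owner, $Url, $Reason)
    [pscustomobject]@{
        Source = $Source; When = $When; Job = $Job
        Owner  = $Owner;  Url  = $Url;  Reason = $Reason
    }
}

$findings = @()

# 1. Live jobs for every user. An implant's C2 jobs are ordinary BITS jobs and
#    sit here next to update downloads; the destination is what gives them away.
foreach ($job in @(Get-BitsTransfer -AllUsers -ErrorAction SilentlyContinue)) {
    foreach ($file in @($job.FileList)) {
        $reasons  = @()
        $external = -not (Test-AllowedHost $file.RemoteName)
        if ($external) {
            # Upload/UploadReply to an unknown host is the BITS shape of exfiltration.
            $reasons += "$($job.TransferType) involving non-allowlisted host"
        }
        # A notification command line runs a program when the job finishes; update
        # jobs rarely set one, so it is a strong signal on its own.
        if ($job.NotifyCmdLine) {
            $reasons += "NotifyCmdLine: $($job.NotifyCmdLine -join ' ')"
        }
        if ($reasons.Count -gt 0) {
            $findings += New-Finding -Source 'LiveJob' -When $job.CreationTime `
                -Job "$($job.DisplayName) [$($job.JobState)]" -Owner $job.OwnerAccount `
                -Url $file.RemoteName -Reason ($reasons -join '; ')
        }
    }
}

# 2. Historical transfers. Event ID 59 in the BITS client operational channel
#    records the URL of every transfer the service started, and it survives the
#    job being completed or deleted, so it also catches jobs already cleaned up.
$filter = @{ LogName = 'Microsoft-Windows-Bits-Client/Operational'; Id = 59 }
foreach ($ev in @(Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue)) {
    if ($ev.Message -match 'https?://[^\s"'']+') {
        $url = $Matches[0]
        if (-not (Test-AllowedHost $url)) {
            $findings += New-Finding -Source 'Event59' -When $ev.TimeCreated `
                -Job '' -Owner '' -Url $url `
                -Reason 'historical transfer to non-allowlisted host'
        }
    }
}

$findings | Sort-Object Source, When | Format-Table -AutoSize
```

Cross-check the live-job view with `bitsadmin /list /allusers /verbose`, which prints the same jobs through a different interface, and treat any finding that combines an unknown host with a notification command line or a job owned by SYSTEM as a priority for full host triage rather than an item to tune away. Forward the operational channel to the SIEM so the event-59 check does not depend on reaching a host after the fact.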

Conclusion

The discovery of BITSLOTH underscores the need for comprehensive monitoring [2], threat detection [2], regular security updates [2], and patch management [2], particularly on the internet-facing web servers these operators target. Because the backdoor hides its command-and-control inside BITS, defenders should collect the BITS client operational log, inventory BITS jobs across all users, and alert on transfers to hosts that are not update or content-delivery infrastructure; because it is loaded by DLL side-loading, they should also alert on legitimate signed executables launching from unusual directories or loading DLLs that do not ship with them. Beyond that, security teams must strengthen endpoint security [1], monitor networks continuously, update systems [1], implement behavioral analysis [1], segment networks [1], and educate users to defend against BITSLOTH and similar threats [1]. The continuing contest between defenders and intrusion operators calls for a proactive, multi-layered approach to security [1].

References

[1] https://northerntribesecurity.blogspot.com/2024/08/stealthy-bitsloth-backdoor-exploits.html
[2] https://www.krofeksecurity.com/new-windows-backdoor-bitsloth-exploiting-bits-for-stealthy-communication/
[3] https://cyberpress.org/bitsloth-malware-bypasses-endpoints/
[4] https://thehackernews.com/2024/08/new-windows-backdoor-bitsloth-exploits.html
[5] https://vulners.com/thn/THN:7E5926DBD3D98743117430CF9F1AFC17
[6] https://cyber.vumetric.com/security-news/2024/08/02/new-windows-backdoor-bitsloth-exploits-bits-for-stealthy-communication/
[7] https://cybermaterial.com/new-bitsloth-backdoor-uses-bits-for-stealth/