Newly discovered cyber-espionage malware abuses Windows BITS service

September 9, 2019
in Internet Security

Security researchers have found another instance of a malware strain abusing the Windows Background Intelligent Transfer Service (BITS).

The malware appears to be the work of a state-sponsored cyber-espionage group that researchers have been tracking for years under the name of Stealth Falcon.

The first and only report on this hacking group was published in 2016 by Citizen Lab, a non-profit organization focusing on security and human rights.

According to the Citizen Lab report, the Stealth Falcon group has been in operation since 2012 and was seen targeting United Arab Emirates (UAE) dissidents. Previous tools included a very stealthy backdoor written in PowerShell.

New malware uses BITS as C&C communications channel

But in a report published today, security researchers from Slovak cyber-security firm ESET said they found a new tool, even stealthier than the first.

Its stealth features come from the fact that the malware uses the Windows BITS system to contact and talk to its command-and-control (C&C) server.

Windows BITS is the default system through which Microsoft sends Windows updates to users all over the world.

The BITS service works by detecting when the user is not using their network connection and using the downtime to download Windows updates. Other apps can also tap into the BITS system to download their own updates. For example, Mozilla is currently working on porting the Firefox update system to Windows BITS.

ESET named the strain they found Win32/StealthFalcon. They said this malware works as a basic backdoor that allows Stealth Falcon operators to download and run additional code on infected hosts, or to exfiltrate data to remote servers.

The research team said the Win32/StealthFalcon backdoor didn’t communicate with its remote server via classic HTTP or HTTPS requests but hid C&C traffic inside BITS. Researchers believe this was done to bypass firewalls, as companies tend to ignore BITS traffic, knowing it most likely contains software updates, rather than anything malicious.

Obvious Stealth Falcon connections

ESET researchers said connecting this new backdoor to the rest of the Stealth Falcon group’s activity was rather trivial.

For starters, the Win32/StealthFalcon backdoor — which appears to have first been created back in 2015 — used the same C&C server domains as the PowerShell backdoor detailed in the 2016 Citizen Lab report.

“Both backdoors display significant similarities in code – although they are written in different languages, the underlying logic is preserved. Both use hardcoded identifiers (most probably campaign ID/target ID),” the ESET research team added.

“In both cases, all network communication from the compromised host is prefixed with these identifiers and encrypted with RC4 using a hardcoded key.”

Links between Stealth Falcon and Project Raven

ESET did not reveal the circumstances in which they discovered the new Win32/StealthFalcon backdoor or the targets against whom the backdoor was deployed.

However, ESET highlighted some recent discoveries in regards to the identity of the Stealth Falcon operators.

In their report, ESET researchers cited Amnesty International Senior Technologist Claudio Guarnieri, who claimed that the Stealth Falcon hacker group appears to be a private cyber-security contractor named DarkMatter, detailed in a January 2019 Reuters report.

The Reuters article described Project Raven, an initiative allegedly employing former NSA operatives who were helping the UAE government track and hack dissidents — aiming at the same types of targets as Stealth Falcon.

DarkMatter, the company at the center of the Reuters report, denied all accusations.

Not the first cyber-espionage group to (ab)use BITS

Stealth Falcon is not the first cyber-espionage group that has been observed abusing the BITS system to operate.

Other cases include two Chinese state-sponsored hacker groups known as TEMP.Periscope and Tropic Trooper (KeyBoy).

Non-espionage malware strains have also been seen abusing BITS over the past years. Examples include the Zlob.Q trojan, the UBoat remote access trojan, the Rustock backdoor, and the Linkoptimizer trojan.

Although antivirus detection of BITS abuse has improved in recent years, malware operators will most likely continue to see the benefits of abusing BITS in future operations. The main attraction is BITS' ability to pause any malicious traffic while the user is actively working on the workstation, operating only in downtime periods. This reduces the chance of detection by a human operator, although the malware can still be detected by proper security solutions when it modifies the local registry and other BITS settings or scheduled tasks.
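The detection angle above (a backdoor hiding C&C and exfiltration inside BITS jobs) can be turned into a host-side triage script. The following PowerShell is an added example, not code from ESET or the article; it assumes it runs as Administrator so that -AllUsers sees every account's jobs, and the allow-list of update hosts is a placeholder to be replaced with your own environment's legitimate sources.

```powershell
# Added example: triage the BITS job queue for traits that normal update traffic
# does not exhibit. Assumes Administrator rights (needed for -AllUsers) and that
# $AllowedHosts is replaced with the update hosts legitimately used in your estate.
Import-Module BitsTransfer

# Placeholder allow-list (assumption, not from the article).
$AllowedHosts = @('windowsupdate.com', 'update.microsoft.com', 'mozilla.org')

function Test-AllowedHost {
    param([string]$Url)
    try { $h = ([System.Uri]$Url).Host } catch { return $false }
    foreach ($a in $AllowedHosts) {
        if ($h -eq $a -or $h.EndsWith(".$a")) { return $true }
    }
    return $false
}

function Get-SuspiciousBitsJob {
    foreach ($job in Get-BitsTransfer -AllUsers) {
        $reasons = @()
        # A command line run when the transfer completes is how a fetched payload gets executed.
        if ($job.NotifyCmdLine) { $reasons += "NotifyCmdLine=$($job.NotifyCmdLine)" }
        # Uploads through BITS are unusual for update traffic but match the exfiltration use described.
        if ($job.TransferType -ne 'Download') { $reasons += "TransferType=$($job.TransferType)" }
        foreach ($f in $job.FileList) {
            # Remote endpoint outside the known update hosts.
            if (-not (Test-AllowedHost $f.RemoteName)) { $reasons += "RemoteName=$($f.RemoteName)" }
            # Payload landing in a user-writable temp path instead of an installer's own directory.
            if ($f.LocalName -match '\\Temp\\') { $reasons += "LocalName=$($f.LocalName)" }
        }
        if ($reasons.Count -gt 0) {
            [pscustomobject]@{
                JobId        = $job.JobId
                DisplayName  = $job.DisplayName
                OwnerAccount = $job.OwnerAccount
                JobState     = $job.JobState
                Created      = $job.CreationTime
                Reasons      = ($reasons -join '; ')
            }
        }
    }
}

Get-SuspiciousBitsJob | Format-List
```

The same traits can be hunted historically in the Microsoft-Windows-Bits-Client/Operational event log, which records the remote URL of each job even after the job has been completed and removed from the queue.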

Credit: Zdnet
