Researchers have identified BITSLOTH, a newly documented Windows backdoor that abuses the Background Intelligent Transfer Service (BITS) for covert command-and-control (C2) communication.
The previously undocumented malware, with roots tracing back several years, was discovered in a recent LATAM intrusion.
Equipped with extensive capabilities, including keylogging, screen capture, and system reconnaissance, BITSLOTH is designed to exfiltrate sensitive data, while evidence suggests Chinese-speaking threat actors are behind this evolving threat.
Attackers compromised a South American Foreign Ministry server on June 25th using a multi-stage attack.
The intrusion began with PSEXEC for remote execution. RINGQ was then used to load payloads directly in memory, bypassing file-based defenses, IOX provided port forwarding, and STOWAWAY proxied encrypted traffic.
BITSLOTH itself was installed by DLL side-loading through a legitimate FL Studio executable. The combination of established tradecraft with freely available tooling shows how complex intrusions are assembled from public components and underlines the need for defense in depth.
BITSLOTH has been under active development since December 2021. Strings labeling its components ‘Slaver’ and ‘Master’ reflect a clear client/server C2 model.
The malware is not obfuscated, and it retains debugging and logging strings that reveal development details and what appear to be messages intended for its operators.
Recent versions add a scheduling component similar to the one in the EAGERBEE malware, giving operators precise control over when BITSLOTH is active on a compromised system.
BITSLOTH abuses the legitimate functionality of BITS so that its C2 traffic blends in with ordinary Windows update activity. On start-up it cancels any existing BITS jobs and collects machine information.
It then creates a BITS download job with a benign-looking URL (http://updater.microsoft[.]com/index.aspx) and registers a notification command line that runs the malware itself (C:\ProgramData\Media\setup_wm.exe) whenever the job's transfer state changes. The job therefore doubles as a persistence mechanism: BITS, a trusted Windows service, relaunches the backdoor on the malware's behalf.
To communicate with the C2 server, BITSLOTH creates another BITS download job with a URL constructed from the victim’s MAC address and a hardcoded string (wu.htm).
The C2 server responds with a 12-byte structure containing job/handler IDs and a token. Data is exchanged through temporary files with names starting with “wm.”.
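As an added example, not code from the Elastic report or from the BITSLOTH sample, the following PowerShell hunts for the two BITS artefacts described above: a job whose notification command line points at an executable outside trusted system directories, and job URLs that match the report's benign-looking host or the C2 pattern (a MAC-derived token followed by wu.htm). It also sweeps the BITS client event log so that jobs the malware has already cancelled still show up. The assumed encoding of the MAC address in the URL, the list of trusted directories, and the choice of event IDs are assumptions, labelled in the code.

```powershell
#Requires -RunAsAdministrator
# Added hunting script for the BITS abuse described above. It is not code from
# the Elastic report or from the BITSLOTH sample; labelled items are assumptions.
Import-Module BitsTransfer

# Indicators taken from the text: the persistence job's benign-looking host and
# the hardcoded 'wu.htm' suffix of the C2 job URL (re-fanged for matching).
$KnownBadHost = 'updater.microsoft.com'
$C2PathSuffix = 'wu.htm'

# Assumption: the MAC address appears in the URL as 12 contiguous hex digits.
# The look-behind excludes the 12-hex tail of a GUID, a common benign token.
$MacInUrl = '(?i)(?<![0-9a-f-])[0-9a-f]{12}(?![0-9a-f])'

# Assumption: legitimate notification commands live under these roots.
$TrustedNotifyRoots = @($env:SystemRoot, $env:ProgramFiles, ${env:ProgramFiles(x86)}) |
    Where-Object { $_ } | ForEach-Object { $_.TrimEnd('\') + '\' }

function Get-BitsJobFindings {
    param([Parameter(Mandatory)] $Job)
    $findings = @()
    $suffixPattern = '(?i)' + [regex]::Escape($C2PathSuffix) + '$'

    foreach ($u in @($Job.FileList | ForEach-Object { $_.RemoteName })) {
        if ($u -match [regex]::Escape($KnownBadHost)) { $findings += "remote URL uses $KnownBadHost ($u)" }
        if ($u -match $suffixPattern)                  { $findings += "remote URL ends in $C2PathSuffix ($u)" }
        if ($u -match $MacInUrl)                       { $findings += "remote URL carries a MAC-like token ($u)" }
    }

    # The persistence trick: BITS runs NotifyCmdLine when the job's state changes.
    $cmd = ($Job.NotifyCmdLine -join ' ').Trim().TrimStart('"', "'")
    if ($cmd) {
        $trusted = $TrustedNotifyRoots | Where-Object {
            $cmd.StartsWith($_, [System.StringComparison]::OrdinalIgnoreCase) }
        if (-not $trusted) { $findings += "notification command outside trusted roots ($cmd)" }
        if ($cmd -match '(?i)\\ProgramData\\') { $findings += "notification command under ProgramData ($cmd)" }
    }
    return $findings
}

function Get-SuspiciousBitsEvents {
    param([int]$Hours = 72)
    # Assumption about which BITS-Client operational events matter here:
    # 3 = job created, 4 = job completed, 59 = transfer started (message
    # carries the URL), 60 = transfer stopped. Events outlive the job object,
    # so the jobs the malware cancels on start-up are still visible here.
    $pattern = [regex]::Escape($KnownBadHost) + '|' + [regex]::Escape($C2PathSuffix) + '|' + $MacInUrl
    Get-WinEvent -FilterHashtable @{
        LogName   = 'Microsoft-Windows-Bits-Client/Operational'
        Id        = 3, 4, 59, 60
        StartTime = (Get-Date).AddHours(-$Hours)
    } -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match $pattern } |
        Select-Object TimeCreated, Id, Message
}

# Live view: every current BITS job on the host, for all users (needs elevation).
Get-BitsTransfer -AllUsers | ForEach-Object {
    $f = Get-BitsJobFindings -Job $_
    if ($f.Count -gt 0) {
        [pscustomobject]@{
            JobId    = $_.JobId
            Name     = $_.DisplayName
            Owner    = $_.OwnerAccount
            Type     = $_.TransferType
            State    = $_.JobState
            Findings = $f -join '; '
        }
    }
} | Format-Table -AutoSize -Wrap

# Historical view from the event log (cancelled jobs leave no live object).
Get-SuspiciousBitsEvents -Hours 72 | Format-Table -AutoSize -Wrap
```

Any notification command line at all is rare on a workstation, so the trusted-roots check will surface most abuse regardless of the host or path indicators; tune the roots for environments where management agents legitimately use BITS callbacks. The event-log sweep matches on message text only, so treat it as a triage aid rather than a precise signature.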
BITSLOTH's command handler implements 35 functions covering process enumeration, system information gathering, file manipulation, remote code execution, persistence, and data exfiltration.
According to Elastic Security Labs, C2 traffic is obfuscated with XOR, but stolen data is sent through BITS upload jobs in plaintext. That gap in the malware's own tradecraft gives defenders who inspect outbound BITS transfers a direct detection opportunity.
The backdoor's post-compromise capabilities include reconnaissance through system and file enumeration, data collection via keylogging and screen capture, and execution of files and commands that can support lateral movement.
It maintains persistence through configuration modification and relies on standard Windows APIs to stay inconspicuous. Despite its age, BITSLOTH remains active and has seen little public reporting, and its comprehensive feature set and evasive tactics make it a significant threat.