A novel technique adopted by attackers finds ways to use Microsoft’s Background Intelligent Transfer Service (BITS) so as to deploy malicious payloads on Windows machines stealthily.

In 2020, hospitals, retirement communities, and medical centers bore the brunt of an ever-shifting phishing campaign that distributed custom backdoors such as KEGTAP, which ultimately paved the way for RYUK ransomware attacks.

But new research by FireEye’s Mandiant cyber forensics arm has now revealed a previously unknown persistence mechanism that shows the adversaries made use of BITS to launch the backdoor.

password auditor

Introduced in Windows XP, BITS is a component of Microsoft Windows, which makes use of idle network bandwidth to facilitate the asynchronous transfer of files between machines. This is achieved by creating a job — a container that includes the files to download or upload.

BITS is commonly used to deliver operating system updates to clients as well as by Windows Defender antivirus scanner to fetch malware signature updates. Besides Microsoft’s own products, the service is also put to use by other applications such as Mozilla Firefox to enable downloads to continue in the background even when the browser is closed.

“When malicious applications create BITS jobs, files are downloaded or uploaded in the context of the service host process,” FireEye researchers said. “This can be useful for evading firewalls that may block malicious or unknown processes, and it helps to obscure which application requested the transfer.”

password auditor

Specifically, the post-compromise incidents involving Ryuk infections were found to leverage the BITS service to create a new job as a “System update” that was configured to launch an executable named “mail.exe,” which in turn triggered the KEGTAP backdoor, after attempting to download an invalid URL.

“The malicious BITS job was set to attempt an HTTP transfer of a nonexistent file from the localhost, the researchers noted. “As this file would never exist, BITS would trigger the error state and launch the notify command, which in this case was KEGTAP.”

The new mechanism is yet another reminder of how a useful tool like BITS can be repurposed by attackers to their own advantage. To aid incident response and forensic investigations, the researchers have also made available a Python utility called BitsParser that aims to parse BITS database files and extract job and file information for additional analysis.