Hackers Using a Windows OS Feature to Evade Firewall and Gain Persistence

A novel approach adopted by attackers finds ways to use Microsoft’s Background Intelligent Transfer Service (BITS) to deploy malicious payloads on Windows machines stealthily.

In 2020, hospitals, retirement communities, and medical centers bore the brunt of an ever-shifting phishing campaign that distributed custom backdoors such as KEGTAP, which ultimately paved the way for RYUK ransomware attacks.

But new research by FireEye’s Mandiant cyber forensics arm has now revealed a previously unknown persistence mechanism that shows the adversaries made use of BITS to launch the backdoor.

Introduced in Windows XP, BITS is a component of Microsoft Windows that makes use of idle network bandwidth to facilitate the asynchronous transfer of files between machines. This is achieved by creating a job, a container that includes the files to download or upload.

BITS is commonly used to deliver operating system updates to clients, as well as by the Windows Defender antivirus scanner to fetch malware signature updates. Besides Microsoft’s own products, the service is also put to use by other applications such as Mozilla Firefox to allow downloads to continue in the background even when the browser is closed.

“When malicious applications create BITS jobs, files are downloaded or uploaded in the context of the service host process,” FireEye researchers said. “This can be useful for evading firewalls that may block malicious or unknown processes, and it helps to obscure which application requested the transfer.”

Specifically, the post-compromise incidents involving Ryuk infections were found to leverage the BITS service to create a new job named “System update” that was configured to launch an executable named “mail.exe,” which in turn triggered the KEGTAP backdoor, after attempting to download an invalid URL.

“The malicious BITS job was set to attempt an HTTP transfer of a nonexistent file from the localhost,” the researchers noted. “As this file would never exist, BITS would trigger the error state and launch the notify command, which in this case was KEGTAP.”

The new technique is yet another reminder of how a useful tool like BITS can be repurposed by attackers to their own advantage. To aid incident response and forensic investigations, the researchers have also made available a Python utility called BitsParser that aims to parse BITS database files and extract job and file information for further analysis.
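As an added example (not code from the article, FireEye, or BitsParser), the Python below triages exported BITS job records for the pattern described above: a transfer that can only fail, paired with a notify command that runs from an untrusted location. The record layout, the sample jobs, and the trusted-directory list are assumptions made for this example.

```python
from urllib.parse import urlparse

# Directories from which a legitimate BITS notify command would normally run;
# an assumption for this example, tune to the environment being reviewed.
TRUSTED_DIRS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")
LOOPBACK_HOSTS = {"localhost", "127.0.0.1", "::1"}

# Constructed sample records in the shape an analyst might export from
# BitsParser or Get-BitsTransfer -AllUsers. The first mirrors the job described
# above; its URL path and executable path are placeholders, not case data.
SAMPLE_JOBS = [
    {"display_name": "System update",
     "remote_url": "http://localhost/PLACEHOLDER-nonexistent-file",
     "notify_cmdline": '"C:\\Users\\Public\\mail.exe"'},
    {"display_name": "Firefox Background Update",
     "remote_url": "https://download.mozilla.org/PLACEHOLDER/firefox.msi",
     "notify_cmdline": ""},
    {"display_name": "Defender signature update",
     "remote_url": "https://go.microsoft.com/fwlink/?LinkID=PLACEHOLDER",
     "notify_cmdline": ""},
]

def executable_of(cmdline):
    """First token of a Windows command line, quotes removed, lower-cased."""
    cmdline = cmdline.strip()
    if cmdline.startswith('"'):
        return cmdline[1:].split('"', 1)[0].lower()
    return cmdline.split(" ", 1)[0].lower()

def triage_job(job):
    """Return the reasons one BITS job record deserves analyst attention."""
    reasons = []
    host = (urlparse(job.get("remote_url", "")).hostname or "").lower()
    notify = (job.get("notify_cmdline") or "").strip()
    # A transfer of a nonexistent file from the local host can only end in
    # the error state, which is exactly what fires the notify command.
    if host in LOOPBACK_HOSTS:
        reasons.append("remote URL targets loopback host %r" % host)
    if notify:
        exe = executable_of(notify)
        if exe.startswith(TRUSTED_DIRS):
            reasons.append("notify command present: %r" % exe)
        else:
            reasons.append("notify command runs %r from an untrusted path" % exe)
    return reasons

def triage_jobs(jobs):
    """Map each suspicious job's display name to its list of reasons."""
    findings = {j["display_name"]: triage_job(j) for j in jobs}
    return {name: r for name, r in findings.items() if r}
```

A notify command by itself is legitimate BITS functionality, so the output is a starting point for review, not a verdict.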