Security News > 2021 > April > Hackers Using a Windows OS Feature to Evade Firewall and Gain Persistence
New research by FireEye's Mandiant cyber forensics arm has now revealed a previously unknown persistence mechanism that shows the adversaries made use of BITS to launch the backdoor.
Introduced in Windows XP, BITS is a component of Microsoft Windows, which makes use of idle network bandwidth to facilitate the asynchronous transfer of files between machines.
This is achieved by creating a job - a container that includes the files to download or upload. BITS is commonly used to deliver operating system updates to clients as well as by Windows Defender antivirus scanner to fetch malware signature updates.
Specifically, the post-compromise incidents involving Ryuk infections were found to leverage the BITS service to create a new job as a "System update" that was configured to launch an executable named "Mail.exe," which in turn triggered the KEGTAP backdoor, after attempting to download an invalid URL. "The malicious BITS job was set to attempt an HTTP transfer of a nonexistent file from the localhost, the researchers noted."As this file would never exist, BITS would trigger the error state and launch the notify command, which in this case was KEGTAP.".
The new mechanism is yet another reminder of how a useful tool like BITS can be repurposed by attackers to their own advantage.
To aid incident response and forensic investigations, the researchers have also made available a Python utility called BitsParser that aims to parse BITS database files and extract job and file information for additional analysis.
News URL
Related news
- Windows driver zero-day exploited by Lazarus hackers to install rootkit (source)
- 0-day in Windows driver exploited by North Korean hackers to deliver rootkit (CVE-2024-38193) (source)
- Hackers use PHP exploit to backdoor Windows systems with new malware (source)
- Week in review: SonicWall critical firewalls flaw fixed, APT exploits WPS Office for Windows RCE (source)