Ransomware hackers have adopted a new technique for secretly infecting Windows machines with malware by abusing Microsoft BITS (Background Intelligent Transfer Service).
Last year, a number of hospitals, medical centers, and retirement homes became victims of a hacking campaign that targeted them with backdoor malware such as SINGLEMALT and KEGTAP. The ultimate goal of deploying those backdoors was to eventually infect the targeted machines with RYUK ransomware.
In recent research by the cybersecurity firm FireEye, the hackers were found to be using a persistence mechanism that the researchers had not observed before: they were using the BITS component of the Windows OS to launch their backdoors on the attacked machines.
The Background Intelligent Transfer Service (BITS) has been part of Windows since Windows XP. Its purpose is to transfer files between systems asynchronously, using network bandwidth that would otherwise be idle. It works by creating a container, called a job, that holds the files that are to be uploaded or downloaded; the BITS service then carries out the transfer on the job owner's behalf.
The typical use of BITS is to deliver automatic OS updates and Windows Defender malware definition updates. It is not uncommon for BITS to be used by third-party software and not only by Microsoft products. For instance, certain browsers such as Firefox can tap into this service to perform background software updates even when the browser itself is not running.
How Hackers Exploit BITS
The hackers have found a way to abuse BITS: their malware creates BITS jobs of its own. Because the actual download or upload is performed by the trusted Microsoft service rather than by the malware process, the activity is less likely to be blocked by host firewalls or flagged by anti-malware tools.
In the case of the RYUK attacks, the malware that deployed the backdoor created a BITS job labelled “System Update” that was configured to launch a file named mail.exe. When mail.exe runs it launches the KEGTAP backdoor, which in turn downloads the RYUK ransomware.
BITS can be told to run a program (the job's notification command) when a job finishes or fails. The job created by the infection was configured to transfer a non-existent file from localhost. That transfer can only fail, and the resulting error triggers the notification command, which in this case was the KEGTAP backdoor. Because BITS jobs are persistent and are serviced by a legitimate Windows component, the attackers effectively turned a BITS error handler into a persistence trigger.
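The two traits described above (a notification command attached to a job, and a transfer that points at localhost and can only fail) are exactly what a defender can hunt for on a live host. The script below is an added example and is not FireEye's code or the BitsParser tool: it parses the text that `bitsadmin /list /allusers /verbose` prints and flags jobs that look like the RYUK persistence job. The listing it parses is constructed for the example; the field labels follow what bitsadmin prints, but the exact layout is an assumption, so adapt the regular expressions to the output of the host you are triaging. The user-writable path list and the job names are likewise illustrative assumptions.

```python
"""Hunt for suspicious BITS jobs in `bitsadmin /list /allusers /verbose` output.

Added example, not FireEye's code. Field labels follow bitsadmin's verbose
listing as an assumption; adjust the regexes to the real output if needed.
"""
import re
from urllib.parse import urlsplit

# Constructed sample listing: one benign-looking update job and one job shaped
# like the RYUK persistence job (display name "System Update", a file that does
# not exist on localhost, and a notification command pointing at mail.exe).
SAMPLE = """\
GUID: {1B2C3D4E-0000-4000-8000-000000000001} DISPLAY: MicrosoftUpdate
TYPE: DOWNLOAD STATE: TRANSFERRED OWNER: NT AUTHORITY\\SYSTEM
PRIORITY: NORMAL FILES: 1 / 1 BYTES: 4096 / 4096
ERROR COUNT: 0
JOB FILES:
\t4096 / 4096 WORKING http://download.windowsupdate.com/d/msdownload/update.cab -> C:\\Windows\\SoftwareDistribution\\Download\\update.cab
NOTIFICATION COMMAND LINE: none
GUID: {1B2C3D4E-0000-4000-8000-000000000002} DISPLAY: System Update
TYPE: DOWNLOAD STATE: TRANSIENT_ERROR OWNER: NT AUTHORITY\\SYSTEM
PRIORITY: NORMAL FILES: 0 / 1 BYTES: 0 / UNKNOWN
ERROR COUNT: 3
ERROR FILE:    http://localhost/update.xml -> C:\\ProgramData\\update.xml
ERROR CODE:    0x80190194 - HTTP status 404: The requested URL does not exist on the server.
JOB FILES:
\t0 / UNKNOWN WORKING http://localhost/update.xml -> C:\\ProgramData\\update.xml
NOTIFICATION COMMAND LINE: C:\\Users\\Public\\mail.exe
"""

RECORD_START = re.compile(r"^GUID:\s*(\{[0-9A-Fa-f-]+\})", re.M)
DISPLAY_RE = re.compile(r"DISPLAY:\s*(.*)$", re.M)
STATE_RE = re.compile(r"\bSTATE:\s*(\S+)")          # first STATE: is the job state
NOTIFY_RE = re.compile(r"^NOTIFICATION COMMAND LINE:\s*(.*)$", re.M)
TRANSFER_RE = re.compile(r"(\w+://\S+)\s*->\s*(\S+)")  # "<remote url> -> <local path>"

ERROR_STATES = {"ERROR", "TRANSIENT_ERROR"}
LOOPBACK_HOSTS = {"localhost", "127.0.0.1", "::1"}
# Heuristic (assumption): directories a non-admin user can write to.
USER_WRITABLE_PREFIXES = ("c:\\users\\", "c:\\programdata\\", "c:\\windows\\temp\\")


def parse_jobs(listing):
    """Split the verbose listing into one dict per job (each record starts at GUID:)."""
    jobs = []
    starts = list(RECORD_START.finditer(listing))
    for i, m in enumerate(starts):
        end = starts[i + 1].start() if i + 1 < len(starts) else len(listing)
        block = listing[m.start():end]
        notify = NOTIFY_RE.search(block)
        notify_cmd = notify.group(1).strip() if notify else ""
        if notify_cmd.lower() in ("", "none", "null"):
            notify_cmd = ""                          # unset notification command
        display = DISPLAY_RE.search(block)
        state = STATE_RE.search(block)
        jobs.append({
            "guid": m.group(1),
            "display": display.group(1).strip() if display else "",
            "state": state.group(1) if state else "",
            "notify_cmd": notify_cmd,
            "urls": sorted({url for url, _ in TRANSFER_RE.findall(block)}),
        })
    return jobs


def _notify_exe(cmd):
    """Return the executable part of a notification command line, lower-cased."""
    m = re.match(r'"([^"]+)"|(\S+)', cmd)
    return (m.group(1) or m.group(2)).lower() if m else ""


def assess(job):
    """Return human-readable findings for one job; an empty list means nothing stood out."""
    findings = []
    if job["notify_cmd"]:
        findings.append(f"notification command set: {job['notify_cmd']}")
        if job["state"] in ERROR_STATES:
            findings.append("job is in an error state, so the notification command "
                            "fires without any file ever being transferred")
        if _notify_exe(job["notify_cmd"]).startswith(USER_WRITABLE_PREFIXES):
            findings.append("notification command runs from a user-writable path")
    for url in job["urls"]:
        host = (urlsplit(url).hostname or "").lower()
        if host in LOOPBACK_HOSTS:
            findings.append(f"transfer source is the local host: {url}")
    return findings


def hunt(listing):
    """Map each job GUID to its findings, keeping only jobs that have any."""
    return {j["guid"]: assess(j) for j in parse_jobs(listing) if assess(j)}


if __name__ == "__main__":
    for guid, findings in hunt(SAMPLE).items():
        print(guid)
        for f in findings:
            print("  -", f)
```

On a real host, feed the script the output of `bitsadmin /list /allusers /verbose` instead of the constructed sample, and corroborate hits against the Microsoft-Windows-Bits-Client/Operational event log, which records the job's URL when a transfer starts (event 59) and the status code when it stops (event 60), and against process-creation telemetry showing the BITS service host (svchost.exe) spawning the notification command.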
This hacking campaign shows just how dangerous a service such as BITS can be if a hacker manages to turn it to their own ends. To help analyse BITS database files, the researchers at FireEye have developed the BitsParser utility and made it freely available on GitHub.