BITS and Bytes: Examining BITSLOTH, a Newly Discovered Backdoor — Elastic Security Labs

BITSLOTH is a newly discovered Windows backdoor that uses the Background Intelligent Transfer Service (BITS) for command-and-control. It was observed in a LATAM-region intrusion and carries data-collection capabilities such as keylogging and screen capture. It features 35 command handlers, evades detection by relying on legitimate Windows features, and uses a hard-coded mutex together with BITS-based persistence; the researchers note development spanning several years, and the RingQ and STOWAWAY tools were observed in the same operation. #BITSLOTH #RINGQ #STOWAWAY #ForeignMinistry #LATAM

Keypoints

  • BITSLOTH is a newly discovered Windows backdoor that uses BITS for C2.
  • It ships with 35 command handlers for discovery, enumeration, execution, and data collection.
  • Key capabilities include keylogging and screen capture.
  • The authors are suspected to be native Chinese speakers based on strings and locale.
  • The malware evades detection by leveraging legitimate Windows features rather than full obfuscation.
  • Persistence is achieved via BITS jobs, and a hard-coded mutex ensures a single running instance.
  • The intrusion was traced back to PSEXEC execution and lateral movement; the operators also used RingQ and IOX, and BITSLOTH itself was loaded by side-loading a DLL through a signed FL Studio binary.

MITRE Techniques

  • [T1059.003] Windows Command Shell – Executes commands and files via a Windows shell. – “Executes commands and files via ShellExecuteW.”
  • [T1056.001] Keylogging – Retrieves keystrokes from the user. – “Record keystrokes from victim machine.”
  • [T1113] Screen Capture – Captures screenshots of the desktop. – “Take screenshots of victim machine desktop.”
  • [T1057] Process Discovery – Identifies running processes. – “Collect running processes via WTSEnumerateProcessesW.”
  • [T1007] System Service Discovery – Enumerates Windows services. – “Get Windows services via EnumServicesStatusW.”
  • [T1197] BITS Jobs – Abuses BITS jobs to establish persistence and stage transfers. – “Creates BITS jobs for persistence.”
  • [T1021.002] SMB/Windows Admin Shares – Moves laterally and executes commands on remote hosts with PsExec-style tooling over admin shares. – “The intrusion was traced back to PSEXEC execution on one of the infected endpoints.”
  • [T1574.002] DLL Side-Loading – Loads a malicious DLL through a legitimately signed executable. – “side-loading technique using a signed version of FL Studio.”

Indicators of Compromise

  • [SHA-256] s.dll – 4a4356faad620bf12ff53bcfac62e12eb67783bd22e66bf00a19a4c404bf45df, and 2 more hashes
  • [SHA-256] 125.exe – dfb76bcf5a3e29225559ebbdae8bdd24f69262492eca2f99f7a9525628006d88
  • [SHA-256] setup_wm.exe – 4fb6dd11e723209d12b2d503a9fcf94d8fed6084aceca390ac0b7e7da1874f50
  • [IPv4-addr] C2 servers – 216.238.121.132, 45.116.13.178, and 15.235.132.67
  • [Domain] updater.microsoft.com – updater.microsoft.com
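A hunt for BITS jobs with the traits described in the keypoints (jobs created by a process that does not normally create them, or transferring to the C2 addresses and domain listed in the indicators above), as an added example that is not part of the Elastic post or of the BITSLOTH analysis. It runs over constructed records shaped like Microsoft-Windows-Bits-Client/Operational events 3 (job created) and 59 (transfer started); the field names, the sample paths and URL paths, and the allow-list of trusted job creators are assumptions for this example.

```python
"""Hunt for BITS jobs that look like BITSLOTH-style C2 or persistence."""
from urllib.parse import urlsplit
import ipaddress

# Network indicators copied from the page's IOC list.
C2_IPS = {"216.238.121.132", "45.116.13.178", "15.235.132.67"}
C2_DOMAINS = {"updater.microsoft.com"}

# Processes that routinely create BITS jobs on a workstation. This
# allow-list is an assumption for the example; tune it to your fleet.
TRUSTED_CREATORS = {
    r"c:\windows\system32\svchost.exe",
    r"c:\program files (x86)\microsoft\edge\application\msedge.exe",
}

# Constructed records shaped like Microsoft-Windows-Bits-Client/Operational
# events: id 3 (job created, names the creating process) and id 59
# (transfer started, names the remote URL). Field names and URL paths are
# assumptions for this example; map them onto your SIEM's schema.
SAMPLE_EVENTS = [
    # Job created from a user-writable directory by a file name from the
    # IOC list, then transferring to a listed C2 address.
    {"event_id": 3, "job_id": "job-a", "job_title": "Microsoft Windows",
     "process_path": r"C:\Users\user\AppData\Local\Temp\setup_wm.exe"},
    {"event_id": 59, "job_id": "job-a", "job_title": "Microsoft Windows",
     "url": "http://216.238.121.132/update"},
    # Ordinary Windows Update traffic: nothing to flag.
    {"event_id": 3, "job_id": "job-b", "job_title": "WU Client Download",
     "process_path": r"C:\Windows\System32\svchost.exe"},
    {"event_id": 59, "job_id": "job-b", "job_title": "WU Client Download",
     "url": "https://download.windowsupdate.com/d/msdownload/update.cab"},
    # Trusted creator, but the remote host is the domain from the IOC list.
    {"event_id": 3, "job_id": "job-c", "job_title": "Microsoft Windows",
     "process_path": r"C:\Windows\System32\svchost.exe"},
    {"event_id": 59, "job_id": "job-c", "job_title": "Microsoft Windows",
     "url": "http://updater.microsoft.com/index"},
    # Raw-IP destination that is not a known indicator: lower-confidence hit.
    {"event_id": 3, "job_id": "job-d", "job_title": "Installer",
     "process_path": r"C:\Windows\System32\svchost.exe"},
    {"event_id": 59, "job_id": "job-d", "job_title": "Installer",
     "url": "http://10.20.30.40/pkg.bin"},
]


def remote_host(url):
    """Lower-cased host part of a URL, or '' if it cannot be parsed."""
    return (urlsplit(url).hostname or "").lower()


def is_ip_literal(host):
    """True when the host is a bare IPv4/IPv6 address rather than a name."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def hunt(events):
    """Return {job_id: [reasons]} for BITS jobs worth a closer look.

    Matches against the page's indicators are prefixed 'IOC:'; weaker
    behavioural signals are prefixed 'HEURISTIC:'.
    """
    findings = {}

    def flag(job_id, reason):
        findings.setdefault(job_id, []).append(reason)

    for ev in events:
        job_id = ev["job_id"]
        if ev["event_id"] == 3:
            creator = ev.get("process_path", "")
            if creator.lower() not in TRUSTED_CREATORS:
                flag(job_id, f"HEURISTIC: job '{ev['job_title']}' created by {creator}")
        elif ev["event_id"] == 59:
            host = remote_host(ev.get("url", ""))
            if host in C2_IPS or host in C2_DOMAINS:
                flag(job_id, f"IOC: transfer to {host} (BITSLOTH indicator)")
            elif is_ip_literal(host):
                flag(job_id, f"HEURISTIC: transfer to raw IP {host}")
    return findings


if __name__ == "__main__":
    for job_id, reasons in hunt(SAMPLE_EVENTS).items():
        print(job_id)
        for reason in reasons:
            print("   ", reason)
```

On a live host the same records come from the Microsoft-Windows-Bits-Client/Operational channel, and `bitsadmin /list /allusers /verbose` shows each job's notify command line, which is the part of a BITS job that delivers persistence; a job created by something other than svchost.exe, or one pointed at a listed address, is where to start.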

Read more: https://www.elastic.co/security-labs/bits-and-bytes-analyzing-bitsloth