What Is Background Intelligent Transfer Service Downloading
In the last few months, cybercrime gangs have abused the Windows Background Intelligent Transfer Service (BITS) in malware as a way of masquerading their operations.
In this article, we are going to learn about BITS, how malware is using the BITS feature for nefarious reasons, and the ways to prevent and detect scenarios of this nature.
What is Windows Background Intelligent Transfer Service?
BITS is a service available on Windows operating systems and the default way through which Microsoft sends Windows updates to users all over the globe. Applications and system components, including Windows Update, use BITS to deliver operating system and application updates so they can be downloaded with minimal disruption.
Figure 1: BITS service and its configuration (automatic mode).
BITS works based on jobs with one or more files to download or upload, depending on the number of applications it interacts with. The BITS service runs in a service host process and can schedule transfers such as the well-known Windows Updates. Information on the jobs, files and states is stored in a local database (BITS QMGR).
How criminals are using BITS
The massive usage of BITS in the wild by criminal groups is not new. For instance, a backdoor used by the infamous Stealth Falcon group takes advantage of this service to communicate with the C2 server.
ESET's research team said the Win32/StealthFalcon backdoor didn't communicate with its remote server via classic HTTP or HTTPS requests but hid C&C traffic within BITS.
BITS was designed to work together with Windows applications and download and upload information in a stealthy way. Because of this, this resource can be useful to evade firewalls that may block malicious or unknown processes, and, of course, it helps to masquerade which applications are requesting or downloading information from the internet.
One of the most powerful features is that BITS transfers are asynchronous, and the application that created a job may not be running when the requested transfers complete. Criminals have long used this characteristic as a method for creating persistence for malicious applications.
Another key point from the criminal's point of view is how data is kept. Because job data is stored in a database instead of traditional registry locations, many tools and forensic analysts may not pay attention and identify malicious persistence via BITS early.
Downloading the malicious binary
BITS commands can be hardcoded inside malware code, PowerShell loaders, and so on. The jobs can be created by using API function calls or via the bitsadmin command-line tool. Figure 2 shows how a malicious file named "malware.exe" could be retrieved from an HTTPS C2 server and stored in the C:\windows folder.
Figure 2: Using bitsadmin to create a job that downloads a malicious executable and stores it as c:\windows\malware.exe.
Figure 3: Malicious file downloaded into the C:\windows folder.
Creating persistence
A method of creating persistence on the target machine is accomplished by setting a notification on the job, as presented in Figure 4 below.
Figure 4: Creating persistence on the target machine via BITS.
With this method in place, several groups have created persistence and evaded firewalls and detection using only BITS. For instance, there have been many incidents involving Ryuk ransomware operators leveraging custom backdoors and loaders to actively target hospitals and other medical support centers.
Tackling security issues with BITS
BITS is a strong service and is often used by criminals to bypass firewalls, as organizations tend to ignore BITS traffic, knowing it carries software updates, and treat it as just noise in the network traffic.
One of the advantages of using BITS is the ability to pause any malicious traffic while the user is using the machine, operating only in downtime periods. With this in mind, we can easily see that the chance of human detection is minimal, although the malware can still be detected by proper security solutions when it modifies local registries and other BITS settings or scheduled tasks.
FireEye worked in this direction and released a tool called BitsParser. In short, the tool parses BITS databases and returns data about jobs executed on endpoint systems. After that, the analyst should look through the results and identify any malicious artifact, or even whether an abnormal schedule exists.
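The following hunting script is an added example, not code from the original article or from the BitsParser project. It lists the BITS jobs of all users and flags the indicators the article describes: a notification command line on a job (the persistence method of Figure 4), a destination under the Windows folder (Figures 2 and 3), or a remote host outside a trusted allow-list. It assumes an elevated PowerShell session, that bitsadmin /getnotifycmdline prints "none" when no command line is configured, and a placeholder allow-list that you adjust per environment.

```powershell
# Added hunting script (not from the original article or the BitsParser project).
# Flags BITS jobs with a notification command line, a destination under the
# Windows folder, or a remote host outside the allow-list.
# Assumptions: elevated PowerShell; bitsadmin prints "none" when no notify
# command line is set; $TrustedHosts is a constructed placeholder.
Import-Module BitsTransfer

$TrustedHosts = @('windowsupdate.com', 'microsoft.com')   # placeholder allow-list

function Get-BitsNotifyCmdLine {
    param([Parameter(Mandatory)][guid]$JobId)
    # bitsadmin accepts the job GUID in braces in place of the display name
    $out = (& bitsadmin.exe /getnotifycmdline "{$JobId}" 2>&1) -join ' '
    if ($out -match '\bnone\b') { return $null }   # assumption: "none" means unset
    return $out.Trim()
}

function Test-TrustedHost {
    param([string]$RemoteName)
    $remoteHost = ([uri]$RemoteName).Host
    foreach ($t in $TrustedHosts) {
        if ($remoteHost -eq $t -or $remoteHost -like "*.$t") { return $true }
    }
    return $false
}

$findings = foreach ($job in Get-BitsTransfer -AllUsers) {
    $reasons = @()
    $notify = Get-BitsNotifyCmdLine -JobId $job.JobId
    if ($notify) { $reasons += "notify command line: $notify" }
    foreach ($f in $job.FileList) {
        if ($f.LocalName -like "$env:SystemRoot\*") {
            $reasons += "writes into Windows folder: $($f.LocalName)"
        }
        if (-not (Test-TrustedHost $f.RemoteName)) {
            $reasons += "untrusted remote host: $($f.RemoteName)"
        }
    }
    if ($reasons.Count -gt 0) {
        [pscustomobject]@{
            JobId   = $job.JobId
            Name    = $job.DisplayName
            Owner   = $job.OwnerAccount
            State   = $job.JobState
            Created = $job.CreationTime
            Reasons = ($reasons -join '; ')
        }
    }
}
$findings | Format-List
```

Get-BitsTransfer only sees jobs still in the queue, so a job that has already completed and been removed will not appear; BitsParser, which reads the QMGR database itself, is the complement for that historical view.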
Figure 5: GitHub page of BitsParser and tool usage.
The results obtained after running the tool are easy to read and follow the format below:
Figure 6: Report generated after running the BitsParser tool.
BITS continues to be explored and used by criminals in their malicious activities. For this reason, the BITS QMGR database provides a useful source of data for consideration during your hunting operations.
Sources
- How Attackers Use BITS, FireEye
- Cyber espionage using BITS, ZDNet
- Falcon group, ESET
- BITS command line, Segurança-Informática
Source: https://resources.infosecinstitute.com/topic/how-criminals-are-using-windows-background-intelligent-transfer-service/