Stealth Falcon’s undocumented backdoor uses Windows BITS to exfiltrate data

September 9, 2019  By Pierluigi Paganini


ESET researchers discovered a new malware associated with the Stealth Falcon APT group that abuses the Windows BITS service to stealthy exfiltrate data.

Security researchers from discovered a new malware associated with the Stealth Falcon cyber espionage group that abuses the Windows BITS service to stealthy exfiltrate data.

Stealth Falcon is a nation-state actor active since at least 2012, the group targeted political activists and journalists in the Middle East in past campaigns. In 2016, researchers from non-profit organization CitizenLab published a report that describes a campaign of targeted spyware attacks carried by the Stealth Falcon.  The attacks have been conducted from 2012 until 2106, against Emirati journalists, activists, and dissidents.

In January of 2019, Reuters published a report into Project Raven, a campaign allegedly conducted by former NSA operatives and aiming at the same types of targets as Stealth Falcon.

Based on the two analysis, Amnesty International’s Senior Technologist, Claudio Guarnieri, has concluded that Stealth Falcon and Project Raven actually are the threat actor.

The Windows Background Intelligent Transfer Service (BITS) service is a built-in component of the Microsoft Windows operating system. The BITS service is used by programmers and system administrators to download files from or upload files to HTTP web servers and SMB file shares. 

BITS optimizes the cost of the transfer leveraging on unused network bandwidth.

The malware analyzed by ESET, dubbed Win32/StealthFalcon, collect data and send to its C&C servers using the BITS service.

“The Win32/StealthFalcon backdoor, which appears to have been created in 2015, allows the attacker to control the compromised computer remotely. We have seen a small number of targets in UAE, Saudi Arabia, Thailand, and the Netherlands; in the latter case, the target was a diplomatic mission of a Middle Eastern country.” reads the analysis published by ESET.

The abuse of the BITS mechanism is hard to be detected, its tasks are more likely permitted by host-based firewalls. The transfer resumes automatically after being interrupted for any reason (i.e. a network outage, a system reboot), experts pointed out that BITS adjusts the rate at which files are transferred based on the bandwidth available, this means that network security systems are not able to detect anomalies in the traffic.

“Compared with traditional communication via API functions, the BITS mechanism is exposed through a COM interface and thus harder for a security product to detect. Moreover, this design is reliable and stealthy.” continues the report. “The transfer resumes automatically after being interrupted for reasons like a network outage, the user logging out, or a system rebootMoreover, because BITS adjusts the rate at which files are transferred based on the bandwidth available, the user has no reason for suspicion.”

The malicious code doesn’t exfiltrate the collected data in plain text, the Win32/StealthFalcon collects files and prepares them for exfiltration by storing an encrypted copy with a hardcoded prefix in a temporary folder.

The malware regularly checks for this kind of files and upload them automatically to the C&C via BITS. Once the data has been exfiltrated, the malware safe-deletes all log files and collected files, and rewrites them with random data before deleting them. In this way, the authors of the malware attempt to prevent forensic analysis and recovery of the deleted data.

The Win32/StealthFalcon backdoor only supports basic commands and could be also used to deploy malicious tools and update its configuration.

The experts attribute the StealthFalcon backdoor to Stealth Falcon group bacause it shares its C&C servers and code base with a PowerShell-based backdoor attributed to the state-sponsored hacker group.

“Similarities in the code and infrastructure with a previously known malware by Stealth Falcon drive us to the conclusion that the Win32/StealthFalcon backdoor is also the work of this threat group.” concludes the report.

[adrotate banner=”9″] [adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – StealthFalcon backdoor, Stealth Falcon)

[adrotate banner=”5″]

[adrotate banner=”13″]



Pierluigi Paganini
Pierluigi Paganini is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group, he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog "Security Affairs" recently named a Top National Security Resource for US. Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines. Author of the Books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.





You might also like





  • Digging the Deep Web: Exploring the dark side of the web

    Digging The Deep Web

  • Center for Cyber Security and International Relations Studies

  • Subscribe Security Affairs Newsletter

    newsletter

  • SecurityAffairs awarded as Best European Cybersecurity Tech Blog at European Cybersecurity Blogger Awards

    EU Sec Bloggers Awards 22


More Story

Telegram Privacy Fails Again

 Security expert discovered that busing a well-known feature of deleting messages it is possible to threate the users' privacy....