Stealth Falcon’s undocumented backdoor uses Windows BITS to exfiltrate data

Pierluigi Paganini September 09, 2019

ESET researchers discovered a new malware associated with the Stealth Falcon APT group that abuses the Windows BITS service to stealthily exfiltrate data.

Security researchers discovered a new malware associated with the Stealth Falcon cyber espionage group that abuses the Windows BITS service to stealthily exfiltrate data.

Stealth Falcon is a nation-state actor active since at least 2012; in past campaigns the group targeted political activists and journalists in the Middle East. In 2016, researchers from the non-profit organization CitizenLab published a report describing a campaign of targeted spyware attacks carried out by Stealth Falcon. The attacks were conducted from 2012 until 2016 against Emirati journalists, activists, and dissidents.

In January 2019, Reuters published a report into Project Raven, a campaign allegedly conducted by former NSA operatives and aiming at the same types of targets as Stealth Falcon.

Based on the two analyses, Amnesty International’s Senior Technologist, Claudio Guarnieri, has concluded that Stealth Falcon and Project Raven actually are the same threat actor.

The Windows Background Intelligent Transfer Service (BITS) is a built-in component of the Microsoft Windows operating system. BITS is used by programmers and system administrators to download files from or upload files to HTTP web servers and SMB file shares.

BITS optimizes the cost of the transfer by leveraging unused network bandwidth.

The malware analyzed by ESET, dubbed Win32/StealthFalcon, collects data and sends it to its C&C servers using the BITS service.

“The Win32/StealthFalcon backdoor, which appears to have been created in 2015, allows the attacker to control the compromised computer remotely. We have seen a small number of targets in UAE, Saudi Arabia, Thailand, and the Netherlands; in the latter case, the target was a diplomatic mission of a Middle Eastern country.” reads the analysis published by ESET.

Abuse of the BITS mechanism is hard to detect, because its tasks are more likely to be permitted by host-based firewalls. The transfer resumes automatically after being interrupted for any reason (e.g. a network outage or a system reboot). The experts pointed out that BITS adjusts the rate at which files are transferred based on the available bandwidth, which means that network security systems are not able to detect anomalies in the traffic.

“Compared with traditional communication via API functions, the BITS mechanism is exposed through a COM interface and thus harder for a security product to detect. Moreover, this design is reliable and stealthy.” continues the report. “The transfer resumes automatically after being interrupted for reasons like a network outage, the user logging out, or a system reboot. Moreover, because BITS adjusts the rate at which files are transferred based on the bandwidth available, the user has no reason for suspicion.”

The malicious code doesn’t store collected data in plain text: Win32/StealthFalcon prepares the collected data by storing an encrypted copy with a prefix in a temporary folder.

The malware regularly checks for this kind of file and uploads them automatically to the C&C via BITS. Once the data has been uploaded, the malware safe-deletes all log files and collected files, rewriting them with random data before deleting them. In this way, the authors of the malware attempt to prevent forensic analysis and recovery of the deleted data.

The Win32/StealthFalcon backdoor supports only basic commands and can also be used to deploy malicious tools and update its configuration.
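
The upload behaviour described above can be hunted for by enumerating BITS jobs. The following PowerShell is an added example, not code from ESET or from the original article: it reports upload jobs whose destination host is not on an allowlist and notes whether the local file sits in a temp folder. The function name, the allowlisted host and the sample jobs are assumptions constructed for illustration.

```powershell
# Added example (not from the article): report BITS upload jobs whose
# destination is not allowlisted. Function name and allowlist are hypothetical.
function Find-SuspiciousBitsUpload {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)] $Job,
        # Assumption: hosts this organisation legitimately uploads to over BITS.
        [string[]] $AllowedHosts = @('uploads.corp.example')
    )
    process {
        # Downloads are the common case; the backdoor described here uploads.
        if ("$($Job.TransferType)" -notin 'Upload', 'UploadReply') { return }
        foreach ($file in $Job.FileList) {
            $uri = $null
            $ok = [Uri]::TryCreate([string]$file.RemoteName, [UriKind]::Absolute, [ref]$uri)
            $remoteHost = if ($ok) { $uri.Host } else { '' }
            if ($remoteHost -and $remoteHost -in $AllowedHosts) { continue }
            [pscustomobject]@{
                JobId      = $Job.JobId
                Owner      = $Job.OwnerAccount
                RemoteHost = $remoteHost
                LocalFile  = $file.LocalName
                # Page: collected data is staged in a temporary folder.
                FromTemp   = [bool]($file.LocalName -match '\\(Temp|Tmp)\\')
            }
        }
    }
}

# Constructed sample jobs shaped like Get-BitsTransfer output (not real telemetry).
$sample = @(
    [pscustomobject]@{
        JobId = 'job-1'; TransferType = 'Download'; OwnerAccount = 'NT AUTHORITY\SYSTEM'
        FileList = @([pscustomobject]@{
            RemoteName = 'https://updates.corp.example/u.cab'
            LocalName  = 'C:\Windows\SoftwareDistribution\u.cab' })
    },
    [pscustomobject]@{
        JobId = 'job-2'; TransferType = 'Upload'; OwnerAccount = 'CORP\alice'
        FileList = @([pscustomobject]@{
            RemoteName = 'http://files.example.net/in'
            LocalName  = 'C:\Users\alice\AppData\Local\Temp\a1.tmp' })
    }
)
$sample | Find-SuspiciousBitsUpload

# On a live host (elevated prompt, needed for -AllUsers):
# Get-BitsTransfer -AllUsers | Find-SuspiciousBitsUpload
```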

The experts attribute the StealthFalcon backdoor to the Stealth Falcon group because it shares its C&C servers and code base with a PowerShell-based backdoor attributed to the state-sponsored hacker group.

“Similarities in the code and infrastructure with a previously known malware by Stealth Falcon drive us to the conclusion that the Win32/StealthFalcon backdoor is also the work of this threat group.” concludes the report.

Pierluigi Paganini

(SecurityAffairs – StealthFalcon backdoor, Stealth Falcon)


