The PolySwarm Blog

Analyze suspicious files and URLs, at scale, millions of times per day. Get real-time threat intel from a crowdsourced network of security experts and antivirus companies competing to protect you.

BitSloth

Aug 9, 2024 2:44:04 PM / by The Hivemind

BitSlothVerticals Targeted: Government 

Executive Summary

BitSloth is a recently discovered Windows backdoor that uses a built-in feature called Background Intelligent Transfer Service (BITS) for C2.

Key Takeaways

  • BitSloth is a recently discovered Windows backdoor that uses a built-in feature called Background Intelligent Transfer Service (BITS) for C2.
  • The malware was used in an incident that targeted a Foreign Ministry of an unspecified South American nation. 
  • BitSloth is a DLL that is loaded via DLL sideloading using a legitimate and signed FL Studio executable. 
  • BitSloth’s capabilities include but are not limited to running and executing commands, uploading and downloading files, enumeration and discovery, screen capturing, keylogging, and other methods of collecting sensitive data.

What is BitSloth?

BitSloth is a recently discovered Windows backdoor that uses a built-in feature called Background Intelligent Transfer Service (BITS) for C2. Elastic Security Labs recently reported on BitSloth. 

While BitSloth appears to have been in development since late 2021, Elastic Security Labs first observed BitSloth in June 2024. The malware was used in an incident that targeted a Foreign Ministry of an unspecified South American nation. While it is unclear who is behind the malware, it appears to be used to gather data, potentially for espionage purposes. The threat actors used a variety of tools alongside BitSloth, including RingQ, IOX, Stowaway, GodPotato, NoPac, Mimikatz, PPLFault, and Certify.

Elastic Security Labs researchers noted the code contains logging functions and strings that suggest Chinese origin. Additionally, the malware authors used RingQ, which was previously used by a Chinese threat actor. RingQ converts a Windows executable and generates custom shellcode, placing it in a txt file. The shell code is decrypted and executed in-memory. This method is useful for evading detection. 

BitSloth is a DLL that is loaded via DLL sideloading using a legitimate and signed FL Studio executable. BitSloth’s capabilities include but are not limited to running and executing commands, uploading and downloading files, enumeration and discovery, screen capturing, keylogging, and other methods of collecting sensitive data.

A key feature of BitSloth is its use of BITS for C2. While BITS was designed to allow network transfer of files between machines, multiple threat actor groups have abused BITS. This method allows threat actors to remain undetected in victim organizations that do not monitor BITS network traffic. BitSloth also uses a BITS job named Microsoft Windows to maintain persistence. 

IOCs

PolySwarm has multiple samples of BitSloth.

 

Dfb76bcf5a3e29225559ebbdae8bdd24f69262492eca2f99f7a9525628006d88

4fb6dd11e723209d12b2d503a9fcf94d8fed6084aceca390ac0b7e7da1874f50

0944b17a4330e1c97600f62717d6bae7e4a4260604043f2390a14c8d76ef1507

0f9c0d9b77678d7360e492e00a7fa00af9b78331dc926b0747b07299b4e64afd

 

You can use the following CLI command to search for all BitSloth samples in our portal:

$ polyswarm link list -f BitSloth

 

Don’t have a PolySwarm account? Go here to sign up for a free Community plan or subscribe.

Contact us at hivemind@polyswarm.io | Check out our blog | Subscribe to our reports.

 

Topics: Threat Bulletin, Windows, Backdoor, BITS, BitSloth

The Hivemind

Written by The Hivemind

Subscribe to Email Updates

Lists by Topic

see all

Posts by Topic

See all

Recent Posts