TLDR:
The newly discovered Windows backdoor BITSLOTH abuses the Background Intelligent Transfer Service (BITS) as a C2 mechanism, with key features including keylogging and screen capture capabilities. The malware is assessed to be used for data gathering and contains code that suggests Chinese-speaking authors. The malware is loaded through DLL side-loading by a legitimate executable from Image-Line.
Summary:
Cybersecurity researchers have uncovered a new Windows backdoor named BITSLOTH that utilizes BITS as a command-and-control mechanism. This malware, identified by Elastic Security Labs during an attack on a South American government ministry, includes keylogging and screen capture functionalities among its 35 handler functions. The malware, in development since December 2021, seems to be focused on data gathering purposes, although the threat actors behind it are not currently clear.
A source code analysis suggests that the authors may be Chinese speakers, with potential ties to China through the use of an open-source tool called RingQ to encrypt the malware and prevent detection. The malware also utilizes STOWAWAY and iox for encrypted C2 traffic and port forwarding, similar to techniques used by Chinese cyber espionage groups in the past.
BITSLOTH takes the form of a DLL file and is loaded using a DLL side-loading technique through a legitimate executable associated with Image-Line called FL Studio. Its capabilities include running commands, uploading and downloading files, performing enumeration and discovery, and collecting sensitive data through keylogging and screen capturing. The malware can communicate via HTTP or HTTPS and can carry out various actions such as removing persistence, terminating processes, logging users off, and updating or deleting itself from the host.
A notable aspect of BITSLOTH is its use of BITS for communication, making it challenging for organizations to detect unusual BITS network traffic. The malware is a fully-featured backdoor with advanced capabilities, making it a significant threat to Windows systems.
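Since BITS traffic blends in with normal update activity, a practical defender check is to enumerate the BITS jobs on a host and flag the ones that do not look like update traffic. The script below is an added example, not part of the original report or of Elastic's published tooling; it assumes an elevated PowerShell session, a site-specific allowlist in $expectedHosts (placeholder values), and that the BitsJob object exposes a NotifyCmdLine property (assumed from the BitsTransfer module, guarded at runtime).

```powershell
# Added hunting script, not from the original report. Assumes the BitsTransfer
# module is available and that $expectedHosts is a site-specific allowlist.
Import-Module BitsTransfer

# Hosts that BITS jobs legitimately contact in this environment. Placeholder
# values: replace them with your own update and software distribution hosts.
$expectedHosts = @('download.windowsupdate.com', 'update.example.internal')

function Get-SuspiciousBitsJob {
    param([string[]]$AllowedHosts = $expectedHosts)

    # -AllUsers needs an elevated session. Backdoor jobs can be owned by any
    # account, so the query must not be limited to the current user.
    foreach ($job in Get-BitsTransfer -AllUsers -ErrorAction Stop) {
        $reasons = @()

        # Every file in the job carries the remote URL it talks to.
        foreach ($file in $job.FileList) {
            try { $uri = [Uri]$file.RemoteName } catch { $uri = $null }
            if (-not $uri -or $AllowedHosts -notcontains $uri.Host) {
                $reasons += "remote host not on allowlist: $($file.RemoteName)"
            }
        }

        # Update traffic is downloads; upload jobs push local data out of the host.
        if ($job.TransferType -ne 'Download') {
            $reasons += "transfer type $($job.TransferType)"
        }

        # A notification command line runs a program when the job completes.
        # Property name assumed; the guard keeps the script working if absent.
        if ($job.PSObject.Properties['NotifyCmdLine'] -and $job.NotifyCmdLine) {
            $reasons += "notification command: $($job.NotifyCmdLine)"
        }

        if ($reasons.Count -gt 0) {
            [pscustomobject]@{
                JobId       = $job.JobId
                DisplayName = $job.DisplayName
                Owner       = $job.OwnerAccount
                State       = $job.JobState
                Reasons     = ($reasons -join '; ')
            }
        }
    }
}

Get-SuspiciousBitsJob | Format-Table -AutoSize
```

Flagged jobs are leads, not verdicts: correlate them with the Microsoft-Windows-Bits-Client/Operational event log, which records job creation and transfer URLs even after a job has been deleted.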