Attackers are now bypassing firewalls by abusing a legitimate component of the Windows operating system, the Background Intelligent Transfer Service (BITS), and using it to plant malware.
In 2020, hospitals, medical centres and nursing homes suffered from an ever-changing phishing campaign that spread the KEGTAP backdoor, which opened the way for Ryuk ransomware attacks.
FireEye Mandiant recently discovered a previously unknown mechanism that allows KEGTAP to persist using the BITS component.
First introduced in Windows XP, BITS is a service for background file transfers between a client and an HTTP server that uses only otherwise idle network bandwidth. It is commonly used to deliver operating system updates to clients.
It is also used by the Windows Defender antivirus scanner to fetch updated malware signatures. Beyond Microsoft’s own products, other applications such as Mozilla Firefox use the service to continue downloads in the background even after the browser is closed.
BITS transfers can also be scheduled to run at specific times, without the need for a long-running process or the Task Scheduler.
Systems that are already compromised are loaded with Ryuk ransomware; the operation uses BITS to create a new job, posing as a "System update", that is configured to run the executable mail.exe, which in turn launches the KEGTAP backdoor after the job attempts to load an invalid URL.
As noted by the researchers, the malicious BITS job was configured to send a non-existent file from the local host over HTTP.
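A triage script for the two traits described above, a BITS job carrying a notification command line and a job whose transfer cannot succeed, added here as an example (it is not code from the article or from Mandiant). It assumes the BitsTransfer module's job objects expose the NotifyCmdLine, JobState, ErrorDescription and FileList properties on the reader's Windows version, and that it runs in an elevated session so other users' jobs are visible.

```powershell
# Added example: enumerate BITS jobs for all users and flag the traits the article
# describes. Property names (NotifyCmdLine, JobState, ErrorDescription, FileList) are
# assumed to be those exposed by the BitsTransfer module; run elevated to see all jobs.
Import-Module BitsTransfer

function Get-SuspiciousBitsJob {
    [CmdletBinding()]
    param(
        # Report only jobs that carry a notification command line
        [switch]$NotifyOnly
    )
    Get-BitsTransfer -AllUsers | ForEach-Object {
        $job = $_
        $reasons = @()

        # A notification command line is the program BITS runs when the job completes
        # or errors out; legitimate update jobs rarely set one.
        if ($job.NotifyCmdLine) {
            $reasons += "notification command line set: $($job.NotifyCmdLine -join ' ')"
        }

        if (-not $NotifyOnly) {
            # A job stuck in an error state is what an invalid URL produces.
            if ("$($job.JobState)" -in @('Error', 'TransientError')) {
                $reasons += "job in $($job.JobState) state ($($job.ErrorDescription))"
            }
            # A local file that does not exist matches the non-existent upload described.
            foreach ($f in $job.FileList) {
                if ($f.LocalName -and -not (Test-Path -LiteralPath $f.LocalName)) {
                    $reasons += "local file missing: $($f.LocalName) (remote: $($f.RemoteName))"
                }
            }
        }

        if ($reasons.Count -gt 0) {
            [pscustomobject]@{
                JobId        = $job.JobId
                DisplayName  = $job.DisplayName
                Owner        = $job.OwnerAccount
                TransferType = $job.TransferType
                Created      = $job.CreationTime
                Reasons      = $reasons -join '; '
            }
        }
    }
}

Get-SuspiciousBitsJob | Format-List
```

Any job reported here deserves a look at its command line and owner before it is removed with Remove-BitsTransfer, since removing it does not touch the binary it was configured to launch.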
Let me remind you that I also talked about the fact that Google Project Zero discovered a 0-day vulnerability in the Windows kernel.