Hackers bypass firewalls using Windows feature
Cybercriminals have learned to use a legitimate component of the Windows operating system called Background Intelligent Transfer Service (BITS) to covertly install and persist malware on compromised systems.
In 2020, hospitals, medical centers and nursing homes suffered from an ever-changing phishing campaign that spread the KEGTAP backdoor, which opened the way for Ryuk ransomware attacks. FireEye Mandiant recently discovered a previously unknown mechanism that allows KEGTAP to persist using the BITS component.
First introduced in Windows XP, BITS is a background file transfer service between a client and an HTTP server that uses idle network bandwidth. BITS is commonly used to deliver operating system updates to clients. It is also used by the Windows Defender Antivirus scanner to fetch malware signature updates. Beyond Microsoft products, the service is used by other applications such as Mozilla Firefox to keep downloads running in the background even when the browser is closed.
“When malicious applications create BITS jobs, files are downloaded or uploaded in the context of the service host process. This can be useful for evading firewalls that may block malicious or unknown processes, and it helps to obscure which application requested the transfer,” said FireEye Mandiant.
Once Ryuk's loader is on a compromised system, it uses BITS to create a new job posing as a system update. The job is configured to launch the mail.exe executable, which in turn launches the KEGTAP backdoor after the job attempts to load an invalid URL.
As the researchers noted, the malicious BITS job was set to attempt an HTTP transfer of a nonexistent file from the local host.
“As this file would never exist, BITS would trigger the error state and launch the notify command, which in this case was KEGTAP,” FireEye explained.
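The persistence trick described above leaves two artifacts a defender can look for on the endpoint: a BITS job that carries a notification command line, and a job whose source URL points at the local machine so that the transfer is guaranteed to fail and re-run the error path. The script below is an added example written for this page; it is not Mandiant's tooling or any code from the report. It assumes the built-in BitsTransfer PowerShell module (Get-BitsTransfer, the BitsJob properties NotifyCmdLine, JobState, OwnerAccount and FileList, and the BitsFile property RemoteName) and must run elevated so that -AllUsers can see jobs owned by SYSTEM and other accounts. The loopback pattern is a heuristic, not an indicator taken from the article.

```powershell
# Added example (not from the original article): triage BITS jobs on a Windows host
# for the persistence pattern described above. Run from an elevated PowerShell session.
Import-Module BitsTransfer

function Get-SuspiciousBitsJob {
    # -AllUsers enumerates jobs owned by every account, including SYSTEM.
    $jobs = Get-BitsTransfer -AllUsers -ErrorAction Stop

    foreach ($job in $jobs) {
        $reasons = @()

        # 1. A notification command line tells BITS to run a program when the job
        #    completes or fails. Ordinary update jobs rarely set it; the KEGTAP job
        #    used it to launch the backdoor from the error path.
        if (-not [string]::IsNullOrWhiteSpace($job.NotifyCmdLine)) {
            $reasons += "NotifyCmdLine set: $($job.NotifyCmdLine)"
        }

        # 2. Source URLs on the local host (heuristic, assumed pattern): a transfer
        #    from a file that will never exist is designed to fail every retry.
        foreach ($file in $job.FileList) {
            if ($file.RemoteName -match '^https?://(localhost|127\.0\.0\.1|\[::1\])') {
                $reasons += "Loopback source: $($file.RemoteName)"
            }
        }

        # 3. A job parked in an error state alongside either finding is the
        #    combination the report describes; record the state for the analyst.
        if ($reasons.Count -gt 0 -and $job.JobState -in @('Error', 'TransientError')) {
            $reasons += "JobState: $($job.JobState)"
        }

        if ($reasons.Count -gt 0) {
            [pscustomobject]@{
                JobId       = $job.JobId
                DisplayName = $job.DisplayName
                Owner       = $job.OwnerAccount
                Created     = $job.CreationTime
                Reasons     = ($reasons -join '; ')
            }
        }
    }
}

# Print any hits; an empty result means no job matched the heuristics.
Get-SuspiciousBitsJob | Format-List
```

Because BITS jobs are persisted in the service's own queue database and survive reboots, a one-off run only shows the current state; schedule the check or forward its output to a SIEM, and pair it with the Microsoft-Windows-Bits-Client/Operational event log, which records job creation and transfer activity, so that a job created and then removed between scans is still visible.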
Source: securitylab.ru
02 April 2021