Researchers have shared new details about a PowerShell-based backdoor attributed to the Project Raven threat group. They found that it shares strong similarities with the Win32/StealthFalcon backdoor used by the Stealth Falcon group.
What are the new findings?
According to the latest findings from ESET, the previously undocumented malware appears to be the work of the state-sponsored cyber-espionage group Project Raven, which has been operating under the name Stealth Falcon. Win32/StealthFalcon and the unnamed PowerShell-based backdoor share the same C2 server, and although the two are written in different languages, their code shows significant similarities.
“Both use hardcoded identifiers (most probably campaign ID/target ID). In both cases, all network communication from the compromised host is prefixed with these identifiers and encrypted with RC4 using a hardcoded key,” added researchers.
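The framing described above (identifiers sent in the clear, followed by an RC4-encrypted body under a hardcoded key) is what an analyst has to undo to read captured beacons. The following is an added illustration, not ESET's code and not code from either backdoor: the key, the identifier layout (8-byte campaign ID followed by 8-byte target ID) and the sample beacon are all constructed for the example, since the page gives none of the real values.

```python
# Added example: decode a C2 message framed as "identifier prefix + RC4 body".
# KEY, ID layout and SAMPLE are hypothetical; the real values are not on the page.


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA + PRGA). Encrypting and decrypting are the same operation."""
    S = list(range(256))
    j = 0
    for i in range(256):                      # key-scheduling algorithm
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for byte in data:                         # pseudo-random generation algorithm
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(byte ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


# Assumed hardcoded key and identifier layout (hypothetical).
KEY = b"hypothetical-hardcoded-key"
CAMPAIGN_ID_LEN = 8
TARGET_ID_LEN = 8
PREFIX_LEN = CAMPAIGN_ID_LEN + TARGET_ID_LEN


def frame_message(campaign_id: bytes, target_id: bytes, plaintext: bytes) -> bytes:
    """Build a message the way the page describes: identifiers in the clear, body RC4-encrypted."""
    if len(campaign_id) != CAMPAIGN_ID_LEN or len(target_id) != TARGET_ID_LEN:
        raise ValueError("identifier has the wrong length")
    return campaign_id + target_id + rc4(KEY, plaintext)


def parse_message(blob: bytes) -> dict:
    """Split the cleartext identifier prefix off and decrypt the body."""
    if len(blob) < PREFIX_LEN:
        raise ValueError("message shorter than identifier prefix")
    campaign_id = blob[:CAMPAIGN_ID_LEN]
    target_id = blob[CAMPAIGN_ID_LEN:PREFIX_LEN]
    return {
        "campaign_id": campaign_id.decode("ascii", "replace"),
        "target_id": target_id.decode("ascii", "replace"),
        "body": rc4(KEY, blob[PREFIX_LEN:]),
    }


# Constructed sample beacon (not real traffic): host and user name in the body.
SAMPLE = frame_message(b"CAMP0001", b"TGT00042", b"host=WS-ACCT-07;user=jsmith;ver=2")

if __name__ == "__main__":
    print(parse_message(SAMPLE))
```

Because the identifiers travel unencrypted, a recovered campaign or target ID is also a usable network signature: a capture filter on the prefix bytes finds the beacons before any decryption is needed, and the decoder above then turns them into readable records once the key has been pulled from a sample.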
According to the Citizen Lab report, the Stealth Falcon group has been in operation since 2012 and has been seen targeting United Arab Emirates residents.
About Win32/StealthFalcon
Win32/StealthFalcon, which appears to have been created in 2015, allows attackers to remotely control the compromised computer. The malware has targeted users in the UAE, Saudi Arabia, Thailand, and the Netherlands.
For communication with its C2 server, the malware uses the standard Windows component Background Intelligent Transfer Service (BITS) rather than calling network API functions directly, and relies on it to move large amounts of data.
BITS has properties that make it attractive to malware authors compared with traditional communication via API functions: the traffic originates from a legitimate Windows service, so it is likely to be permitted by host firewalls and easy to overlook; transfers are throttled so they do not stand out; and interrupted transfers are resumed automatically, including after a reboot.
“BITS was designed to transfer large amounts of data without consuming a lot of network bandwidth, which it achieves by sending the data with throttled throughput so as not to affect the bandwidth needs of other applications. It is commonly used by updaters, messengers, and other applications designed to operate in the background,” researchers explained.
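The flip side of this technique is that BITS jobs are logged by Windows itself (the Microsoft-Windows-Bits-Client/Operational channel records a job start as event 59 and a job stop as event 60, each naming the job and its URL). The following is an added hunting example, not part of ESET's report or any tool of theirs: it runs over constructed log lines in a simplified "timestamp, event ID, message" shape and flags jobs whose destination is an IP literal or a host outside a site-specific allowlist of update domains. The allowlist and the sample lines are assumptions for the example.

```python
# Added example: flag suspicious BITS jobs in event-log text. Sample lines and the
# allowlist are constructed for illustration; adapt the allowlist to your estate.
import re
from urllib.parse import urlparse

# Constructed sample (not real telemetry). Message text follows the wording of
# Microsoft-Windows-Bits-Client/Operational events 59 (start) and 60 (stop).
SAMPLE_EVENTS = """\
2019-09-09T08:01:12 59 BITS started the WindowsUpdate transfer job that is associated with the http://download.windowsupdate.com/d/msdownload/update/software/secu/2019/09/windows10.0-kb4515384-x64.cab URL.
2019-09-09T08:03:40 59 BITS started the Defender Updates transfer job that is associated with the https://go.microsoft.com/fwlink/?LinkID=121721 URL.
2019-09-09T08:05:02 59 BITS started the Update transfer job that is associated with the http://203.0.113.45/api/v1/check URL.
2019-09-09T08:05:03 59 BITS started the Update transfer job that is associated with the http://updates.example-cdn.net/sync?id=CAMP0001 URL.
2019-09-09T08:06:00 60 BITS stopped transferring the Update transfer job that is associated with the http://203.0.113.45/api/v1/check URL. The status code is 0x0.
"""

# Assumption: the hosts legitimate BITS jobs are expected to talk to in this environment.
EXPECTED_HOST_SUFFIXES = (".windowsupdate.com", ".microsoft.com", ".windows.com")

EVENT_RE = re.compile(
    r"^(?P<ts>\S+) (?P<id>\d+) BITS (?:started|stopped transferring) the "
    r"(?P<job>.+?) transfer job that is associated with the (?P<url>\S+) URL\."
)
IPV4_RE = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}")


def is_expected_host(host: str) -> bool:
    """True when the host is one of the allowlisted domains or a subdomain of one."""
    host = host.lower()
    return any(host == s.lstrip(".") or host.endswith(s) for s in EXPECTED_HOST_SUFFIXES)


def find_suspicious_bits_jobs(log_text: str) -> list:
    """Return one finding per job start (event 59) whose destination looks wrong."""
    findings = []
    for line in log_text.splitlines():
        m = EVENT_RE.match(line)
        if not m or m.group("id") != "59":   # judge jobs once, at start; skip stops
            continue
        host = urlparse(m.group("url")).hostname or ""
        reasons = []
        if IPV4_RE.fullmatch(host):
            reasons.append("IP-literal destination")
        if not is_expected_host(host):
            reasons.append("host not in update allowlist")
        if reasons:
            findings.append({"ts": m.group("ts"), "job": m.group("job"),
                             "host": host, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in find_suspicious_bits_jobs(SAMPLE_EVENTS):
        print(f["ts"], repr(f["job"]), f["host"], "; ".join(f["reasons"]))
```

On a live host the same text can be obtained with `Get-WinEvent -LogName Microsoft-Windows-Bits-Client/Operational` and currently queued jobs with `Get-BitsTransfer -AllUsers` or `bitsadmin /list /allusers /verbose`; the point of the check is that a job titled like an update but pointing at an unfamiliar host is exactly what this malware's use of BITS looks like from the defender's side.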
What are the capabilities?
Once executed on a victim's machine, Win32/StealthFalcon can schedule itself as a task that runs at each user login. It can also exfiltrate data, deploy additional malicious tools, and update its configuration.