Warning over Win32/StealthFalcon malware that uses Windows update system to steal data

The BITS system is used by Microsoft to send Windows updates to its users and is generally ignored by firewalls

Security researchers have discovered a new malware strain that uses the Microsoft Windows Background Intelligent Transfer Service (BITS) to quietly transfer stolen data to an attacker-controlled server.

The malware is linked to the cyber espionage group Stealth Falcon, according to researchers from the Slovakia-based cybersecurity firm ESET, who first spotted the new strain targeting a small number of systems in the United Arab Emirates (UAE), Saudi Arabia, Thailand, and the Netherlands.

Stealth Falcon is an advanced persistent threat (APT) group which has been active since 2012 and is known for targeting dissidents and activists in the Middle East region, specifically in the UAE. The first report on Stealth Falcon was published by non-profit organisation Citizen Lab in 2016. At that time, Citizen Lab revealed that the group used a highly secretive backdoor written in PowerShell to infiltrate its targets' machines.

The new malware strain discovered by ESET researchers has been named Win32/StealthFalcon. According to ESET, this tool is more advanced than the one previously used by the Stealth Falcon group and can use the Windows BITS system to communicate with its command-and-control (C&C) servers.

BITS is used by Microsoft to send Windows updates to its users worldwide. The service utilises unused network bandwidth to enable asynchronous and prioritised transfer of files between machines, without affecting the network experience for users.

BITS is commonly used to download files from the Microsoft servers to install Windows 10 updates. It is also used by many other apps to download their own updates.

Because BITS traffic is usually ignored by host-based firewalls, Win32/StealthFalcon's C&C communication blends in with legitimate update traffic, allowing the malware to stay hidden on the system and continue operating in the background.
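Since firewall rules rarely separate malicious BITS jobs from legitimate ones, a defender has to look at the jobs themselves. The following PowerShell triage script is an added example, not part of ESET's report: it enumerates the BITS jobs on a host and flags any that upload data or that talk to a host outside an assumed allowlist of update domains (the allowlist is illustrative and must be adapted to your environment).

```powershell
# Added example: triage BITS jobs for transfers that do not look like update traffic.
# Requires the BitsTransfer module (built into Windows) and, for -AllUsers, an elevated session.
Import-Module BitsTransfer

# Illustrative allowlist of domains that legitimately serve updates over BITS (assumption).
$AllowedHostSuffixes = @('windowsupdate.com', 'update.microsoft.com', 'microsoft.com', 'windows.com')

function Test-AllowedHost {
    param([string]$Url)
    try { $uriHost = ([System.Uri]$Url).Host.ToLowerInvariant() } catch { return $false }
    foreach ($suffix in $AllowedHostSuffixes) {
        if ($uriHost -eq $suffix -or $uriHost.EndsWith(".$suffix")) { return $true }
    }
    return $false
}

# -AllUsers lists jobs created by every account, including SYSTEM, not just the current user.
$findings = foreach ($job in Get-BitsTransfer -AllUsers) {
    foreach ($file in $job.FileList) {
        $reasons = @()
        # Update clients only download; an Upload or UploadReply job is the shape an exfiltration channel takes.
        if ($job.TransferType -ne 'Download') { $reasons += "transfer type $($job.TransferType)" }
        # A remote endpoint outside the allowlist is worth a look regardless of direction.
        if (-not (Test-AllowedHost $file.RemoteName)) { $reasons += 'remote host not on allowlist' }
        if ($reasons.Count -gt 0) {
            [pscustomobject]@{
                JobId       = $job.JobId
                DisplayName = $job.DisplayName
                Owner       = $job.OwnerAccount
                State       = $job.JobState
                Created     = $job.CreationTime
                RemoteName  = $file.RemoteName
                LocalName   = $file.LocalName
                Reasons     = ($reasons -join '; ')
            }
        }
    }
}

$findings | Format-Table -AutoSize
```

The same allowlist check can be applied retrospectively to the Microsoft-Windows-Bits-Client/Operational event log, which records job creation and the remote URL of each transfer, so jobs that have already completed or been deleted are not missed.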

According to the researchers, the Win32/StealthFalcon backdoor allows attackers to take remote control of a compromised computer. It works as a basic backdoor and enables its operators to download and execute further malicious programmes on infected hosts.

"Win32/StealthFalcon can switch the communication between two C&C servers whose addresses are stored in a registry key, along with other configuration values, and can be updated by one of the backdoor commands," the ESET researchers wrote in an online post.

"In case the backdoor fails to reach out to its C&C servers, the backdoor removes itself from the compromised system after a preconfigured number of failed attempts."

ESET researchers found that the Win32/StealthFalcon backdoor and its PowerShell predecessor used the same C&C server domains. Both tools also show many similarities in their code, although they are written in different languages.

This is not the first instance of a cyber-espionage group abusing the BITS service to operate.

Two Chinese hacking groups known as Tropic Trooper (Key Boy) and TEMP.Periscope have previously been reported using BITS to target computers.

Last year, researchers at Kaspersky also revealed that FruityArmor, a cyber-espionage gang based in the Middle East, used BITS to enable its malware to communicate with its C2 servers.