StealthFalcon malware spread through the Windows update mechanism

By using the Windows update delivery system, the malicious traffic of this trojan can evade firewalls

Trojan

Windows Background Intelligent Transfer Service (BITS) is being exploited again, with a malware strain is using it to spread between computers.

Windows BITS is the default mechanism the operating system (OS) uses to send Windows updates to systems all over the world, and attackers are now using it to hide traffic to and from their command and control (C&C) server, sent by the backdoor.

Advertisement - Article continues below

Slovakian cyber security outfit ESET discovered the trojan and named it Win32/StealthFalcon, eponymic of the group to which it's attributed.

The StealthFalcon group has been around since 2012, according to the limited reports there are on the organisation, and is believed to be a state-sponsored group which originally targeted United Arab Emirates (UAE) dissidents.

Instead of sending HTTP or HTTPS traffic back to the C&C server, the trojan masks this traffic by routing it through BITS, a method the researchers believe will more easily evade firewalls.

This is because BITS isn't just used for Windows updates, other programs use it to distribute their own updates and even Mozilla is working on pushing Firefox's improvements through BITS.

Because BITS is known by firewalls to carry traffic from legitimate sources, such as necessary updates, it often doesn't search it when scanning for cyber threats, making it a perfect fit to carry malicious code.

Advertisement
Advertisement - Article continues below
Advertisement - Article continues below

The researchers said the method of the trojan's delivery was "beyond the scope of this investigation" but targets have been observed in UAE Saudi Arabia, Thailand and the Netherlands.

Links have been made between StealthFalcon and Project Raven, two groups previously thought to be independent of one another, after pieces from reports such as their file naming structure were found to be too similar to be different parties.

Amnesty International's Senior Technologist, Claudio Guarnieri, has concluded that Stealth Falcon and Project Raven actually are the same group.

Details of Project Raven were unearthed in a January Reuters investigation which allegedly found evidence that former NSA experts were helping UAE authorities track and hack dissidents, journalists and human rights activists.

Although leveraging BITS to hide malicious traffic is an unusual method, it has certainly been done before. Chinese state-sponsored hacking groups Periscope and Tropic Trooper are both believed to have launched similar attacks.

Featured Resources

Top 5 challenges of migrating applications to the cloud

Explore how VMware Cloud on AWS helps to address common cloud migration challenges

Download now

3 reasons why now is the time to rethink your network

Changing requirements call for new solutions

Download now

All-flash buyer’s guide

Tips for evaluating Solid-State Arrays

Download now

Enabling enterprise machine and deep learning with intelligent storage

The power of AI can only be realised through efficient and performant delivery of data

Download now
Advertisement

Recommended

Visit/security/30081/what-is-a-trojan-virus
Security

What is a Trojan?

14 Aug 2019
Visit/security/malware/355093/evasive-malware-threats-are-surging
malware

Evasive malware threats doubled in 2019

24 Mar 2020
Visit/security/355013/10-quick-tips-to-identifying-phishing-emails
Security

10 quick tips to identifying phishing emails

16 Mar 2020
Visit/business-strategy/mergers-and-acquisitions/354941/panda-security-to-be-acquired-by-watchguard
mergers and acquisitions

Panda Security to be acquired by WatchGuard

9 Mar 2020

Most Popular

Visit/software/video-conferencing/355138/zoom-beaming-ios-user-data-to-facebook-for-targeted-ads
video conferencing

Zoom beams iOS user data to Facebook for targeted ads

27 Mar 2020
Visit/infrastructure/server-storage/355118/hpe-warns-of-critical-bug-that-destroys-ssds-after-40000-hours
Server & storage

HPE warns of 'critical' bug that destroys SSDs after 40,000 hours

26 Mar 2020
Visit/software/355113/companies-offering-free-software-to-fight-covid-19
Software

These are the companies offering free software during the coronavirus crisis

25 Mar 2020
Visit/cloud/355098/ibm-dedicates-supercomputing-power-to-coronavirus-researchers
high-performance computing (HPC)

IBM dedicates supercomputing power to coronavirus research

24 Mar 2020