Malware authors are constantly trying to design new ways to sneak their malware past security appliances. Stealth is a high priority for malicious software because, in many cases, detection of malware on a system means that it is no longer usable. Once a piece of malware is detected, security researchers generate a signature that is used to uniquely identify it and push this signature out to security products like antiviruses. If during a scan, an antivirus finds a file that matches one of its signatures, that file is quarantined or deleted.
One area where malware authors work very hard to be stealthy is in a malware sample’s network traffic. Most cyberattacks work over the network both in the delivery of the malware to a target machine and any communication between the malware and its owner after infection. Organizations take advantage of this to scale their protections since a single network security appliance can monitor and protect the entire network.
A new malware sample, called Stealth Falcon, takes a new approach to evade detection on the network. It uses the BITS protocol on Windows machines, which is commonly enabled and allowed to pass through organizations’ firewalls. The protocol is ideally suited for exfiltrating data and demonstrates the need for a good Data Leakage Prevention (DLP) tool to identify and shut down this unusual data exfiltration pathway.
What is the BITS Protocol?
The Stealth Falcon malware is designed to be stealthy in a number of different ways. However, the unique feature of it is the use of the BITS protocol for data exfiltration.
The Background Intelligent Transfer Service (BITS) protocol was designed by Microsoft to allow uploads and downloads of large files without impacting a user’s network connection speeds. This protocol is commonly used for downloading software updates, so many organizations allow it to pass through their firewall. The terms “background” and “intelligent” in the BITS protocol name refer to the fact that it does its best to minimize its impact on the user’s experience on the computer. BITS identifies when a computer has unused network bandwidth and uses this bandwidth for the download. Downloads can be throttled (made to run very slowly) and performed asynchronously (starting and stopping rather than flowing continuously). As a result, the BITS protocol is very discreet, which makes it difficult to identify when it is running on a network.
The Stealth Falcon Malware
The discreetness of the BITS protocol’s communications makes it ideal for malware trying to keep its command and control (C2) communications under the radar. Additionally, since BITS is unlikely to be blocked at the firewall and is used by multiple different software vendors for updates, most organizations are unlikely to be suspicious of it downloading and uploading data to unusual domains.
Recently, the Stealth Falcon malware has been discovered to be using BITS for its data exfiltration and C2 communications. The asynchronous nature of the BITS protocol ensures that a security appliance only monitoring for spikes in the volume of traffic, a common indicator of attempted data exfiltration, will miss the communications. Stealth Falcon takes extra care to hide its communications by making an encrypted copy of the file before transmission and deleting log files and the encrypted copies of files once the communication is completed. Since BITS uploads/downloads have the ability to persist across reboots and user logouts, the malware’s C2 protocol is both stealthy and robust.
The Stealth Falcon malware gets its name from a suspected association with the Stealth Falcon hacking group. Some of the servers used for the malware’s command and control communications have also been used by other malware variants created by this group. While Stealth Falcon’s use of BITS appears to be relatively new, the hacking group has been operating since at least 2012, and the malware was likely created in 2015.
Detecting Data Exfiltration
The Stealth Falcon malware demonstrates the lengths that hackers are willing to go to in order to conceal their operations and continue to operate. For Advanced Persistent Threats (APTs) like the Stealth Falcon group, it is better to remain unnoticed and steal data over a long period of time than to perform flashy attacks for notoriety.
The use of the BITS protocol was an inspired choice for this malware. The protocol is essentially designed to conceal communications from the user (to minimize performance impacts), is widely used and trusted, and operates using a COM interface, making it harder for security appliances to monitor.
The use of BITS for data exfiltration demonstrates that an effort to simply monitor an organization’s network traffic for anomalies is not sufficient to protect its sensitive information. BITS flies under the radar, and organizations will need to catch the attempted theft earlier in the process in order to identify this and other types of stealthy attacks.
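Because BITS traffic blends in on the wire, one place a defender can still catch it is the BITS job queue on the endpoint itself. The following PowerShell script is an added example, not code from the article or from any vendor: it enumerates BITS jobs for all users and flags upload jobs and jobs whose remote host is not on an allowlist. The allowlist entries are placeholders for the update hosts an organization actually relies on.

```powershell
# Added example: hunt for suspicious BITS jobs on a Windows host.
# Requires an elevated session (Get-BitsTransfer -AllUsers needs admin rights).
# $AllowedHosts is a placeholder list; replace it with your organization's known
# update/CDN hosts before relying on the results.
Import-Module BitsTransfer

$AllowedHosts = @(
    'windowsupdate.com',
    'update.microsoft.com'
)

function Test-AllowedHost {
    param([string]$Url)
    # Treat unparsable URLs as unknown so they are surfaced rather than ignored.
    try { $uri = [System.Uri]$Url } catch { return $false }
    foreach ($h in $AllowedHosts) {
        if ($uri.Host -eq $h -or $uri.Host.EndsWith(".$h")) { return $true }
    }
    return $false
}

$findings = foreach ($job in Get-BitsTransfer -AllUsers) {
    foreach ($file in $job.FileList) {
        # Upload and UploadReply jobs are the exfiltration direction; a normal
        # software-update client only creates Download jobs.
        $isUpload = $job.TransferType -ne 'Download'
        $known    = Test-AllowedHost -Url $file.RemoteName
        if (-not $isUpload -and $known) { continue }

        $reason = if ($isUpload) { 'UploadJob' } else { 'UnknownHost' }
        [pscustomobject]@{
            Reason    = $reason
            JobName   = $job.DisplayName
            Owner     = $job.OwnerAccount
            State     = $job.JobState
            Type      = $job.TransferType
            Created   = $job.CreationTime
            RemoteUrl = $file.RemoteName
            LocalFile = $file.LocalName
        }
    }
}

if ($findings) {
    $findings | Sort-Object Created | Format-Table -AutoSize
} else {
    Write-Host 'No upload or unknown-host BITS jobs found in the current queue.'
}
```

Jobs that have already completed and been cleaned up (as the article notes Stealth Falcon does) no longer appear in the queue, so this check catches in-progress, suspended or persisted jobs and should be paired with retention of the Microsoft-Windows-Bits-Client/Operational event log for the historical record.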
In order to exfiltrate sensitive data, an attacker first needs to have access to it. Sensitive information is often stored in hardened databases with little or no access to the Internet. Hackers commonly copy repositories of sensitive data to another machine for exfiltration or may make encrypted copies like the Stealth Falcon malware does prior to exfiltration.
By actively searching for and identifying repositories of sensitive data and monitoring access to them, an organization can identify anomalous behavior that may be indicative of an attack. The Stealth Falcon malware demonstrates the importance and value of deploying a strong data security solution in the enterprise.