StealthFalcon Backdoor Communicates with C&C Servers Using Windows BITS

Delaware, USA – September 10, 2019 – State-sponsored group Stealth Falcon is known for targeted attacks on journalists and political activists with sophisticated malware. The group has been active since 2012, and researchers associate its activities with Project Raven campaign conducted by former NSA employees. ESET discovered another tool of the group that has been used since 2015 against victims in the Middle East, the Netherlands, and Thailand. StealthFalcon backdoor was used only in highly targeted attacks, and complete with a rare communication mechanism, that allowed it to remain undetected for a long time. Backdoor is designed to download and run additional malware, as well as discreetly extract the collected data exploiting Windows Background Intelligent Transfer Service. BITS is usually used to automatically download updates when the victim is not using the network connection, its mechanism is exposed through a COM interface, and firewalls often ignore such traffic. StealthFalcon contacts one of two C&C servers, information about which is stored in the Windows registry and can be changed by a specific command. If the servers are unavailable for a while, the backdoor removes itself and traces of its spy activity. Persistence is ensured by a scheduled task that loads a malicious DLL every time the system boots.

This malware is significantly different from the PowerShell backdoor previously used by the Stealth Falcon group, but researchers have found enough evidence to attribute it. One of the C&C servers was used by both backdoors for communications, and both tools have almost identical logic. Windows BITS abusing is rarely used by threat actors, but this technique is extremely difficult to counter. You can detect the presence of such malware by spotting the traces it leaves in the system.
Rule digest for ‘Scheduled Task’ technique –