Villains used Windows Background ITS for Ryuk attacks

Attackers use Windows Background Intelligent Transfer Service (BITS) to implement malicious payloads on Windows computers. Of course, they do this stealthily.

A recent research proves that attackers use an unknown persistence mechanism which shows they used BITS to launch the backdoor.

Windows Background ITS – a tool for attackers

An ever-shifting phishing campaign hit hospitals and medical centres, last year. Thus, the attackers distributed a custom backdoor, which opened the way for RYUK ransomware attacks.

FireEye revealed the new mechanism which takes advantage of the BITS. In fact, BITS came to users starting Windows XP. It’s a component which uses the inactive network bandwidth.

So, it facilitates the transfer of files between computers. In order to do this, BITS creates a container with the files.

Its creators came with BITS to deliver updates for the OS and also to fetch malware signature updates. But some other apps also use it, such as Mozilla Firefox. Thus, they allow downloads to continue, even though the browser is closed.

How hackers worked?

According to FireEye, “when malicious applications create BITS jobs, files are downloaded and/or uploaded in the context of the service host process.” So, hackers use this technique to evade firewalls that might block processes.

Also, “it helped them obscure which application requested the transfer.” Thus, Ryuk infections managed to make such jobs like “system update” in order to launch executable files. These triggered the backdoor after they trying to download an invalid URL.

“Researchers mentioned that “The malicious BITS job was set to attempt an HTTP transfer of a nonexistent file from the localhost.” Because the file does not exist, BITS launches a notify command, which is the backdoor.

In order to help with the incident response, researchers came with BitsParser, a Python utility which extracts job and file for further analysis.