Windows BITS misused by hackers for data transfer to a remote server

Stealth Falcon hacker group is responsible for the distribution of Win32/StealthFalcon malware

Stealth Falcon appears to be the one behind the recent Win32/StealthFalcon malware attacks

Reports related to a malware strain that is capable of misusing Windows BITS have already reached the surface throughout various Internet-based news sources. According to experts' reports, this dangerous malware form misuses a legitimate windows service to secretly transfer illegally collected information to a remote server that is held by the hackers.

Besides, this malware string has the name of Win32/StealthFalcon which is given to the virus due to its creators that are known as Stealth Falcon group. This hacker group has been active for 7 years now and is already known for attacking worldwide people in the UAE by delivering spyware to their machine systems.^[1] However, the new cyber threat appears to have already been developed in 2015.

Nevertheless, this new malware includes the same database and remote servers on which a malicious backdoor virus is also kept installed. The other virus appears to operate via PowerShell commands and is also linked to the Stealth Falcon group.^[2]

The new malware strain misuses the Windows BITS service for remote data transferring

Now the hacker group has created a new malware strain that misuses the BITS service, also known as Windows Background Intelligent Transfer Service. According to our discovered sources, the BITS service is commonly used by Windows XP and other newer operating systems. Researchers describe the program like this:^[3]

Background Intelligent Transfer Service (BITS) is a component of Microsoft Windows XP and later iterations of the operating systems, which facilitates asynchronous, prioritized, and throttled transfer of files between machines using idle network bandwidth. It is most commonly used by recent versions of Windows Update, Microsoft Update, Windows Server Update Services, and System Center Configuration Manager to deliver software updates to clients, Microsoft's anti-virus scanner Microsoft Security Essentials (a later version of Windows Defender) to fetch signature updates, and is also used by Microsoft's instant messaging products to transfer files.

Due to the fact that the Background Intelligent Transfer Service operates through a COM, malware can easily reach the targeted computer system and begin its operation process. This is how Win32/StealthFalcon ends up on the machine unnoticed.

Win32/StealthFalcon is also capable of injecting other harmful products onto the targeted system

Once the malicious strain is put on the system, the cyber threat begins gathering sensitive data that is located on the machine. All files and documents are encrypted and transferred in a copy to a remote server controlled by the hackers.^[4] After that, the gathered information is deleted from the machine where it has been found. Bad actors do this to prevent data recovery of lost files.

Sadly, this is not all that the virus can bring to the infected computer, other activities might also be promoted by Win32/StealthFalcon. According to technology experts, the malware is a DLL component that might inject other dangerous tools to the system and carry out illegal actions with the harmful software:^[5]

Win32/StealthFalcon is a DLL file which, after execution, schedules itself as a task running on each user login. It only supports basic commands but displays a systematic approach to data collection, data exfiltration, employing further malicious tools, and updating its configuration.