New ESET research reveals that Stealth Falcon, a cyber espionage group targeting political activists and journalists in the Middle East, has changed tactics and now uses a backdoor that relies on the Windows Background Intelligent Transfer Service (BITS) instead of the PowerShell-based backdoor the group used in previous campaigns.
The BITS “notification” feature is used by Windows and other software for application updates. It “was designed to transfer large amounts of data without consuming a lot of network bandwidth,” and is capable of handling basic commands. The researchers note that because BITS is a standard Windows component, “BITS tasks are more likely to be permitted by host-based firewalls.” Stealth Falcon takes advantage of these features to create a persistent backdoor on targeted devices, which can then be used to exfiltrate sensitive data and for other malicious purposes.
Read more: Stealth Falcon Targets Middle East with Windows BITS Feature