Windows Machines Targeted by BITSLOTH Backdoor

Windows machines are being targeted by the new BITSLOTH backdoor, which facilitates command-and-control via the Background Intelligent Transfer Service to better evade detection, according to The Hacker News.
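Because the backdoor's command-and-control rides on BITS, one practical detection angle is to review the BITS jobs a host has started and flag transfers to hosts outside an organisational allow list. The following Python script is an added example, not code from the article or from Elastic Security Labs: it triages records shaped like Microsoft-Windows-Bits-Client/Operational event ID 59 ("BITS started the ... transfer job that is associated with the ... URL."). The event records, the allow list, and the untrusted hosts are all constructed for illustration and are not indicators from the incident.

```python
"""Triage BITS job-start events for transfers to hosts outside an allow list.

Added example. The SAMPLE_EVENTS below are constructed to resemble
Microsoft-Windows-Bits-Client/Operational event ID 59 messages; they are not
real telemetry, and TRUSTED_HOST_SUFFIXES is an assumed organisational policy.
"""
import ipaddress
import re
from urllib.parse import urlparse

# Assumed allow list: hosts this organisation expects BITS to talk to.
TRUSTED_HOST_SUFFIXES = ("windowsupdate.com", "microsoft.com", "update.corp.example")

# Constructed sample events; field names follow the Windows event XML (EventID, Message).
SAMPLE_EVENTS = [
    {"EventID": 59, "Message": "BITS started the WU Client Download transfer job that is "
                               "associated with the http://download.windowsupdate.com/c/msdownload/update/x.cab URL."},
    {"EventID": 59, "Message": "BITS started the Microsoft Edge Update transfer job that is "
                               "associated with the https://msedge.b.tlu.dl.delivery.mp.microsoft.com/file URL."},
    {"EventID": 59, "Message": "BITS started the updater transfer job that is "
                               "associated with the http://198.51.100.23:8080/u/check URL."},
    {"EventID": 59, "Message": "BITS started the  transfer job that is "
                               "associated with the https://cdn.example-untrusted.net/pkg.bin URL."},
    # Event 60 (transfer stopped) is informational here and is skipped by triage().
    {"EventID": 60, "Message": "BITS stopped transferring the WU Client Download transfer job that is "
                               "associated with the http://download.windowsupdate.com/c/msdownload/update/x.cab URL. "
                               "The status code is 0x0."},
]

# The remote URL sits between "associated with the " and " URL." in the message text.
URL_RE = re.compile(r"associated with the (\S+?) URL\.")


def extract_url(message):
    """Return the remote URL named in an event message, or None if absent."""
    match = URL_RE.search(message)
    return match.group(1) if match else None


def host_is_trusted(host):
    """True when the host equals, or is a subdomain of, an allow-listed suffix."""
    return any(host == s or host.endswith("." + s) for s in TRUSTED_HOST_SUFFIXES)


def classify_url(url):
    """Return the reasons a BITS target URL looks suspicious (empty list if none)."""
    parsed = urlparse(url)
    host = parsed.hostname or ""
    reasons = []
    if not host_is_trusted(host):
        reasons.append("host not on allow list")
    try:
        ipaddress.ip_address(host)          # raises ValueError for ordinary hostnames
        reasons.append("raw IP address instead of hostname")
    except ValueError:
        pass
    if parsed.port not in (None, 80, 443):
        reasons.append(f"non-standard port {parsed.port}")
    return reasons


def triage(events):
    """Return (event_id, url, reasons) for job-start events whose URL looks suspicious."""
    findings = []
    for event in events:
        if event.get("EventID") != 59:   # only job-start records carry a fresh target URL worth triaging
            continue
        url = extract_url(event["Message"])
        if url is None:
            continue
        reasons = classify_url(url)
        if reasons:
            findings.append((event["EventID"], url, reasons))
    return findings


if __name__ == "__main__":
    for event_id, url, reasons in triage(SAMPLE_EVENTS):
        print(f"event {event_id}: {url} -> {'; '.join(reasons)}")
```

On a live host the same logic can be fed from the exported operational log (or from the output of `Get-BitsTransfer -AllUsers`), and the allow list should be built from the update and software-distribution hosts the environment actually uses, since a BITS job to an unfamiliar host is exactly the signal this technique is designed to hide among legitimate traffic.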

The newly identified malware strain has been codenamed BITSLOTH by Elastic Security Labs, which discovered its use on June 25, 2024 after it was deployed in an attack against a South American government's foreign ministry. The activity cluster is being tracked under the moniker REF8747.

The latest iteration of BITSLOTH, which is believed to have been under active development since December 2021, includes 35 handler functions along with enumeration, command-line execution, and discovery capabilities, according to the analysis from Elastic Security Labs.

Beyond screen capture, keylogging, file upload and download, and command execution, BITSLOTH can remove or reconfigure its persistence, reboot or shut down the system, change its communication mode, terminate arbitrary processes, and update or delete itself on the host, the researchers said. They linked the backdoor to Chinese speakers based on its logging functions and strings, as well as its use of the open-source tool RingQ, which has previously been leveraged by a Chinese threat actor.