Light Dark
September 10, 2019 By Shane Schick 2 min read

Security researchers discovered threat actors using an undocumented backdoor dubbed Win32/StealthFalcon to exfiltrate data to remote servers and run code on infected hosts.

According to the report from ESET, Win32/StealthFalcon is likely the work of a state-sponsored threat group that has previously been identified by several names, including Stealth Falcon and Project Raven. Win32/StealthFalcon may have been developed back in 2015 and has already been used in malware attacks against users in Thailand, Saudi Arabia, the United Arab Emirates (UAE) and the Netherlands. The undocumented backdoor bears similarities to another one the group wrote in PowerShell.

Breaking In Through BITS

Win32/StealthFalcon is notable in the way it abuses a standard component in Microsoft Windows: the Background Intelligent Transfer Service (BITS).

Best known as a mechanism for software vendors to provide automatic updates while a machine is not using its network connection, researchers believe Win32/StealthFalcon hid command-and-control (C&C) traffic within BITS. That not only allowed its malware to bypass firewalls, but may have duped security teams that would not have suspected such traffic as being malicious.

The group used a hardcoded key with RC4 to encrypt network communication from the compromised host and campaignID/target ID as a host identifier. This was the same approach StealthFalcon took with the backdoor it had created in PowerShell, which researchers said had very similar code to Win32/StealthFalcon.

Besides offering hackers an alternative to communicating with a C&C server using HTTP or HTTPS requests, researchers said BITS has the advantage of working during downtime periods and is harder to detect with security tools because it is exposed through a COM interface. Depending on what kind of bandwidth is needed to transfer files, BITS can also adjust the rate at which it works, making any unauthorized activity less noticeable.

How to Close an Undocumented Backdoor Like Win32/StealthFalcon

While an undocumented backdoor like Win32/StealthFalcon is deliberately harder to spot, IBM experts suggest organizations stand a better chance of detecting and responding to security threats by analyzing network flow data. This reduces false positives, offers greater visibility than log data and cannot be tampered with by cybercriminals.

Meanwhile, since humans might not always pay attention to unusual BITS activity, intrusion detection and prevention tools can offer a more automated and reliable way to identify groups such as Stealth Falcon as early as possible.

 |  |  |  |  | 
Shane Schick
Writer & Editor

More from

May 13, 2024

Debate rages over DMCA Section 1201 exemption for generative AI

2 min read - The Digital Millennium Copyright Act (DMCA) is a federal law that protects copyright holders from online theft. The DMCA covers music, movies, text and anything else under copyright.The DMCA also makes it illegal to hack technologies that copyright owners use to protect their works against infringement. These technologies can include encryption, password protection or other measures. These provisions are commonly referred to as the “Anti-Circumvention” provisions or “Section 1201”.Now, a fierce debate is brewing over whether to allow independent hackers…

May 10, 2024

CISA Malware Next-Gen Analysis now available to public sector

2 min read - One of the main goals of the Cybersecurity and Infrastructure Security Agency (CISA) is to promote security collaboration across the public and private sectors. CISA firmly believes that partnerships and effective coordination are essential to maintaining critical infrastructure security and cyber resilience.In faithfulness to this mission, CISA is now offering the Malware Next-Generation Analysis program to businesses and other organizations. This service has been available to government and military workers since November 2023 but is now available to the private…

May 9, 2024

Social engineering in the era of generative AI: Predictions for 2024

5 min read - Breakthroughs in large language models (LLMs) are driving an arms race between cybersecurity and social engineering scammers. Here’s how it’s set to play out in 2024.For businesses, generative AI is both a curse and an opportunity. As enterprises race to adopt the technology, they also take on a whole new layer of cyber risk. The constant fear of missing out isn’t helping either. But it’s not just AI models themselves that cyber criminals are targeting. In a time when fakery…

Topic updates

 Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today
© 2024 IBM Contact Privacy Terms of use Accessibility Cookie Preferences
Sponsored by si-icon-eightbarfeature