The Windows Background Intelligent Transfer Service (BITS), the mechanism through which Windows Update delivers patches, has been found to be abused to deliver the dangerous Stealth Falcon malware. BITS is the default way of applying updates to the Microsoft Windows operating system. A complex strategy is used to penetrate target networks.
Stealth Falcon Malware Delivered Via Abused Windows Update Mechanism
An experienced hacker collective is actively infecting victim computers by abusing the main way of applying Microsoft Windows updates, the Windows Background Intelligent Transfer Service (BITS). The end goal is to deliver a dangerous threat called Stealth Falcon. The complex hacking strategy used by the attackers allows them to hide network traffic that originates from the compromised devices and is directed to the hacker-controlled servers. What is known about the hackers is that they have been active since 2012 and are known for having orchestrated several state-sponsored attacks against dissidents in the United Arab Emirates.
What is distinct about this particular attack is that the masked traffic can easily pass through firewalls and intrusion detection services. The BITS mechanism, which is mainly used for delivering Windows Update patches, is also used by other applications; Mozilla is also adopting it for the Firefox browser. By default it is whitelisted by network rules and is trusted as safe traffic. At the moment the exact infection mechanism is not known, however there are a few possible infiltration tactics:
- Automated Toolkits — By using hacking software loaded with popular exploits, the criminals can automate the search for vulnerable hosts. Whenever one is encountered it will be infected and the main scripts will deliver the Stealth Falcon malware.
- Phishing Strategies — The criminals can rely on scam e-mail messages and faux websites that pose as being legitimate landing pages.
- Installers & Payload Carriers — A very popular mechanism is to create malicious installers of popular applications which are often used by end users. This is usually done by taking the original installers and modifying them with the malicious code. Payload carriers can be any file that can carry the infection scripts and commands; commonly the hackers rely on documents across all popular formats: databases, text files, spreadsheets and presentations.
Stealth Falcon Malware Capabilities
As soon as the necessary files are dropped on the target computer, Stealth Falcon will start its built-in mechanism. The main virus code is carried in a DLL file which sets itself to start automatically upon user login. It acts as a standard Trojan backdoor, able to hook into running processes, both system and user application ones. The list of commands that can be executed by the main engine is the following:
- CFG — Update configuration data
- K — Uninstall itself
- RC — Execute the specified application
- DL — Write downloaded data to file
- CF — Prepare a file for exfiltration
- CFW — Exfiltrate and delete files
The Stealth Falcon malware can access, edit and store its own values in the Windows Registry. Any manipulation of existing strings can lead to severe performance issues, errors and data loss. The malware can also scan the system and find out whether any security applications and services are running. Ones that are found will be bypassed or entirely removed. Exhibiting typical Trojan features, the Stealth Falcon malware will also report its progress automatically to a remote hacker-controlled server using a secure connection. This allows the hackers to steal user data, take over control of the systems and also deploy other threats.
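Because BITS traffic is trusted by default at the network edge (see the infiltration section above) and the malware uses the same channel to exfiltrate files, a host-side review of BITS jobs is the practical check. The following is an added example for defenders, not code from the article or from any vendor: it lists live BITS jobs for all users and past job starts from the BITS client event log, and flags any remote URL whose host is not on an allowlist. The allowlist entries and the internal WSUS name are assumptions to be replaced with your own environment's values.

```powershell
# Added example: flag BITS jobs whose remote host is not on a known-good list.
# Run elevated: -AllUsers and the operational log need administrator rights.
Import-Module BitsTransfer

# ASSUMPTION: placeholder allowlist; build yours from Windows Update, WSUS and
# vendors that legitimately use BITS in your environment.
$AllowedHosts = @('*.windowsupdate.com', '*.update.microsoft.com',
                  'wsus.example.internal')   # placeholder internal update server

function Test-AllowedHost {
    param([string]$HostName)
    foreach ($pattern in $AllowedHosts) {
        if ($HostName -like $pattern) { return $true }
    }
    return $false
}

# 1. Live jobs. Upload jobs are the exfiltration case; downloads are the
#    payload-delivery case. Both are reported with owner and local path.
$live = foreach ($job in Get-BitsTransfer -AllUsers -ErrorAction SilentlyContinue) {
    foreach ($file in $job.FileList) {
        $uri = [System.Uri]$file.RemoteName
        if (-not (Test-AllowedHost $uri.Host)) {
            [pscustomobject]@{
                Source = 'LiveJob'; Owner = $job.OwnerAccount
                Name   = $job.DisplayName; Type = $job.TransferType
                State  = $job.JobState; Remote = $file.RemoteName
                Local  = $file.LocalName; Time = $job.CreationTime
            }
        }
    }
}

# 2. Completed or deleted jobs are gone from Get-BitsTransfer, but the client
#    operational log records each job start (event 59) together with its URL.
$events = Get-WinEvent -FilterHashtable @{
    LogName = 'Microsoft-Windows-Bits-Client/Operational'; Id = 59
} -ErrorAction SilentlyContinue

$past = foreach ($e in $events) {
    $url = ($e.Properties.Value | Where-Object { $_ -match '^https?://' } |
            Select-Object -First 1)
    if ($url -and -not (Test-AllowedHost ([System.Uri]$url).Host)) {
        [pscustomobject]@{ Source = 'EventLog'; Owner = $null; Name = $null
                           Type = $null; State = $null; Remote = $url
                           Local = $null; Time = $e.TimeCreated }
    }
}

@($live) + @($past) | Sort-Object Time | Format-Table Source, Time, Type, Owner, Remote, Local -AutoSize
```

A hit is not proof of compromise on its own; correlate the owning account and local path with the process that created the job before acting, and feed the same query into scheduled collection so deleted jobs are still caught via the event log.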