Stealth Falcon is a state-sponsored cyber espionage group that has targeted political activists and journalists in the Middle East since 2012.

Security researchers from ESET have discovered new malware associated with Stealth Falcon that abuses a built-in component of the Microsoft Windows operating system to communicate with its command-and-control servers:

In its communication with the C&C server, Win32/StealthFalcon uses the standard Windows component Background Intelligent Transfer Service (BITS), a rather unusual technique. BITS was designed to transfer large amounts of data without consuming a lot of network bandwidth, which it achieves by sending the data with throttled throughput so as not to affect the bandwidth needs of other applications. It is commonly used by updaters, messengers, and other applications designed to operate in the background.

This means that BITS tasks are more likely to be permitted by host-based firewalls.

What is BITS?

According to Microsoft documentation:

Background Intelligent Transfer Service (BITS) is used by programmers and system administrators to download files from or upload files to HTTP web servers and SMB file shares. BITS will take the cost of the transfer into consideration, as well as the network usage so that the user's foreground work has as little impact as possible. BITS also handles network interruptions, pausing and automatically resuming transfers, even after a reboot. BITS includes PowerShell cmdlets for creating and managing transfers as well as the BitsAdmin command-line utility.
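
Because BITS traffic tends to pass host-based firewalls, defenders can review the BITS job queue itself using the PowerShell cmdlets mentioned above. The following audit script is an added example, not code from ESET or Microsoft; the function names and the allowlist entries are assumptions and must be replaced with the hosts your environment actually expects.

```powershell
# Added example: list BITS jobs whose remote endpoint is not on an allowlist.
# Run from an elevated prompt so that -AllUsers can see every user's jobs.

# Constructed sample allowlist (assumption): replace with your own update/CDN hosts.
$AllowedHosts = @(
    'download.windowsupdate.com',
    'updates.example.internal'   # placeholder host
)

# Hypothetical helper: exact match or subdomain match, case-insensitive.
function Test-AllowedHost {
    param([string]$HostName, [string[]]$Allowed)
    foreach ($a in $Allowed) {
        if ($HostName -eq $a -or $HostName -like "*.$a") { return $true }
    }
    return $false
}

# Hypothetical helper: emits one record per job file that points at an unlisted host.
function Get-UnexpectedBitsJob {
    param([string[]]$Allowed = $AllowedHosts)
    foreach ($job in Get-BitsTransfer -AllUsers) {
        foreach ($file in $job.FileList) {
            # RemoteName is an HTTP(S) URL or an SMB path; both parse as absolute URIs.
            $uri = $null
            $ok  = [System.Uri]::TryCreate($file.RemoteName,
                       [System.UriKind]::Absolute, [ref]$uri)
            $remoteHost = if ($ok) { $uri.Host } else { '' }
            if (-not (Test-AllowedHost -HostName $remoteHost -Allowed $Allowed)) {
                [pscustomobject]@{
                    JobId        = $job.JobId
                    DisplayName  = $job.DisplayName
                    Owner        = $job.OwnerAccount
                    TransferType = $job.TransferType   # Download, Upload or UploadReply
                    State        = $job.JobState
                    Created      = $job.CreationTime
                    RemoteHost   = $remoteHost
                    RemoteName   = $file.RemoteName
                    LocalName    = $file.LocalName
                }
            }
        }
    }
}

Get-UnexpectedBitsJob | Sort-Object Created | Format-List
```

Upload jobs to hosts outside the allowlist deserve the closest look, since they move data off the machine. Jobs that have already completed and been removed will not appear in the queue.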