B.I.T.S Loader Attracting Cybercriminals


The Background Intelligent Transfer Service (BITS) is a legitimate Microsoft program used for creating and monitoring jobs over the network. Since it is a Windows legacy program it isn’t widely detected by AV solutions, making it attractive to cybercriminals for malware delivery and persistence. Recent emails targeting the Financial sector utilize BITS functionality by embedding it in heavily obfuscated Word documents, and with the use of LNK files. Monitoring BITS jobs in work environments is important to identify unwanted or unauthorized downloads and uploads. In the past, BITS was used to deliver banking trojans like DarkComet and GlobeImposter ransomware, and it is assessed with high confidence that it will continue to be utilized for both malware delivery and persistence, particularly against Windows based systems that would otherwise be considered highly locked down or security hardened. This report focuses on these two recent implementations of BITS, and looks at other ways BITS is leveraged in the wild.

Wapack Labs has cataloged and reported on malware targeting the financial sector in the past. An archive of related reporting can be found in the Red Sky Alliance portal.  


This TLP AMBER report is available only to Red Sky Alliance members.

Possible Emerging Threat – Elastic Stack Targeting

On 5 November 2017, Wapack Labs identified potential targeting of the Elastic Stack (FKA ELK), for potential ransomware or extortion. While only two data points exist, this could suggest the beginning of a trend of attacks against Elastic instances. What is Elastic? The Elastic Stack, previously known as ELK, is an open source alternative to commercial aggregation and analysis tools like Splunk. With over 500,000 new downloads per month and 100M to date, Elastic is one of the largest distributions of analysis and visualization tools for high end analytics. Elastic is a plentiful target.

Wapack Labs has cataloged and reported on potential targeting of analysis tools in the past. An archive of related reporting can be found in the Red Sky Alliance portal.


DDoS Attacks and Typo-Squatting of Popular Tor Markets

Wapack Labs observed several popular Tor underground markets suffering concurrent DDoS and typo squatting attacks. On 16 October 2017, only two of the big five illegal drug markets were active, Silk Road 3 and Valhalla. The most popular forums, TradeRoute (AlphaBay replacement), Tochka, and Dream Market were all offline. Wapack Labs believes with medium confidence that hackers are likely typo squatting these forums by phishing those domains. The newer forums, Wall Street Market and RsClub Market, were also offline and being typo squatted.

While the typo squatting and DDoSing of popular onions is historically common, simultaneous occurrence of both these activities is of analytical interest. It is unclear at this reporting who is conducting these attacks, but Wapack Labs believes with medium confidence these actions may be in response to recent international law enforcement takedowns of several similar major dark web markets. Wapack Labs will continue to monitor the Tor network for current and new fraud markets, as these forums directly affect financial fraud.


New Emotet Tactics Employing Embedded URL Links

Emotet is a credential stealing trojan with the ability to drop payloads and move laterally through networks. Emotet spreads by E-mail to addresses gained from the address books of previous victims. In October of 2017, Wapack Labs observed a new Emotet campaign targeting multiple industries. This recent campaign is characterized by changes in Tactics, Techniques, and Procedures (TTPs). These changes include the use of embedded URLs (or links) instead of attachments, and newly adopted obfuscation techniques. Emotet’s ability to spread to compromised email contacts aids in the increase of infections. E-mails propagated in this manner likely have a higher infection rate as they originate from a known contact. This report looks at the new TTPs observed including changes in delivery, obfuscation, and the Visual Basic embedded macros.