Misuse of Microsoft (MSFT) Background Intelligent Transfer Service spotted
In recent news, Dell SecureWorks researchers discovered a dangerous technique that misuses Microsoft's Background Intelligent Transfer Service (BITS). In the method they observed, attackers created malicious, self-contained BITS tasks that did not appear in the registries of the successfully exploited systems.
Initially, a Windows 7 machine in an academic administration environment was found vulnerable to this attack, which led to several malicious activities. The attack was predominantly aimed at pulling malware from a remote server and then running installation and clean-up scripts once the payload was installed.
The official blog post by SecureWorks mentions: “One way to enumerate these tasks is to execute the bitsadmin client from a cmd.exe session with elevated privileges (bitsadmin /list /allusers /verbose).”
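An added example, not taken from the SecureWorks post or this article: a Python triage of saved `bitsadmin /list /allusers /verbose` output that lists the jobs configured to run a command when the transfer finishes. The sample output is constructed and simplified; the field labels it relies on (`GUID:`, `DISPLAY:`, `OWNER:`, `NOTIFICATION COMMAND LINE:`) are assumptions about the bitsadmin layout, and `parse_jobs` and `triage` are hypothetical helper names.

```python
import re

# Constructed sample, simplified from the assumed layout of
# `bitsadmin /list /allusers /verbose`; GUIDs, hosts and paths are placeholders.
SAMPLE = r"""
GUID: {11111111-1111-1111-1111-111111111111} DISPLAY: 'Font Update'
TYPE: DOWNLOAD STATE: SUSPENDED OWNER: CORP\alice
JOB FILES:
    0 / UNKNOWN WORKING https://updates.example.com/fonts.cab -> C:\Temp\fonts.cab
NOTIFICATION COMMAND LINE: none

GUID: {22222222-2222-2222-2222-222222222222} DISPLAY: 'System Sync'
TYPE: DOWNLOAD STATE: ERROR OWNER: NT AUTHORITY\SYSTEM
JOB FILES:
    0 / UNKNOWN WORKING http://host.example.net/a.zip -> C:\ProgramData\a.zip
NOTIFICATION COMMAND LINE: 'C:\Windows\system32\cmd.exe' '/c C:\ProgramData\run.bat'
"""

def parse_jobs(text):
    """Split verbose output into one dict per job, starting at each GUID line."""
    jobs = []
    for block in re.split(r"(?m)^(?=GUID: )", text):
        head = re.search(r"GUID: (\{[^}]+\}) DISPLAY: '(.*?)'", block)
        if not head:
            continue  # leading banner or blank text before the first job
        owner = re.search(r"OWNER: (.+)", block)
        notify = re.search(r"(?m)^NOTIFICATION COMMAND LINE: (.*)$", block)
        jobs.append({
            "guid": head.group(1),
            "display": head.group(2),
            "owner": owner.group(1).strip() if owner else "",
            "urls": re.findall(r"(https?://\S+) -> ", block),
            "notify": notify.group(1).strip() if notify else "none",
        })
    return jobs

def triage(jobs):
    """Keep only jobs that launch a program once the transfer completes or fails."""
    return [job for job in jobs if job["notify"].lower() != "none"]

if __name__ == "__main__":
    for job in triage(parse_jobs(SAMPLE)):
        print(job["guid"], job["owner"], job["notify"], job["urls"])
```

Save the command's output to a file from the elevated session and pass its contents to `parse_jobs`; each job returned by `triage` should be traced to a known application or administrator.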
However, upon explaining everything, SecureWorks produced the following output: