Suspicious Bluetooth Service Installation from Uncommon Location
The creation of a Windows service named 'BluetoothService' with a binary path in user-writable directories, such as %AppData%, indicates potential malware persistence, as seen in the Lotus Blossom Chrysalis backdoor campaign.
This threat brief focuses on the anomalous installation of a Windows service named "BluetoothService" from user-writable directories. The Lotus Blossom group used this technique in their Chrysalis backdoor campaign, creating a service that pointed to a malicious binary disguised as the Bitdefender Submission Wizard, located within a hidden AppData directory. This method bypasses standard security measures by mimicking legitimate service installation procedures but placing the malicious service executable in an unexpected location. Legitimate Bluetooth services in Windows are system services with binaries located in System32, making user-directory installations highly suspicious. Monitoring for this activity can help identify potential malware persistence mechanisms. This technique is used for persistence and defense evasion.
Attack Chain
- The attacker gains initial access to the system (potentially through phishing or exploiting a vulnerability).
- The attacker drops a malicious executable, masquerading as a legitimate application (e.g., renaming a binary to resemble a Bitdefender tool).
- The attacker creates a new Windows service named "BluetoothService" (or "Bluetooth Service").
- The "ImagePath" of this service is set to point to the malicious executable located in a user-writable directory (e.g., %AppData%, %ProgramData%, %Temp%, or a user-specific Bluetooth folder).
- The service is configured to start automatically, ensuring persistence across reboots.
- When the system starts, the malicious "BluetoothService" executes the attacker's code.
- The attacker leverages the service to establish a backdoor for remote access and control.
- The attacker performs further malicious activities, such as data exfiltration or lateral movement.
Impact
Successful exploitation allows attackers to establish persistence on the compromised system, enabling them to maintain unauthorized access even after reboots. This can lead to data theft, system compromise, and further propagation of the attack within the network. The Lotus Blossom group has historically targeted organizations in the aerospace, defense, and high-tech sectors, and similar campaigns could result in significant intellectual property loss and reputational damage.
Recommendation
- Monitor Windows Event Log (Event ID 7045) for service creation events, focusing on services named "BluetoothService" or "Bluetooth Service" (data_source).
- Implement the provided Sigma rule to detect the creation of "BluetoothService" with an "ImagePath" pointing to user-writable directories (%AppData%, %ProgramData%, %Temp%, %Users%*\Bluetooth) (rules).
- Investigate any instances of "BluetoothService" being created from unusual locations, comparing the binary against known good software (rules).
- Review and harden endpoint security configurations to prevent unauthorized service creation in user-writable directories (T1543.003).
- Educate users about the risks of running executables from untrusted sources and the dangers of social engineering tactics (T1036).
Detection coverage 2
Detect Bluetooth Service Installed From Uncommon Location
highDetects the creation of a Windows service named 'BluetoothService' with a binary path in user-writable directories, indicating potential malware persistence.
Detect Bluetooth Service Registry Modification
mediumDetects registry modifications related to the 'BluetoothService' service pointing to uncommon locations
Detection queries are available on the platform. Get full rules →