BITS Transfer Job Downloads from File Sharing Domains
Adversaries leverage the Windows Background Intelligent Transfer Service (BITS) to download malicious payloads from legitimate file-sharing and cloud storage domains, enabling stealthy ingress of tools and malware onto compromised systems, a technique observed in campaigns by ransomware groups and nation-state actors.
The Windows Background Intelligent Transfer Service (BITS) is a legitimate component of the operating system designed for asynchronous, prioritized, and throttled transfer of files between machines. Threat actors frequently abuse BITS to download additional malicious tools, payloads, or command and control (C2) configurations onto compromised systems. This technique allows them to blend in with legitimate network traffic, as BITS often utilizes standard HTTP/HTTPS protocols and can bypass some traditional network defenses. The observed activity involves BITS transfer jobs specifically downloading files from popular, legitimate file-sharing or cloud storage domains, such as githubusercontent.com, cdn.discordapp.com, mega.nz, and storage.googleapis.com. This approach provides attackers with a relatively trusted channel to stage and retrieve their malicious assets, making detection more challenging. The technique has been observed in campaigns by ransomware groups like Hive, Conti, and AvosLocker, as well as nation-state actors like Mint Sandstorm targeting high-profile individuals.
Attack Chain
- An adversary gains initial execution on a target system through various means (e.g., exploiting a vulnerability, phishing).
- To avoid detection and ensure reliable payload delivery, the attacker decides to use a trusted Windows service for ingress.
- The attacker programmatically (e.g., via PowerShell or a custom tool) or through
bitsadmin.execreates a new BITS transfer job. - The BITS job is configured to download a malicious executable or script from a URL hosted on a legitimate, but abused, file-sharing or cloud storage service (e.g.,
anonfiles.com,mega.nz). - The attacker initiates or schedules the BITS job, allowing the download to proceed in the background, resilient to network interruptions.
- The BITS client successfully transfers the malicious file to a local staging directory on the compromised host. This activity generates a BITS Client Event ID 16403.
- The attacker then executes the newly downloaded payload, which could be anything from a backdoor, ransomware, or additional reconnaissance tools.
- This leads to further compromise, such as data exfiltration, lateral movement, or the deployment of ransomware, achieving the attacker's final objective.
Impact
Successful exploitation using BITS for ingress typically results in the stealthy delivery and execution of secondary payloads. This can range from installing persistent backdoors for long-term access, deploying ransomware to encrypt critical data and extort payment, to exfiltrating sensitive information. The use of legitimate file-sharing services and BITS makes it harder for security teams to differentiate malicious activity from benign operations, leading to delayed detection and containment. Campaigns leveraging this technique have impacted various sectors, including universities and research organizations, indicating a broad targeting scope. The ultimate damage depends on the nature of the delivered payload, but it often includes financial loss, reputational damage, and operational disruption.
Recommendation
- Deploy the provided Sigma rule "BITS Transfer Job Download From File Sharing Domains" to detect suspicious BITS activity targeting common file-sharing domains.
- Ensure BITS client operational logs (Event ID 16403) are enabled and collected in your SIEM for comprehensive monitoring of file transfers.
- Review network egress policies to restrict direct access to known file-sharing and cloud storage services from non-essential endpoints, where feasible, to mitigate the risk of BITS abuse.
- Implement application whitelisting to prevent the execution of unauthorized payloads downloaded via BITS or any other method, thereby limiting the impact of successful ingress.
Detection coverage 1
BITS Transfer Job Download From File Sharing Domains
highDetects BITS transfer job downloading files from legitimate file-sharing or cloud storage domains, a common technique for stealthy ingress of malicious payloads.
Detection queries are available on the platform. Get full rules →