Suspicious Download From File-Sharing Website Via Bitsadmin
This threat brief details the detection of adversaries leveraging the legitimate Windows Background Intelligent Transfer Service (BITSAdmin) utility to download malicious payloads from suspicious file-sharing and cloud storage domains, a technique commonly employed by ransomware groups and APTs for ingress tool transfer and stealthy execution.
Adversaries frequently abuse the Windows BITSAdmin utility to download additional tools and payloads, bypassing traditional security controls due to its nature as a legitimate, signed Microsoft binary. This technique allows attackers to perform ingress tool transfer (MITRE ATT&CK T1105) from various file-sharing and cloud storage services like GitHub, Mega.nz, or Discord's CDN, making detection challenging. Observed in campaigns like Mint Sandstorm and by ransomware groups such as Hive, Conti, and AvosLocker, this method enables stealthy delivery of malware. The activity is particularly concerning when bitsadmin.exe initiates downloads from domains typically used for public file hosting, indicating a likely attempt to fetch staged malicious components after initial compromise. Detecting this behavior is crucial for identifying early stages of compromise and preventing further attacker progression.
Attack Chain
- Initial Access: Adversaries gain initial access, often via phishing campaigns delivering malicious documents or exploiting a vulnerable internet-facing service, leading to arbitrary code execution.
- Execution: A command interpreter (e.g.,
cmd.exeorpowershell.exe) is executed with administrative privileges to launch subsequent commands. - Ingress Tool Transfer: The
bitsadmin.exeutility is invoked with parameters like/transfer,/create, or/addfileto initiate a background download. - Staging Payload:
bitsadmin.exedownloads a malicious executable, script, or DLL from a suspicious file-sharing or cloud storage domain (e.g.,dl.dropboxusercontent.com,cdn.discordapp.com,mega.nz) to a temporary or public-facing directory on the compromised system. - Further Execution: The newly downloaded malicious payload is then executed, often via another command or script, to establish persistence or escalate privileges.
- Impact: The execution of the payload leads to the final objective, which commonly includes deploying ransomware, exfiltrating sensitive data, or establishing long-term command and control within the victim's network.
Impact
Successful exploitation of this technique can lead to severe consequences, as it facilitates the delivery of sophisticated malware, including ransomware, backdoors, and credential stealers. Organizations targeted by such attacks, particularly those in critical infrastructure sectors or government, face significant data loss, operational disruption, and financial repercussions. Campaigns like Mint Sandstorm have targeted high-profile individuals at universities and research organizations, indicating a focus on sensitive intellectual property. The use by ransomware groups such as Hive, Conti, and AvosLocker highlights the potential for widespread encryption of systems and extortion demands, resulting in costly recovery efforts and reputational damage for affected entities.
Recommendation
- Deploy the provided Sigma rule to your SIEM and tune for your environment to detect
bitsadmin.exedownloading from suspicious domains. - Monitor
process_creationlogs forbitsadmin.exeexecution and analyze command-line arguments for suspicious URLs. - Review network logs and proxy data for connections originating from
bitsadmin.exeto the IOC domains listed below. - Implement application whitelisting to restrict
bitsadmin.exeusage to only approved scenarios or accounts. - Educate users on phishing awareness, as this technique often follows an initial access gained through social engineering.
Detection coverage 1
Detect Suspicious Download From File-Sharing Website Via Bitsadmin
highDetects usage of the built-in Windows `bitsadmin.exe` utility downloading files from suspicious file-sharing or cloud storage domains, a common technique for ingress tool transfer.
Detection queries are available on the platform. Get full rules →
Indicators of compromise
35
domain
| Type | Value |
|---|---|
| domain | .githubusercontent.com |
| domain | 0x0.st |
| domain | anonfiles.com |
| domain | bashupload.com |
| domain | cdn.discordapp.com |
| domain | chunk.io |
| domain | ddns.net |
| domain | dl.dropboxusercontent.com |
| domain | ghostbin.co |
| domain | github.com |
| domain | glitch.me |
| domain | gofile.io |
| domain | hastebin.com |
| domain | mediafire.com |
| domain | mega.nz |
| domain | onrender.com |
| domain | pages.dev |
| domain | paste.ee |
| domain | pastebin.com |
| domain | pastebin.pl |
| domain | pastetext.net |
| domain | privatlab.com |
| domain | privatlab.net |
| domain | send.exploit.in |
| domain | sendspace.com |
| domain | storage.googleapis.com |
| domain | storjshare.io |
| domain | supabase.co |
| domain | temp.sh |
| domain | transfer.sh |
| domain | trycloudflare.com |
| domain | ufile.io |
| domain | w3spaces.com |
| domain | workers.dev |
| domain | x0.at |