Skip to content
Threat Feed
high advisory

Suspicious Download From File-Sharing Website Via Bitsadmin

This threat brief details the detection of adversaries leveraging the legitimate Windows Background Intelligent Transfer Service (BITSAdmin) utility to download malicious payloads from suspicious file-sharing and cloud storage domains, a technique commonly employed by ransomware groups and APTs for ingress tool transfer and stealthy execution.

Adversaries frequently abuse the Windows BITSAdmin utility to download additional tools and payloads, bypassing traditional security controls due to its nature as a legitimate, signed Microsoft binary. This technique allows attackers to perform ingress tool transfer (MITRE ATT&CK T1105) from various file-sharing and cloud storage services like GitHub, Mega.nz, or Discord's CDN, making detection challenging. Observed in campaigns like Mint Sandstorm and by ransomware groups such as Hive, Conti, and AvosLocker, this method enables stealthy delivery of malware. The activity is particularly concerning when bitsadmin.exe initiates downloads from domains typically used for public file hosting, indicating a likely attempt to fetch staged malicious components after initial compromise. Detecting this behavior is crucial for identifying early stages of compromise and preventing further attacker progression.

Attack Chain

  1. Initial Access: Adversaries gain initial access, often via phishing campaigns delivering malicious documents or exploiting a vulnerable internet-facing service, leading to arbitrary code execution.
  2. Execution: A command interpreter (e.g., cmd.exe or powershell.exe) is executed with administrative privileges to launch subsequent commands.
  3. Ingress Tool Transfer: The bitsadmin.exe utility is invoked with parameters like /transfer, /create, or /addfile to initiate a background download.
  4. Staging Payload: bitsadmin.exe downloads a malicious executable, script, or DLL from a suspicious file-sharing or cloud storage domain (e.g., dl.dropboxusercontent.com, cdn.discordapp.com, mega.nz) to a temporary or public-facing directory on the compromised system.
  5. Further Execution: The newly downloaded malicious payload is then executed, often via another command or script, to establish persistence or escalate privileges.
  6. Impact: The execution of the payload leads to the final objective, which commonly includes deploying ransomware, exfiltrating sensitive data, or establishing long-term command and control within the victim's network.

Impact

Successful exploitation of this technique can lead to severe consequences, as it facilitates the delivery of sophisticated malware, including ransomware, backdoors, and credential stealers. Organizations targeted by such attacks, particularly those in critical infrastructure sectors or government, face significant data loss, operational disruption, and financial repercussions. Campaigns like Mint Sandstorm have targeted high-profile individuals at universities and research organizations, indicating a focus on sensitive intellectual property. The use by ransomware groups such as Hive, Conti, and AvosLocker highlights the potential for widespread encryption of systems and extortion demands, resulting in costly recovery efforts and reputational damage for affected entities.

Recommendation

  • Deploy the provided Sigma rule to your SIEM and tune for your environment to detect bitsadmin.exe downloading from suspicious domains.
  • Monitor process_creation logs for bitsadmin.exe execution and analyze command-line arguments for suspicious URLs.
  • Review network logs and proxy data for connections originating from bitsadmin.exe to the IOC domains listed below.
  • Implement application whitelisting to restrict bitsadmin.exe usage to only approved scenarios or accounts.
  • Educate users on phishing awareness, as this technique often follows an initial access gained through social engineering.

Detection coverage 1

Detect Suspicious Download From File-Sharing Website Via Bitsadmin

high

Detects usage of the built-in Windows `bitsadmin.exe` utility downloading files from suspicious file-sharing or cloud storage domains, a common technique for ingress tool transfer.

sigma tactics: command_and_control, execution, persistence, s0190 techniques: T1059, T1105, T1197 sources: process_creation, windows

Detection queries are available on the platform. Get full rules →

Indicators of compromise

35

domain

TypeValue
domain.githubusercontent.com
domain0x0.st
domainanonfiles.com
domainbashupload.com
domaincdn.discordapp.com
domainchunk.io
domainddns.net
domaindl.dropboxusercontent.com
domainghostbin.co
domaingithub.com
domainglitch.me
domaingofile.io
domainhastebin.com
domainmediafire.com
domainmega.nz
domainonrender.com
domainpages.dev
domainpaste.ee
domainpastebin.com
domainpastebin.pl
domainpastetext.net
domainprivatlab.com
domainprivatlab.net
domainsend.exploit.in
domainsendspace.com
domainstorage.googleapis.com
domainstorjshare.io
domainsupabase.co
domaintemp.sh
domaintransfer.sh
domaintrycloudflare.com
domainufile.io
domainw3spaces.com
domainworkers.dev
domainx0.at