A notorious Chinese hacker group has deployed a sophisticated shellcode dubbed BendyBear in its latest round of espionage, security firm Palo Alto Networks reports.
This was indeed a “bear” of a file: over 10,000 bytes of highly sophisticated code. Unit 42 researchers from Palo Alto Networks who analyzed it say its behavior and features strongly indicate the code belongs to the WaterBear malware family, which has been active since 2009. Experts also say the malware is associated with BlackTech, a cyberespionage group with known ties to the Chinese government.
Analysis by Trend Micro and TeamT5 determined WaterBear is a stage-two implant and a stage-zero downloader capable of shell access, file transfers, screen capture, and much more.
Described as “one of the most sophisticated, well-engineered, and difficult-to-detect malicious shellcodes employed by an Advanced Persistent Threat” (an APT is typically a nation-state or state-sponsored group), the novel Chinese malware was dubbed “BendyBear.”
Connections to a malicious C2 domain discovered by Taiwan’s Ministry of Justice Investigation Bureau in August 2020 helped to identify the malware.
BendyBear is an x64 shellcode capable of injecting a stage-zero implant whose sole function is to download a more robust implant from a command-and-control (C2) server.
BendyBear employs advanced anti-analysis techniques such as modified RC4 encryption, signature block verification, and polymorphic code. It evades security analysts by constantly checking its environment for signs of debugging. It runs payloads directly in memory rather than on disk, leaving none of the traditional fingerprints threat researchers look for. What’s more, its polymorphic code changes its runtime footprint during execution to frustrate memory analysis and evade signature identification.
That’s not all. The malware disguises its C2 communication by connecting to the C2 server over a common port (443), so the traffic blends in with normal SSL network traffic. BendyBear also clears the host’s DNS cache so that the host resolves the current IP address for the malicious C2 domain.
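The two behaviors just described, a DNS cache flush followed by an outbound connection on port 443 from the same process, are the kind of sequence a defender can correlate. The following is an added example written for this article, not code from Unit 42 or the report; the event format, process ids and domain names in the sample log are constructed for illustration, as is the `dns_flush` event kind, which assumes an endpoint sensor that records cache flushes.

```python
# Added example: flag a process that clears the host DNS cache and then opens
# an outbound TCP/443 connection shortly afterwards. Log format, sample lines,
# pids and domains below are constructed for this illustration only.
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass
class Event:
    ts: datetime
    pid: int
    kind: str      # constructed kinds: "dns_flush" or "net_connect"
    detail: str    # for net_connect, the destination as "host:port"


def parse_line(line: str) -> Event:
    """Parse one constructed log line: '<iso-timestamp> <pid> <kind> <detail>'."""
    ts, pid, kind, detail = line.split(maxsplit=3)
    return Event(datetime.fromisoformat(ts), int(pid), kind, detail)


def flush_then_443(events, window=timedelta(seconds=60)):
    """Return (pid, destination) pairs where one process flushed the DNS cache
    and then connected to TCP/443 within `window` of that flush."""
    last_flush = {}   # pid -> timestamp of its most recent dns_flush
    hits = []
    for ev in sorted(events, key=lambda e: e.ts):
        if ev.kind == "dns_flush":
            last_flush[ev.pid] = ev.ts
        elif ev.kind == "net_connect" and ev.detail.endswith(":443"):
            flushed_at = last_flush.get(ev.pid)
            if flushed_at is not None and ev.ts - flushed_at <= window:
                hits.append((ev.pid, ev.detail))
    return hits


# Constructed sample: pid 4120 flushes and connects within 3 seconds (hit);
# pid 5000 connects without any flush; a second 4120 flush is followed by a
# connection five minutes later, outside the 60-second window.
SAMPLE_LOG = """\
2020-08-01T10:00:00 4120 dns_flush -
2020-08-01T10:00:03 4120 net_connect c2.example.invalid:443
2020-08-01T10:00:05 5000 net_connect update.example.invalid:443
2020-08-01T10:05:00 4120 dns_flush -
2020-08-01T10:10:00 4120 net_connect c2.example.invalid:443
"""


def run(log_text: str = SAMPLE_LOG):
    return flush_then_443(parse_line(l) for l in log_text.splitlines() if l.strip())


if __name__ == "__main__":
    for pid, dst in run():
        print(f"pid {pid}: DNS cache flush followed by outbound 443 to {dst}")
```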
More details from the analysis are available in Unit 42’s report.