
BendyBear Shellcode Linked With BlackTech

Summary

Unit42 researchers discovered a highly scalable and highly complex piece of shellcode whose behavior and functionality closely resemble a malware family that has been active since 2009 and that can perform file transfers, spawn shells, take screenshots, and more. The malware is associated with the cyber-espionage group BlackTech, which many in the threat research community believe is linked to the Chinese government. Unit42 named the new shellcode "BendyBear" and calls it one of the most complex, well-designed and hard-to-detect shellcode samples used by Advanced Persistent Threats (APTs).

Shellcode

The distinctive features of BendyBear are:

  • The payload is transmitted in encrypted blocks using a modified RC4 algorithm, hardening the network communication against inspection.
  • Environment checks: anti-debugging and anti-analysis techniques.
  • Configuration data is stored in Windows registry keys.
  • The host's DNS cache is cleared before each connection to the C2 server, so that a fresh IP address is resolved every time.
  • Each connection to the C2 server uses a different session key.
  • Communication with the C2 server goes over HTTPS (port 443), blending in with normal SSL/TLS traffic.
  • Polymorphic code changes its memory footprint at runtime to hinder memory analysis.
  • Code blocks are encrypted or decrypted at runtime to evade detection.
  • Position-independent code (PIC) is used to frustrate static analysis tools.

Technical Details

The shellcode (SHA256: 64CC899EC85F612270FCFB120A4C80D52D78E68B05CAF1014D2FE06522F1E2D0) is an installer or downloader whose purpose is to fetch implants from the C2 server. During execution, it uses byte randomization to mask its behavior: the host's current time seeds a pseudo-random number generator, and the generator's output is then further transformed before use.

[Figure: BendyBear shellcode]

Network communication

[Figure: BendyBear network communication]

IOCs

Shellcode

x64 – (0.24)
SHA256: 64CC899EC85F612270FCFB120A4C80D52D78E68B05CAF1014D2FE06522F1E2D0
Domain: wg1.inkeslive[.]com

x86 – (0.1)
SHA256: 49901034216a16cfd05c613f438eccee4a7bf6079a7988b3e7094d9498379558
Domain: web2008.rutentw[.]com

x86 Loader

SHA256:
5d1414b47d88e95ae6612d3fc211c29b35cc5db4a8a992f5e27cff5203ebf44b
9880ba4f93cade2f6bbb4cc8efdcf087e8ac51b5c209ee32ad8134eb87ef70e1
682122f34027e3f8025928d446989b02952449f5e5930c2670f8f789f41573ff
2a09ec2d6edadd06e18c841e0ed794ba3eeb21818476f75ccc0e5d40e08eac80
76ef704d21fbaaceca8a131429ccfb9f5de3d8f43a160ddd281ffeafc391eb98

SHA1:
d35224bb1c8007082dd1d53f5811d1bed53317f9
2b770e58af6a26879be51f45ee279490fa0fd3b5
d5732316e2d3f113960a577b6a0496c99020afb2
5546573eade55c6361d2ef8a456f4d82087afafc
2288c68a3534dac16f67fc3af1b4a68dfcda5baf

MD5:
633ca057be3189b5da3678849aa5d9ce
26e0b9a97a9448f2c6cccfd1003e0cb0
05f34b09b28e771c99b8578f8a4324ce
386091b299cfbe9b95034b21be7aa44c
2a321465999f74ac4055e83e58be2624
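The indicator list above mixes SHA256, SHA1 and MD5 digests and defanged domains, which is awkward to feed into a scan by hand. As an added example (not code from Unit42 or from the original page), the script below classifies each hash by its hex-digest length, refangs the `[.]` domains, hashes a file's bytes with every algorithm present in the list, and reports matches; the sample bytes and the hostname checked in `main` are constructed for illustration.

```python
"""IoC matcher for the BendyBear indicators listed on this page (added example)."""
import hashlib
import re

# Indicators copied from the page's IOC section (a subset, mixed digest types).
BENDYBEAR_HASHES = [
    "64CC899EC85F612270FCFB120A4C80D52D78E68B05CAF1014D2FE06522F1E2D0",
    "49901034216a16cfd05c613f438eccee4a7bf6079a7988b3e7094d9498379558",
    "5d1414b47d88e95ae6612d3fc211c29b35cc5db4a8a992f5e27cff5203ebf44b",
    "d35224bb1c8007082dd1d53f5811d1bed53317f9",
    "633ca057be3189b5da3678849aa5d9ce",
]
BENDYBEAR_DOMAINS = ["wg1.inkeslive[.]com", "web2008.rutentw[.]com"]

# Hex-digest length uniquely identifies these three algorithms.
_DIGEST_LEN = {64: "sha256", 40: "sha1", 32: "md5"}
_HEX = re.compile(r"^[0-9a-fA-F]+$")


def classify_hash(value):
    """Return 'sha256', 'sha1' or 'md5' based on digest length, else None."""
    v = value.strip()
    if not _HEX.match(v):
        return None
    return _DIGEST_LEN.get(len(v))


def refang(domain):
    """Normalise a defanged indicator such as 'a[.]b' to 'a.b' for comparison."""
    return domain.replace("[.]", ".").replace("(.)", ".").strip().lower()


def build_index(hashes):
    """Group indicators by algorithm, lower-cased so lookups are case-insensitive."""
    index = {"sha256": set(), "sha1": set(), "md5": set()}
    for h in hashes:
        algo = classify_hash(h)
        if algo is None:
            raise ValueError(f"not a recognised hex digest: {h!r}")
        index[algo].add(h.strip().lower())
    return index


def digest_of(data, algo):
    """Hex digest of data with the named hashlib algorithm."""
    return hashlib.new(algo, data).hexdigest()


def match_bytes(data, index):
    """Hash data with each algorithm present in the index; return (algo, digest) hits."""
    hits = []
    for algo, known in index.items():
        if not known:
            continue  # no indicators of this type, skip the hashing work
        digest = digest_of(data, algo)
        if digest in known:
            hits.append((algo, digest))
    return hits


def match_domain(host, domains):
    """True if host (fanged or defanged, any case) is in the indicator list."""
    return refang(host) in {refang(d) for d in domains}


if __name__ == "__main__":
    index = build_index(BENDYBEAR_HASHES)
    sample = b"constructed sample bytes, not a real file"  # constructed input
    print("hash hits:", match_bytes(sample, index))
    print("domain hit:", match_domain("WG1.inkeslive.com", BENDYBEAR_DOMAINS))
```

In practice the `sample` bytes would be read from a file under investigation, and the domain check would be applied to DNS or proxy log fields after refanging; building the index once and hashing only with the algorithms that actually appear in the list keeps the scan cheap across many files.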