Unit 42 researchers discovered a highly sophisticated and complex shellcode whose behavior and functionality closely resemble the WaterBear malware, which has been active since 2009. WaterBear can perform file transfers, launch shells, take screenshots, and more. The malware is associated with the cyber espionage group BlackTech, which many in the threat research community believe is linked to the Chinese government. Unit 42 named this new shellcode “BendyBear”, calling it one of the most complex, well-designed and difficult-to-detect shellcode samples used by Advanced Persistent Threats (APTs).
BendyBear is distinguished by the following features:
- The payload is transmitted in modified RC4-encrypted blocks, which hardens the encryption of its network communication.
- Environmental checks: anti-debugging and anti-analysis techniques.
- Windows registry keys are used to store configuration data.
- The host's DNS cache is cleared before each connection to the C2 server, so that a fresh IP address is resolved every time.
- Each connection to the C2 server uses a different session key.
- Connections to the C2 server go over HTTPS (port 443), blending in with normal SSL traffic.
- Polymorphic code expands its runtime memory footprint to evade memory analysis.
- Code blocks are encrypted and decrypted at runtime to avoid detection.
- Position-independent code (PIC) is used to frustrate static analysis tools.
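The per-connection DNS cache flush followed by an outbound HTTPS connection is a behavioral pattern a defender can hunt for. The following is an added example, not code from the Unit 42 report: a simple correlation heuristic run over constructed sample telemetry. It assumes (the page does not say) that the flush shows up as an `ipconfig /flushdns` process-creation event and that events are simple dicts with a unix timestamp.

```python
# Added example (not from the Unit 42 report): flag hosts that repeatedly clear
# their DNS cache shortly before opening outbound HTTPS (443) connections, the
# check-in pattern described for BendyBear.
# Assumptions (not stated on the page): the flush appears as an
# "ipconfig /flushdns" process-creation event; events are dicts with a unix ts.
from collections import defaultdict

FLUSH_MARKERS = ("ipconfig /flushdns",)   # assumed command line; extend as needed
WINDOW_SECONDS = 30                        # flush-to-connect gap treated as related
MIN_REPEATS = 2                            # BendyBear flushes on every C2 connection

def is_dns_flush(event):
    cmd = event.get("cmdline", "").lower()
    return event["type"] == "process_create" and any(m in cmd for m in FLUSH_MARKERS)

def find_flush_then_https(events, window=WINDOW_SECONDS, min_repeats=MIN_REPEATS):
    """Return {host: [(flush_ts, connect_ts, dst_ip), ...]} for hosts whose DNS
    flush was followed within `window` seconds by an outbound 443 connection,
    keeping only hosts where that pairing repeats at least `min_repeats` times."""
    pending = {}                # host -> timestamp of most recent unmatched flush
    pairs = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["ts"]):
        host = ev["host"]
        if is_dns_flush(ev):
            pending[host] = ev["ts"]
        elif (ev["type"] == "network_connect" and ev.get("dst_port") == 443
              and host in pending and 0 <= ev["ts"] - pending[host] <= window):
            pairs[host].append((pending.pop(host), ev["ts"], ev["dst_ip"]))
    return {h: p for h, p in pairs.items() if len(p) >= min_repeats}

# Constructed sample telemetry (documentation IPs, not real IoCs): WS01 shows the
# repeated pattern; WS02 flushes once while troubleshooting and never hits 443.
SAMPLE_EVENTS = [
    {"ts": 100, "host": "WS01", "type": "process_create", "cmdline": "ipconfig /flushdns"},
    {"ts": 104, "host": "WS01", "type": "network_connect", "dst_ip": "198.51.100.7", "dst_port": 443},
    {"ts": 160, "host": "WS02", "type": "process_create", "cmdline": "IPCONFIG /FLUSHDNS"},
    {"ts": 170, "host": "WS02", "type": "network_connect", "dst_ip": "203.0.113.9", "dst_port": 80},
    {"ts": 400, "host": "WS01", "type": "process_create", "cmdline": "ipconfig /flushdns"},
    {"ts": 403, "host": "WS01", "type": "network_connect", "dst_ip": "198.51.100.21", "dst_port": 443},
]

if __name__ == "__main__":
    for host, hits in find_flush_then_https(SAMPLE_EVENTS).items():
        print(f"{host}: {len(hits)} flush->HTTPS pairs, destinations {[h[2] for h in hits]}")
```

Legitimate flushes by administrators will also match once; the repeat threshold and the short time window are what make the pairing suspicious, so tune both against your own baseline.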
The shellcode (SHA256: 64CC899EC85F612270FCFB120A4C80D52D78E68B05CAF1014D2FE06522F1E2D0) is an installer or downloader whose function is to download implants from the C2 server. During execution, the code uses byte randomization to mask its behavior: the host's current time seeds a pseudo-random number generator, and additional operations are then applied to its output.
- x64 – (0.24)
- x86 – (0.1)
- x86 WaterBear Loader