Researchers have recently discovered a very sophisticated, well-engineered, and difficult-to-detect piece of polymorphic malware.
The Newly Discovered Malware –
- The malware was possibly handcrafted by the APT group BlackTech (aka the Palmerworm group) and has been dubbed BendyBear by researchers.
- The behavior and features of BendyBear, along with 10,000+ bytes of machine code, strongly correlate with the BlackTech-associated, multifaceted WaterBear malware.
- East Asian government organizations were recently targeted by the cyberespionage group in coordinated attacks.
How does the malware function?
- The analyzed BendyBear shellcode sample performs a single function: downloading a more robust implant from attacker-controlled C2 servers.
- Its comparatively large size is used to implement advanced features and anti-analysis techniques such as modified RC4 encryption, signature block verification, and polymorphic code.
- Additionally, BendyBear leverages an existing Windows registry key to generate unique session keys for each connection to the C2 server and to encrypt or decrypt function (code) blocks at runtime, at a macro level.
- The infection vector, exploit vector, potential victims, and intended use of the malware in the latest campaign are yet to be determined.
Connection to the WaterBear –
With several common features between BendyBear and WaterBear, researchers suggest a possible connection between the two.
- Both malware families use a modified RC4 and 16-byte XOR keys, and their encrypt/decrypt function routines are similar.
- By design, both accept payloads as encrypted chunks of data.
- Furthermore, both obfuscate runtime function addresses.
Below are the common features as listed by researchers –
Attributes | WaterBear | BendyBear |
File Type | EXE/DLL | Shell code |
Implant Type | Stage-2 | Stage-0 |
Modified RC4 | Present | Present |
Additional Encryption | Unknown | Extra XOR computations |
16-Byte XOR Keys | Present | Present |
Authenticated C2 Communications | Present | Present |
Signature Verification Magic Bytes | 1F 40 1F 43 | 1F 40 1F 43 |
Chunked Payloads | Present | Present |
Polymorphic Code | Present | Present |
In-Memory Loading | Present | Present |
PEB Debugger Check | Present | Present |
Pattern Elimination | Present | Present |
Encrypt/Decrypt Function Routines | Present | Present |
API Hooking | Present | Absent |
Process Hiding | Present | Absent |
Network Traffic Filtering | Present | Absent |
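As an added detection example (not code from the eScan post or from the researchers who analyzed the samples), the following Python scans a memory dump or carved network payload for the 1F 40 1F 43 magic bytes listed in the table, and handles the chunked-payload case where the sequence straddles a read boundary. The sample buffer is constructed, and nothing beyond the four magic bytes is assumed about the signature block layout.

```python
import io
from typing import BinaryIO, List

# Magic bytes reported in the signature block of both WaterBear and BendyBear
# (taken from the feature table above).
SIGNATURE_MAGIC = bytes.fromhex("1F401F43")


def find_magic_offsets(data: bytes, magic: bytes = SIGNATURE_MAGIC) -> List[int]:
    """Return every offset at which the magic byte sequence occurs in a buffer."""
    offsets: List[int] = []
    pos = data.find(magic)
    while pos != -1:
        offsets.append(pos)
        pos = data.find(magic, pos + 1)
    return offsets


def scan_stream(stream: BinaryIO, magic: bytes = SIGNATURE_MAGIC,
                chunk_size: int = 4096) -> List[int]:
    """Scan a stream chunk by chunk, carrying the last len(magic)-1 bytes into
    the next round so a sequence that straddles a chunk boundary is still
    reported exactly once, at its absolute offset in the stream."""
    overlap = len(magic) - 1
    hits: List[int] = []
    carry = b""
    base = 0  # absolute stream offset of carry[0] (or of the next chunk)
    while True:
        chunk = stream.read(chunk_size)
        if not chunk:
            break
        buf = carry + chunk
        for off in find_magic_offsets(buf, magic):
            hits.append(base + off)
        # A full 4-byte magic cannot fit inside the 3-byte carry, so no hit is
        # counted twice across rounds.
        carry = buf[-overlap:] if overlap else b""
        base += len(buf) - len(carry)
    return hits


# Constructed sample (not a real capture): the first magic straddles a
# 4096-byte read boundary, the case a naive per-chunk scan would miss.
SAMPLE = b"A" * 4094 + SIGNATURE_MAGIC + b"B" * 10 + SIGNATURE_MAGIC

if __name__ == "__main__":
    print("whole buffer:", find_magic_offsets(SAMPLE))
    print("streamed    :", scan_stream(io.BytesIO(SAMPLE)))
```

A hit is only a lead for closer analysis, since a four-byte sequence can also occur in benign data; corroborate it with the other table features (in-memory loading, PEB debugger check) before attributing.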
The emergence of BendyBear only highlights the forthcoming challenges for the cybersecurity domain. Its sophisticated stealth and detection-evasion techniques are a testament to this malware developer group’s focus on achieving a high level of technical sophistication.
To read more, please check eScan Blog