'BendyBear' APT malware linked to Chinese government hackers

Security researchers warn that the malware’s anti-analysis techniques make it exceptionally difficult to detect

Security researchers have warned of a new malware strain linked to cyber attacks on governments in East Asia.

According to researchers at Palo Alto Networks, the malware, dubbed “BendyBear,” is “one of the most sophisticated, well-engineered and difficult-to-detect samples of shellcode” used by a hacking group. Researchers believe it’s related to the WaterBear malware family, which has been active since as early as 2009.

The malware is associated with the cyber espionage group BlackTech, which has links to the Chinese government. Researchers said they believed the group behind this new malware is responsible for recent attacks against several East Asian government organizations. 

The malware was identified by its connections to a malicious C2 domain discovered by Taiwan’s Ministry of Justice Investigation Bureau in August 2020.

Researchers said the malware’s sole target is to download a more robust implant from a command and control (C2) server. They added this kind of malware is normally small, but BendyBear has over 10,000 bytes of code and uses its size to implement advanced features and anti-analysis techniques, such as modified RC4 encryption, signature block verification, and polymorphic code.

The malware hides from cyber security analysis by explicitly checking its environment for signs of debugging. For example, the malware loads payloads directly into memory and not on a disk, meaning it’s leaving behind no traditional fingerprints for threat researchers and security products to find — thus making it exceptionally difficult to detect.

It also uses polymorphic code, changing its runtime footprint during code execution to thwart memory analysis and evade signature identification. BendyBear also hides its connection protocol by connecting to the C2 server over a common port (443), in essence, blending in with normal SSL network traffic. In addition, the malware clears the host’s DNS cache every time it attempts to connect to its C2 server, making the host resolve the current IP address for the malicious C2 domain every time.

It also uses an existing Windows registry key enabled by default in Windows 10 to store configuration data.

Researchers said that BendyBear shellcode contains advanced features that are not typically found in shellcodes. 

“The use of anti-analysis techniques and signature block verification indicate that the developers care about stealth and detection-evasion. Additionally, the use of custom cryptographic routines and byte manipulations suggest a high level of technical sophistication,” added researchers.

Featured Resources

BCDR buyer's guide for MSPs

How to choose a business continuity and disaster recovery solution

Download now

The definitive guide to IT security

Protecting your MSP and your customers

Download now

Cost of a data breach report 2020

Find out what factors help mitigate breach costs

Download now

The complete guide to changing your phone system provider

Optimise your phone system for better business results

Download now

Recommended

New report highlights the need for diversity in cyber security recruitment
cyber security

New report highlights the need for diversity in cyber security recruitment

28 Apr 2021
HackBoss malware is using Telegram to steal cryptocurrency from other hackers
cryptocurrencies

HackBoss malware is using Telegram to steal cryptocurrency from other hackers

16 Apr 2021
Data breach exposes widespread fake reviews on Amazon
data breaches

Data breach exposes widespread fake reviews on Amazon

7 May 2021
TsuNAME vulnerability could enable DDoS attacks on major DNS servers
distributed denial of service (DDOS)

TsuNAME vulnerability could enable DDoS attacks on major DNS servers

7 May 2021

Most Popular

KPMG offers staff 'four-day fortnight' in hybrid work plans
flexible working

KPMG offers staff 'four-day fortnight' in hybrid work plans

6 May 2021
Dell patches vulnerability affecting hundreds of computer models worldwide
cyber security

Dell patches vulnerability affecting hundreds of computer models worldwide

5 May 2021
16 ways to speed up your laptop
Laptops

16 ways to speed up your laptop

29 Apr 2021