'BendyBear' APT malware linked to Chinese government hackers

Security researchers warn that the malware’s anti-analysis techniques make it exceptionally difficult to detect

Security researchers have warned of a new malware strain linked to cyber attacks on governments in East Asia.

According to researchers at Palo Alto Networks, the malware, dubbed “BendyBear,” is “one of the most sophisticated, well-engineered and difficult-to-detect samples of shellcode” used by a hacking group. Researchers believe it’s related to the WaterBear malware family, which has been active since as early as 2009.

The malware is associated with the cyber espionage group BlackTech, which has links to the Chinese government. Researchers said they believed the group behind this new malware is responsible for recent attacks against several East Asian government organizations. 

The malware was identified by its connections to a malicious C2 domain discovered by Taiwan’s Ministry of Justice Investigation Bureau in August 2020.

Researchers said the malware’s sole purpose is to download a more robust implant from a command and control (C2) server. They added that shellcode of this kind is normally small, but BendyBear has over 10,000 bytes of code and uses its size to implement advanced features and anti-analysis techniques, such as modified RC4 encryption, signature block verification, and polymorphic code.

The malware hides from security analysis by explicitly checking its environment for signs of debugging. It also loads payloads directly into memory rather than writing them to disk, so it leaves behind none of the traditional fingerprints that threat researchers and security products look for, making it exceptionally difficult to detect.

It also uses polymorphic code, changing its runtime footprint during execution to thwart memory analysis and evade signature-based identification. BendyBear further hides its connection protocol by connecting to the C2 server over a common port (443), in essence blending in with normal SSL network traffic. In addition, the malware clears the host’s DNS cache every time it attempts to connect to its C2 server, forcing the host to resolve the current IP address of the malicious C2 domain on each attempt.
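The repeated DNS-cache flush followed by an outbound connection on port 443 is a behavioural pattern a defender can hunt for. The following is an added example, not code from the article or from Palo Alto Networks: it runs a simple correlation over constructed, Sysmon-style host telemetry (the event names and line format are assumptions made for this example) and flags processes that flush the resolver cache and then connect out on 443 within a few seconds, more than once.

```python
import re
from collections import defaultdict

# Constructed sample telemetry (not from the original article); one line per
# host event: "<hh:mm:ss> <pid> <event> <detail>". The event names are a
# made-up, Sysmon-like schema assumed for this example.
SAMPLE_EVENTS = """\
10:00:01 4120 DNS_FLUSH -
10:00:02 4120 NET_CONNECT 203.0.113.10:443
10:30:01 4120 DNS_FLUSH -
10:30:02 4120 NET_CONNECT 203.0.113.11:443
11:00:01 4120 DNS_FLUSH -
11:00:03 4120 NET_CONNECT 203.0.113.12:443
09:15:00 7788 DNS_FLUSH -
09:20:00 7788 NET_CONNECT 198.51.100.5:80
12:00:00 9001 NET_CONNECT 192.0.2.9:443
""".splitlines()

LINE_RE = re.compile(r"^(\S+) (\d+) (\S+) (\S+)$")

def to_seconds(ts):
    """Convert an hh:mm:ss timestamp to seconds since midnight."""
    h, m, s = (int(x) for x in ts.split(":"))
    return h * 3600 + m * 60 + s

def find_flush_then_connect(lines, window=5, min_hits=2, port=443):
    """Return {pid: count} for processes that flush the DNS cache and then
    open an outbound connection to `port` within `window` seconds, at least
    `min_hits` times. This mirrors the per-connection flush the article
    describes; a single flush is normal, a flush before every 443 connect is not."""
    last_flush = {}            # pid -> time of most recent unpaired flush
    hits = defaultdict(int)    # pid -> number of flush+connect pairs seen
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue           # skip malformed lines rather than crash
        ts, pid, event, detail = m.groups()
        t = to_seconds(ts)
        if event == "DNS_FLUSH":
            last_flush[pid] = t
        elif event == "NET_CONNECT" and detail.endswith(f":{port}"):
            if pid in last_flush and 0 <= t - last_flush[pid] <= window:
                hits[pid] += 1
                del last_flush[pid]   # one flush pairs with one connection
    return {pid: n for pid, n in hits.items() if n >= min_hits}

if __name__ == "__main__":
    print(find_flush_then_connect(SAMPLE_EVENTS))  # {'4120': 3}
```

Only pid 4120 is reported: pid 7788 flushes once but connects on port 80, and pid 9001 connects on 443 without a preceding flush.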

It also uses an existing Windows registry key enabled by default in Windows 10 to store configuration data.

Researchers said that the BendyBear shellcode contains advanced features that are not typically found in shellcode.

“The use of anti-analysis techniques and signature block verification indicate that the developers care about stealth and detection-evasion. Additionally, the use of custom cryptographic routines and byte manipulations suggest a high level of technical sophistication,” added researchers.
