IT Pro is supported by its audience. When you purchase through links on our site, we may earn an affiliate commission. Learn more

'BendyBear' APT malware linked to Chinese government hackers

Security researchers warn that the malware’s anti-analysis techniques make it exceptionally difficult to detect

Security researchers have warned of a new malware strain linked to cyber attacks on governments in East Asia.

According to researchers at Palo Alto Networks, the malware, dubbed “BendyBear,” is “one of the most sophisticated, well-engineered and difficult-to-detect samples of shellcode” used by a hacking group. Researchers believe it’s related to the WaterBear malware family, which has been active since as early as 2009.

The malware is associated with the cyber espionage group BlackTech, which has links to the Chinese government. Researchers said they believed the group behind this new malware is responsible for recent attacks against several East Asian government organizations. 

The malware was identified by its connections to a malicious C2 domain discovered by Taiwan’s Ministry of Justice Investigation Bureau in August 2020.

Researchers said the malware’s sole target is to download a more robust implant from a command and control (C2) server. They added this kind of malware is normally small, but BendyBear has over 10,000 bytes of code and uses its size to implement advanced features and anti-analysis techniques, such as modified RC4 encryption, signature block verification, and polymorphic code.

The malware hides from cyber security analysis by explicitly checking its environment for signs of debugging. For example, the malware loads payloads directly into memory and not on a disk, meaning it’s leaving behind no traditional fingerprints for threat researchers and security products to find — thus making it exceptionally difficult to detect.

It also uses polymorphic code, changing its runtime footprint during code execution to thwart memory analysis and evade signature identification. BendyBear also hides its connection protocol by connecting to the C2 server over a common port (443), in essence, blending in with normal SSL network traffic. In addition, the malware clears the host’s DNS cache every time it attempts to connect to its C2 server, making the host resolve the current IP address for the malicious C2 domain every time.

It also uses an existing Windows registry key enabled by default in Windows 10 to store configuration data.

Researchers said that BendyBear shellcode contains advanced features that are not typically found in shellcodes. 

“The use of anti-analysis techniques and signature block verification indicate that the developers care about stealth and detection-evasion. Additionally, the use of custom cryptographic routines and byte manipulations suggest a high level of technical sophistication,” added researchers.

Featured Resources

Activation playbook: Deliver data that powers impactful, game-changing campaigns

Bringing together data and technology to drive better business outcomes

Free Download

In unpredictable times, a data strategy is key

Data processes are crucial to guide decisions and drive business growth

Free Download

Achieving resiliency with Everything-as-a-Service (XAAS)

Transforming the enterprise IT landscape

Free Download

What is contextual analytics?

Creating more customer value in HR software applications

Free Download

Recommended

Protecting healthcare from cybercrime
Whitepaper

Protecting healthcare from cybercrime

25 May 2022
Mastering endpoint security implementation
Security

Mastering endpoint security implementation

18 May 2022
The Total Economic Impact™ of Apple Mac in Enterprise: M1 update
Whitepaper

The Total Economic Impact™ of Apple Mac in Enterprise: M1 update

12 May 2022
Dell Technologies World 2022: Dell unveils fastest storage architecture in company history
Server & storage

Dell Technologies World 2022: Dell unveils fastest storage architecture in company history

4 May 2022

Most Popular

Open source packages with millions of installs hacked to harvest AWS credentials
hacking

Open source packages with millions of installs hacked to harvest AWS credentials

24 May 2022
Europe's first autonomous petrol station opens in Lisbon
automation

Europe's first autonomous petrol station opens in Lisbon

23 May 2022
Nvidia pauses hiring to help cope with inflation
Careers & training

Nvidia pauses hiring to help cope with inflation

23 May 2022