The so-called “BendyBear” malware uses anti-analysis techniques that make it difficult to detect.
Security researchers have warned of a new malware strain linked to cyber attacks on governments in East Asia.
According to the elite Unit42 security researchers at Palo Alto Networks, the malware is “one of the most sophisticated, well-engineered and difficult-to-detect samples of shellcode” they have found in the wild. The Unit42 researchers believe it’s related to the WaterBear malware family. This breed of malware has been active since as early as 2009.
The malware’s precursor is tied to a Chinese government group
Analysis showed WaterBear to be a multifaceted, stage-two implant, capable of file transfer, shell access, screen capture and much more. The malware is associated with the cyber espionage group BlackTech, which many in the broader threat research community have assessed to have ties to the Chinese government.
BlackTech believed to be responsible for recent attacks against several East Asian government organizations, according to Unit42.
Due to the similarities with WaterBear, and the polymorphic nature of the code, Unit 42 have named this novel Chinese shellcode “BendyBear.”
A New Class of Shellcode, designed for stealth
According to the researchers Palo Alto Networks, several attributes of BendyBear make it extremely dangerous.
At a macro level, BendyBear is unique in that it transmits payloads in modified RC4-encrypted chunks. This hardens the encryption of the network communication, as a single RC4 key will not decrypt the entire payload.
The malware attempts to remain hidden from cybersecurity analysis by explicitly checking its environment for signs of debugging. It also leverages existing Windows registry key that is enabled by default in Windows 10 to store configuration data.
BendyBear clears the host’s DNS cache every time it attempts to connect to its C2 server, thereby requiring that the host resolve the current IP address for the malicious C2 domain each time. It also generates unique session keys for each connection to the C2 server.
BendyBear’s code is designed to thwart analysis
The malware employs polymorphic code, changing its runtime footprint during code execution to thwart memory analysis and evade signaturing. It encrypts or decrypts function blocks (code blocks) during runtime, as needed, to evade detection.
BendyBear also uses position independent code (PIC) to throw off static analysis tools, according to the researchers.