A New Malware Shares Similarities With WaterBear

Unit 42 researchers have recently come across a highly sophisticated, well-engineered, and difficult-to-detect piece of polymorphic malware.

About the malware

  • Dubbed BendyBear by the researchers, the malware was possibly handcrafted by the APT group BlackTech (aka the Palmerworm group).
  • At over 10,000 bytes of machine code, BendyBear's behavior and features strongly correlate with the multifaceted WaterBear malware associated with BlackTech.
  • The cyberespionage group was recently found targeting East Asian government organizations in coordinated attacks.

How does it work?

  • The BendyBear sample is shellcode with a single job: downloading a more robust implant from attacker-controlled C2 servers.
  • Its comparatively large size is used to implement advanced features and anti-analysis techniques such as modified RC4 encryption, signature block verification, and polymorphic code.
  • BendyBear also leverages an existing Windows registry key, generates a unique session key for each connection to the C2 server, and encrypts or decrypts whole function (code) blocks at runtime.
  • The infection vector, exploit vector, potential victims, and intended use of the malware in the latest campaign are not yet known.

The WaterBear connection

BendyBear and WaterBear share several features, which point to a possible connection between the two.

  • Both pieces of malware use a modified RC4, 16-byte XOR keys, and similar encrypt/decrypt routines.
  • Both are designed to accept payloads as encrypted chunks of data.
  • Both obfuscate runtime function addresses.
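To make the per-session key and the RC4-plus-XOR layering concrete, here is an added illustrative Python example; it is not code from Unit 42 or from either malware family. It models a payload chunk encrypted with standard RC4 followed by a repeating 16-byte XOR and shows that a fresh key per connection produces different bytes on the wire for the same payload. The exact RC4 modification, the key derivation, and all sample values are assumptions; the article does not describe them.

```python
import hashlib

# Constructed sample values for the demonstration; none come from the report.
SHARED_SECRET = b"constructed-shared-secret"
XOR_KEY_16 = bytes(range(16))          # a 16-byte XOR key, as the article mentions
SAMPLE_PAYLOAD = b"MZ" + bytes(30)     # stand-in for one encrypted implant chunk


def rc4_keystream(key: bytes, length: int) -> bytes:
    """Standard RC4: key scheduling (KSA) followed by PRGA output bytes."""
    s = list(range(256))
    j = 0
    for i in range(256):               # KSA
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    i = j = 0
    out = bytearray()
    for _ in range(length):            # PRGA
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def session_key(secret: bytes, nonce: bytes) -> bytes:
    """Hypothetical per-connection key: a fresh nonce mixed with a shared secret."""
    return hashlib.sha256(secret + nonce).digest()[:16]


def transform(data: bytes, key: bytes, xor_key: bytes = XOR_KEY_16) -> bytes:
    """RC4 keystream XOR, then a repeating 16-byte XOR (assumed stand-in for
    the 'modified RC4'). Every step is an XOR, so one function encrypts and decrypts."""
    if len(xor_key) != 16:
        raise ValueError("xor key must be 16 bytes")
    ks = rc4_keystream(key, len(data))
    return bytes(b ^ k ^ xor_key[i % 16] for i, (b, k) in enumerate(zip(data, ks)))


def wire_bytes_for_session(payload: bytes, nonce: bytes) -> bytes:
    """What the same payload looks like on the wire for one C2 connection."""
    return transform(payload, session_key(SHARED_SECRET, nonce))


if __name__ == "__main__":
    first = wire_bytes_for_session(SAMPLE_PAYLOAD, b"\x00" * 8)
    second = wire_bytes_for_session(SAMPLE_PAYLOAD, b"\x01" * 8)
    print("identical bytes on the wire across two sessions:", first == second)
```

The point for defenders: because the key changes per connection, a byte signature on the encrypted C2 stream cannot match across sessions, so detection has to rely on the decoded payload or on the shellcode's download behavior rather than on the ciphertext.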

The researchers list additional common features.

The bottom line

BendyBear's emergence highlights the challenges ahead for the cybersecurity industry. Its stealth and detection-evasion techniques indicate that this malware developer group has become more focused on achieving a high level of technical sophistication.

Source: https://cyware.com/news/a-new-malware-shares-similarities-with-waterbear-7344edfd
