IT Pro is supported by its audience. When you purchase through links on our site, we may earn an affiliate commission. Learn more

'BendyBear' APT malware linked to Chinese government hackers

Security researchers warn that the malware’s anti-analysis techniques make it exceptionally difficult to detect

Security researchers have warned of a new malware strain linked to cyber attacks on governments in East Asia.

According to researchers at Palo Alto Networks, the malware, dubbed “BendyBear,” is “one of the most sophisticated, well-engineered and difficult-to-detect samples of shellcode” used by a hacking group. Researchers believe it’s related to the WaterBear malware family, which has been active since as early as 2009.

The malware is associated with the cyber espionage group BlackTech, which has links to the Chinese government. Researchers said they believed the group behind this new malware is responsible for recent attacks against several East Asian government organizations. 

The malware was identified by its connections to a malicious C2 domain discovered by Taiwan’s Ministry of Justice Investigation Bureau in August 2020.

Researchers said the malware’s sole target is to download a more robust implant from a command and control (C2) server. They added this kind of malware is normally small, but BendyBear has over 10,000 bytes of code and uses its size to implement advanced features and anti-analysis techniques, such as modified RC4 encryption, signature block verification, and polymorphic code.

The malware hides from cyber security analysis by explicitly checking its environment for signs of debugging. For example, the malware loads payloads directly into memory and not on a disk, meaning it’s leaving behind no traditional fingerprints for threat researchers and security products to find — thus making it exceptionally difficult to detect.

It also uses polymorphic code, changing its runtime footprint during code execution to thwart memory analysis and evade signature identification. BendyBear also hides its connection protocol by connecting to the C2 server over a common port (443), in essence, blending in with normal SSL network traffic. In addition, the malware clears the host’s DNS cache every time it attempts to connect to its C2 server, making the host resolve the current IP address for the malicious C2 domain every time.

It also uses an existing Windows registry key enabled by default in Windows 10 to store configuration data.

Researchers said that BendyBear shellcode contains advanced features that are not typically found in shellcodes. 

“The use of anti-analysis techniques and signature block verification indicate that the developers care about stealth and detection-evasion. Additionally, the use of custom cryptographic routines and byte manipulations suggest a high level of technical sophistication,” added researchers.

Featured Resources

The Total Economic Impact™ Of Turbonomic Application Resource Management for IBM Cloud® Paks

Business benefits and cost savings enabled by IBM Turbonomic Application Resource Management

Free Download

The Total Economic Impact™ of IBM Watson Assistant

Cost savings and business benefits enabled by Watson Assistant

Free Download

The field guide to application modernisation

Moving forward with your enterprise application portfolio

Free Download

AI for customer service

Discover the industry-leading AI platform that customers and employees want to use

Free Download

Recommended

Cyber resiliency and end-user performance
Whitepaper

Cyber resiliency and end-user performance

17 Aug 2022
Can't choose between public and private cloud? You don't have to with IaaS
Whitepaper

Can't choose between public and private cloud? You don't have to with IaaS

12 Aug 2022
What is zero trust?
network security

What is zero trust?

14 Jul 2022
Retbleed hardware-level flaw brings overhead woe to Intel and AMD
Hardware

Retbleed hardware-level flaw brings overhead woe to Intel and AMD

13 Jul 2022

Most Popular

UK water supplier confirms hack by Cl0p ransomware gang
ransomware

UK water supplier confirms hack by Cl0p ransomware gang

16 Aug 2022
Why convenience is the biggest threat to your security
Sponsored

Why convenience is the biggest threat to your security

8 Aug 2022
How to boot Windows 11 in Safe Mode
Microsoft Windows

How to boot Windows 11 in Safe Mode

29 Jul 2022