'BendyBear' APT malware linked to Chinese government hackers

Security researchers warn that the malware’s anti-analysis techniques make it exceptionally difficult to detect

Malware in code

Security researchers have warned of a new malware strain linked to cyber attacks on governments in East Asia.

According to researchers at Palo Alto Networks, the malware, dubbed “BendyBear,” is “one of the most sophisticated, well-engineered and difficult-to-detect samples of shellcode” used by a hacking group. Researchers believe it’s related to the WaterBear malware family, which has been active since as early as 2009.

The malware is associated with the cyber espionage group BlackTech, which has links to the Chinese government. Researchers said they believed the group behind this new malware is responsible for recent attacks against several East Asian government organizations. 

The malware was identified by its connections to a malicious C2 domain discovered by Taiwan’s Ministry of Justice Investigation Bureau in August 2020.

Researchers said the malware’s sole target is to download a more robust implant from a command and control (C2) server. They added this kind of malware is normally small, but BendyBear has over 10,000 bytes of code and uses its size to implement advanced features and anti-analysis techniques, such as modified RC4 encryption, signature block verification, and polymorphic code.

The malware hides from cyber security analysis by explicitly checking its environment for signs of debugging. For example, the malware loads payloads directly into memory and not on a disk, meaning it’s leaving behind no traditional fingerprints for threat researchers and security products to find — thus making it exceptionally difficult to detect.

It also uses polymorphic code, changing its runtime footprint during code execution to thwart memory analysis and evade signature identification. BendyBear also hides its connection protocol by connecting to the C2 server over a common port (443), in essence, blending in with normal SSL network traffic. In addition, the malware clears the host’s DNS cache every time it attempts to connect to its C2 server, making the host resolve the current IP address for the malicious C2 domain every time.

It also uses an existing Windows registry key enabled by default in Windows 10 to store configuration data.

Researchers said that BendyBear shellcode contains advanced features that are not typically found in shellcodes. 

“The use of anti-analysis techniques and signature block verification indicate that the developers care about stealth and detection-evasion. Additionally, the use of custom cryptographic routines and byte manipulations suggest a high level of technical sophistication,” added researchers.

Featured Resources

Unlocking collaboration: Making software work better together

How to improve collaboration and agility with the right tech

Download now

Four steps to field service excellence

How to thrive in the experience economy

Download now

Six things a developer should know about Postgres

Why enterprises are choosing PostgreSQL

Download now

The path to CX excellence for B2B services

The four stages to thrive in the experience economy

Download now

Recommended

HackBoss malware is using Telegram to steal cryptocurrency from other hackers
cryptocurrencies

HackBoss malware is using Telegram to steal cryptocurrency from other hackers

16 Apr 2021
Mastering endpoint security implementation
Security

Mastering endpoint security implementation

16 Apr 2021
US, UK say Russia was behind SolarWinds hack
cyber attacks

US, UK say Russia was behind SolarWinds hack

16 Apr 2021

Most Popular

Microsoft is submerging servers in boiling liquid to prevent Teams outages
data centres

Microsoft is submerging servers in boiling liquid to prevent Teams outages

7 Apr 2021
Xiaomi Redmi Note 10 Pro review: Champagne tastes on a lemonade budget
Mobile Phones

Xiaomi Redmi Note 10 Pro review: Champagne tastes on a lemonade budget

13 Apr 2021
NSA uncovers new "critical" flaws in Microsoft Exchange Server
servers

NSA uncovers new "critical" flaws in Microsoft Exchange Server

14 Apr 2021