A new, highly sophisticated malware threat has been detected by researchers at Palo Alto Networks. The threat was named BendyBear because there are strong links between it and WaterBear, a modular malware used in an attack campaign that has been going on since at least 2009. Although WaterBear has been categorized as an implant with a wide range of threatening functionalities, such as file manipulation and exfiltration, shell access, a screenshot grabber, and more, it does not come close to the capabilities of BendyBear.
The infosec researchers who analyzed BendyBear describe it as the most sophisticated Chinese malware created so far. They also attribute the malware to the cyberespionage group BlackTech, which has been carrying out attack campaigns against tech entities and government agencies in East Asia.
When deployed on the target's computer, BendyBear acts as a stage-zero implant tasked with delivering a more robust, next-stage payload. As such, the attackers' goal is to keep the threat as hidden as possible. It may seem counterintuitive, then, that at over 10,000 bytes of machine code BendyBear is considerably larger than other threats of the same type. The larger size, however, has allowed the attackers to pack their malware tool with a plethora of complex detection-avoidance and anti-analysis techniques.
Sophisticated Stealth and Detection-Evasion Features
The threat possesses a highly malleable structure. It runs anti-debugging checks and attempts to avoid static detection through position-independent code. Each communication session with the Command-and-Control (C2, C&C) infrastructure of the campaign is accompanied by the generation of a unique session key. To hide the abnormal traffic it creates, BendyBear attempts to blend in with normal SSL network traffic by using a common port (443).
For encryption, BendyBear employs a modified RC4 cipher. Other unique aspects of the threat are polymorphic code that allows it to change its runtime footprint during execution and the ability to perform signature block verification. To store its configuration data, BendyBear uses an existing registry key that is enabled by default on Windows 10 systems. To further minimize the traces it leaves, the threat loads the next-stage payloads directly into the memory of the compromised system without dropping them onto the disk.
BendyBear is exceptionally difficult to detect, and organizations must stay vigilant to catch the attack in its early stages.