A New Malware Shares Similarities With WaterBear

About the malware

• Dubbed BendyBear by experts, the malware is possibly handcrafted by an APT group named BlackTech (aka Palmerworm group).
• With 10,000+ bytes of machine code, BendyBear’s behavior and features strongly correlate with BlackTech-associated, and multifaceted, WaterBear malware.
• The cyberespionage group was recently found targeting East Asian government organizations in coordinated attacks.

How does it work?

• The BendyBear sample shellcode performs a sole function to download a more robust implant from attacker-controlled C2 servers.
• It uses its larger size to implement advanced features and anti-analysis techniques such as modified RC4 encryption, signature block verification, and polymorphic code.
• In addition, BendyBear leverages the existing Windows registry key, generates unique session keys for each connection to the C2 server, and encrypts or decrypts function (code) blocks during runtime, at a macro level.
• The deployment infection vector, exploit vector, potential victims, or intended use of the malware in the latest campaign are yet to be known.

The WaterBear connection

• Both the malware make use of a modified RC4, 16-Byte XOR keys, and have similar  encrypt/decrypt function routines.
• Both are designed to accept encrypted chunks of data for payloads.
• Furthermore, both these malware obfuscate runtime function addresses.

The bottom line