Waterbear Modular Malware Campaign Lashes out at Taiwanese Government

A number of Taiwanese government entities have been recently targeted by a fresh Waterbear campaign in sophisticated cyberattacks. Associated with the BlackTech threat group, the malware has been observed utilizing leftovers from previous attacks on the same targets in April 2020 that had not been fully eradicated.

Key features 

According to a report released by CyCraft researchers, the latest Waterbear malware has been featuring different capabilities allowing the Waterbear loader to deploy additional malicious packages. 
  • The campaign has leveraged a vulnerability in a common and trusted Data Loss Prevention (DLP) tool to load Waterbear malware, perform DLL hijacking, and stealthily trigger next stage malware.
  • With a decade-old antivirus evasion technique known as Heaven's Gate, the attackers have been successfully tricking Windows to hide and bypass Waterbear's network behaviors from security engines.
  • In addition, the attackers used enlarged binary size to bypass scanning protocols altogether, forced DLLs to unload to obfuscate malware, and padded memory with Kernel32 content to confuse analyses.
  • The threat actor leveraged Windows IKEEXT Service, and system services such as Winmgmt, System Event Notification Service (SENS), Wuauserv, and LanmanServer in their attacks.

BlackTech’s recent targets

BlackTech, also known as the Palmerworm group, is known to target technology companies and government entities across Taiwan, Japan, and Hong Kong.
  • In September, the group had used a brand new suite of custom malware to target organizations in the media, construction, engineering, electronics, and finance sectors in Japan, Taiwan, the U.S., and China.
  • In August, BlackTech had targeted at least ten government agencies, and around 6,000 email accounts of government officials were infiltrated to steal sensitive data from the Taiwanese government and tech companies.

Preventative solutions

With better stealth capabilities, the chances of the success of malware campaigns have been increasing. Experts advise adding listed IOCs to create blacklists for detection and response solutions. Organizations and users are recommended to use firewalls, antivirus, and DLP solutions, as well as AI-driven detection and response solutions to increase SOC efficiency, automate investigations, and reduce alert fatigue.