BendyBear is a stealth-focused Advanced Persistent Threat (APT) malware. Its main function is therefore to lie undetected in infected systems for long periods of time, providing a staging ground for further exploits and attacks.
More specifically, it operates as x64 shellcode whose sole job is to download additional malicious payloads to the target device from attacker-controlled command and control (C2) servers. Shellcode is software that, when executed, opens a remote shell, giving attackers command-line interpreter (CLI) access to the compromised machine.
An attacker can use this access to browse system contents, execute processes, alter the system’s behavior or settings, or manually deploy additional malware.
Because the cybersecurity community only became aware of BendyBear as recently as August 2020, there is still no definitive answer as to what infection vector is used to deploy the malware to target systems, although phishing and spearphishing are the top possibilities.
Without knowing its ultimate intent, it’s also still unclear who potential victims might be and what further exploit vectors may be employed. However, it is clear that governments and their contracted information service providers are some of its favored initial targets.
The best bet for organizations to insulate against newly emerging threats utilizing sophisticated techniques is to be more proactive about their security.
LIFARS is an industry leader that develops proactive strategies and tactics against evolving cybersecurity threats. Our services, such as comprehensive gap assessment, red-teaming, penetration testing, threat hunting and vulnerability assessment, reveal a company’s vulnerabilities.
Resemblance with WaterBear
BendyBear malware closely resembles the WaterBear malware family (active since 2009), often deployed against East Asian governments such as Japan, Taiwan, and Hong Kong. WaterBear is strongly linked to the Chinese cyberespionage group, BlackTech, which in turn has confirmed ties to the Chinese Government. This raises the suspicion that BendyBear might be from the same source.
Despite having a larger file size than most APTs (10,000+ bytes of machine code), BendyBear is one of the most sophisticated and hard-to-detect malware of its kind. Its creators have endowed it with advanced anti-detection and obfuscation techniques, such as RC4 encryption, signature block verification, and polymorphic code.
A number of its anti-detection features and characteristics are unique for similar zero-stage malware:
- Transmits payloads in modified RC4-encrypted chunks. This hardens the encryption of the network communication, as a single RC4 key will not decrypt the entire payload.
- Attempts to remain hidden from cybersecurity analysis by explicitly checking its environment for signs of debugging.
- Leverages an existing Windows registry key, enabled by default in Windows 10, to store configuration data.
- Clears the host’s DNS cache every time it attempts to connect to its C2 server, thereby requiring that the host resolve the current IP address for the malicious C2 domain each time.
- Generates unique session keys for each connection to the C2 server.
- Obscures its connection protocol by connecting to the C2 server over a common port (443), thereby blending in with normal SSL network traffic.
- Employs polymorphic code, changing its runtime footprint during code execution to thwart memory analysis and evade signaturing.
- Encrypts or decrypts function blocks (code blocks) during runtime, as needed, to evade detection.
- Uses position independent code (PIC) to throw off static analysis tools.
How to Protect Your Organization Against APT Attacks Like BendyBear
Because of the inherent uncertainty surrounding the BendyBear malware, it’s difficult to prescribe definite steps to defend against it or to protect against further attack vectors. However, there are certain danger signs we can point to, thanks to information and code snippets made available by authorities:
1. Taiwan authorities have released a list of 11 suspicious Chinese-linked domain names that should be on every security block-list:
2. Know the related shellcode sample IoCs and flag them as malicious in your security solutions:
- x64 – (version 0.24): 64CC899EC85F612270FCFB120A4C80D52D78E68B05CAF1014D2FE06522F1E2D0 wg1.inkeslive[.]com
- x86 – (version 0.1): 49901034216a16cfd05c613f438eccee4a7bf6079a7988b3e7094d9498379558 web2008.rutentw[.]com
- Check your inbound/outbound traffic regularly for any suspicious activity, especially TCP port 443 logs.
- Regularly perform audits of your systems’ services, registries, DNS, etc.
- Make use of security software that can block shellcode execution.
- Establish an endpoint perimeter using techniques like whitelisting.
- Keep your security software updated and patch relevant systems regularly.
- Invest in incident response (IR) so that, once an IoC is detected, you can immediately conduct a forensic investigation and remove and remediate all threat actor activity.
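As an added example (not part of the original post and not any vendor's tooling), the following Python sweep checks file hashes and resolver log lines against the two IoCs listed above. It assumes the listed hashes are SHA-256 (consistent with their 64-hex-digit length); the DNS log lines are constructed for the self-check and are not real traffic.

```python
import hashlib
import re

# Indicators quoted in the post: hashes of the two shellcode samples (assumed
# SHA-256 from their length) and the domains listed next to them, defanged with [.].
IOC_HASHES = {
    "64cc899ec85f612270fcfb120a4c80d52d78e68b05caf1014d2fe06522f1e2d0": "BendyBear x64 v0.24",
    "49901034216a16cfd05c613f438eccee4a7bf6079a7988b3e7094d9498379558": "BendyBear x86 v0.1",
}
IOC_DOMAINS_DEFANGED = ["wg1.inkeslive[.]com", "web2008.rutentw[.]com"]


def refang(domain):
    """Turn a defanged indicator ([.]) back into a matchable lowercase hostname."""
    return domain.replace("[.]", ".").lower()


def sha256_file(path):
    """Hash a file in 1 MiB blocks so large binaries need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(1 << 20), b""):
            h.update(block)
    return h.hexdigest()


def match_hash(digest):
    """Return the sample label if a hex digest is one of the listed IoC hashes."""
    return IOC_HASHES.get(digest.lower())


def scan_dns_log(lines):
    """Return (line number, C2 domain) for every line that names a listed domain
    or a subdomain of it; labels match whole, so look-alike names are ignored."""
    domains = [refang(d) for d in IOC_DOMAINS_DEFANGED]
    hits = []
    for num, line in enumerate(lines, 1):
        for host in re.findall(r"[A-Za-z0-9.-]+\.[A-Za-z]{2,}", line):
            host = host.lower()
            hits.extend((num, d) for d in domains if host == d or host.endswith("." + d))
    return hits


# Constructed sample resolver log lines (not real captured traffic) for a self-check.
SAMPLE_DNS_LOG = [
    "2021-02-10 09:14:02 client 10.0.0.12 query A wg1.inkeslive.com",
    "2021-02-10 09:14:03 client 10.0.0.12 query A updates.example.com",
    "2021-02-10 09:15:41 client 10.0.0.7 query A web2008.rutentw.com.",
]
```

Run `scan_dns_log` over your own resolver export and `match_hash(sha256_file(p))` over suspicious binaries; a hit on either should open an IR ticket rather than a quiet cleanup, since the shellcode is only the first stage.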