BendyBear – The New Malware Similar to WaterBear

by CISOCONNECT Bureau

Unit 42 researchers have recently come across the most sophisticated, well-engineered, and difficult-to-detect polymorphic malware they have analyzed. The malware, dubbed BendyBear by the researchers, is believed to be handcrafted by an APT group named BlackTech (aka the Palmerworm group).

With 10,000+ bytes of machine code, BendyBear’s behavior and features strongly correlate with the multifaceted, BlackTech-associated WaterBear malware. The cyberespionage group was recently found targeting East Asian government organizations in coordinated attacks.

Working Mechanism
The BendyBear sample is shellcode with a single purpose: downloading a more robust implant from attacker-controlled command-and-control (C2) servers. It uses its larger size to implement advanced features and anti-analysis techniques such as modified RC4 encryption, signature block verification, and polymorphic code. In addition, BendyBear leverages an existing Windows registry key, generates a unique session key for each connection to the C2 server, and encrypts and decrypts function (code) blocks at runtime, so that only the block currently executing is in the clear.

The infection vector, exploit vector, intended victims, and intended use of the malware in the latest campaign are not yet known.
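Code that stays encrypted until the moment it runs, as described above, defeats byte-pattern signatures but leaves a statistical trace: encrypted or packed blocks have near-random byte distributions. The following added example (written for this page; it is not Unit 42's tooling and does not model BendyBear's actual cipher or layout) shows how a defender can flag such regions in a memory dump or file by sliding a Shannon-entropy window over the bytes and merging the high-entropy windows into candidate ranges. The sample buffer is constructed inline: two blocks of repetitive program text around a block of seeded pseudo-random bytes standing in for an encrypted code block; the window size, step and 7.0-bit threshold are assumptions to tune per target.

```python
import math
import random
from collections import Counter


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte (0.0 for empty or single-valued input, 8.0 max)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def high_entropy_windows(data: bytes, window: int = 1024, step: int = 256,
                         threshold: float = 7.0):
    """Return (offset, entropy) for every window whose entropy reaches the threshold."""
    hits = []
    last_start = max(len(data) - window, 0)
    for off in range(0, last_start + 1, step):
        ent = shannon_entropy(data[off:off + window])
        if ent >= threshold:
            hits.append((off, round(ent, 2)))
    return hits


def find_encrypted_regions(data: bytes, window: int = 1024, step: int = 256,
                           threshold: float = 7.0):
    """Merge overlapping high-entropy windows into [start, end) byte ranges."""
    regions = []
    cur_start = cur_end = None
    for off, _ in high_entropy_windows(data, window, step, threshold):
        if cur_start is not None and off <= cur_end:
            cur_end = off + window          # extend the current region
        else:
            if cur_start is not None:
                regions.append((cur_start, cur_end))
            cur_start, cur_end = off, off + window
    if cur_start is not None:
        regions.append((cur_start, cur_end))
    return regions


def build_sample() -> bytes:
    """Constructed test buffer: plain text (0-2047), pseudo-random 'encrypted'
    block (2048-6143), plain text again (6144-8191). Seeded so it is reproducible."""
    rng = random.Random(1337)
    plain = (b"This is ordinary program text and constants. " * 64)[:2048]
    encrypted = bytes(rng.getrandbits(8) for _ in range(4096))
    return plain + encrypted + plain


if __name__ == "__main__":
    sample = build_sample()
    for start, end in find_encrypted_regions(sample):
        print(f"candidate encrypted block at 0x{start:x}-0x{end:x} "
              f"(entropy {shannon_entropy(sample[start:end]):.2f})")
```

Entropy alone cannot tell an encrypted code block from a compressed resource or a legitimate key blob, so in practice this is a triage signal: a high-entropy region inside an executable section of a running process, especially one whose contents change between two memory snapshots, is what warrants a closer look for runtime-decrypted code.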

Similarities to WaterBear Malware
BendyBear and WaterBear have several features in common, which indicates a possible connection between the two. Both malware families make use of a modified RC4, 16-byte XOR keys, and similar encrypt/decrypt function routines.

Both are designed to accept encrypted chunks of data for payloads. Furthermore, both obfuscate runtime function addresses. The researchers list other common features as well.

Conclusion
BendyBear’s emergence highlights the challenges ahead for the cybersecurity industry. Its stealth and detection-evasion techniques indicate that this malware developer group has become more focused on a high level of technical sophistication.
