Security researchers have warned that newly discovered malware is connected to cyber attacks on governments in East Asia.
According to researchers at Palo Alto Networks, the malware, dubbed “BendyBear,” is “one of the most sophisticated, well-engineered and difficult-to-detect samples of shellcode” used by a hacking group. Researchers believe it is linked to the WaterBear malware family, which has been active since as early as 2009.
The malware is associated with the cyber espionage group BlackTech, which has links to the Chinese government. Researchers said they believe the group behind this new malware is responsible for recent attacks against several East Asian government organisations.
The malware was identified through its connections to a malicious C2 domain identified by Taiwan’s Ministry of Justice Investigation Bureau in August 2020.
Researchers said the malware’s sole purpose is to download a more robust implant from a command and control (C2) server. They added that this kind of malware is typically small, but BendyBear has around 10,000 bytes of code and uses its size to implement advanced features and anti-analysis techniques, such as modified RC4 encryption, signature block verification, and polymorphic code.
The malware hides from security analysis by explicitly checking its environment for signs of debugging. It also loads payloads directly into memory rather than onto disk, meaning it leaves behind no traditional fingerprints for threat researchers and security products to find, which makes it extremely difficult to detect.
It also uses polymorphic code, changing its runtime footprint during execution to thwart memory analysis and evade signature identification. BendyBear also conceals its connection protocol by connecting to the C2 server over a common port (443), in effect blending in with normal SSL network traffic. In addition, the malware clears the host’s DNS cache every time it attempts to connect to its C2 server, forcing the host to resolve the current IP address for the malicious C2 domain each time.
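The DNS-cache-clearing behaviour described above can be turned into a simple host-level detection heuristic: a process that flushes the resolver cache and then, within a few seconds, opens an outbound connection on port 443, repeatedly and to changing peer addresses. This is an added example, not code from the article or from Palo Alto Networks; the event records, field names and the five-second window are constructed here for illustration.

```python
from collections import defaultdict

# Constructed host telemetry, not real BendyBear data.
# Each record: (timestamp_seconds, pid, event_kind, detail)
EVENTS = [
    (100, 4120, "dns_flush", ""),
    (101, 4120, "dns_resolve", "update.example.test=203.0.113.10"),
    (102, 4120, "net_connect", "203.0.113.10:443"),
    (700, 4120, "dns_flush", ""),
    (701, 4120, "dns_resolve", "update.example.test=203.0.113.77"),
    (702, 4120, "net_connect", "203.0.113.77:443"),
    (300, 2200, "dns_resolve", "www.example.test=198.51.100.5"),
    (301, 2200, "net_connect", "198.51.100.5:443"),   # normal: no flush first
    (900, 3300, "dns_flush", ""),                      # admin flush, no connection
]


def find_flush_then_connect(events, window_s=5, port=443):
    """Per pid, list (flush_ts, peer_ip) for every DNS cache flush that the
    same process follows within window_s seconds with a connection on port."""
    by_pid = defaultdict(list)
    for ev in sorted(events):            # sort by timestamp, then pid
        by_pid[ev[1]].append(ev)
    hits = defaultdict(list)
    for pid, evs in by_pid.items():
        for i, (ts, _, kind, _) in enumerate(evs):
            if kind != "dns_flush":
                continue
            for ts2, _, kind2, detail in evs[i + 1:]:
                if ts2 - ts > window_s:  # outside the correlation window
                    break
                if kind2 == "net_connect" and detail.endswith(f":{port}"):
                    hits[pid].append((ts, detail.rsplit(":", 1)[0]))
                    break
    return dict(hits)


def repeated_flush_connect(events, min_hits=2, **kw):
    """Processes showing the flush-then-connect pattern at least min_hits times,
    with the distinct peer IPs seen; a C2 domain whose address changes between
    beacons shows up as more than one IP for the same process."""
    return {
        pid: sorted({ip for _, ip in hs})
        for pid, hs in find_flush_then_connect(events, **kw).items()
        if len(hs) >= min_hits
    }
```

Only pid 4120 is reported here; the process that resolves and connects without a flush, and the one that flushes without connecting, both fall through.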
It also uses an existing Windows registry key, enabled by default in Windows 10, to store configuration data.
Researchers said that the BendyBear shellcode includes advanced features that are not usually found in shellcode.
“The use of anti-analysis techniques and signature block verification indicate that the developers care about stealth and detection evasion. Furthermore, the use of custom cryptographic routines and byte manipulations suggest a higher level of technical sophistication,” the researchers added.