Most Sophisticated BendyBear APT Malware Linked With Chinese Hacking Group BlackTech

During a core investigation, the Unit 42 researchers have discovered a new polymorphic and “highly sophisticated” and well-engineered malware that is named as BendyBear; not only this, but this malware is linked to a hacking group with familiar relations to the Chinese government.

BendyBear is assumed to be a modification of WaterBear; it is a campaign that utilizes modular malware and has been operating since 2009.

However, WaterBear is related to BlackTech, a cyberespionage group that is linked by threat researchers to the Chinese government. 

The analysis that has been pronounced by Trend Micro, WaterBear is a multifaceted malware that is capable of file transfer, shell access, screen capture, and many more.

Features and capabilities of the malware

Researchers has mentioned the features and capabilities of the malware, and here they are:-

  • It transmits payloads in modified RC4-encrypted parts, and it hardens the encryption of the network interface, as a single RC4 key will not decrypt the whole payload.
  • It gives all its efforts to remain hidden from cybersecurity investigation by explicitly checking its surroundings for signs of debugging.
  • Leverages existing Windows registry key that is allowed by default in Windows 10 to store configuration data.
  • It clears the host’s DNS cache every time it tries to connect to its C2 server by claiming the host that resolves the current IP address for the malicious C2 domain each time.
  • It generates individual session keys for every connection to the C2 server.
  • This malware hides its connection protocol by connecting to the C2 server over a common port (443), thereby combining it with normal SSL network traffic.
  • This malware also uses polymorphic code, altering its runtime footprint during code execution to prevent memory analysis and evade signature.
  • It encrypts and decrypts function blocks during runtime, as it requires, to evade detection.
  • The malware uses position-independent code (PIC) to cast off static analysis tools.

Modules used

The experts have started a list of modules that have been used by the malware:

  • Advapi32.dll
  • Kernel32.dll
  • Msvcrt.dll
  • User32.dll
  • Ws2_32.dll
  • dnsapi.dll

Network Communications

This malware flushes the shellcode of the host DNS cache before communicating with the C2 server by executing the following commands:-

  • Loads module dnsapi.dll
  • Calls API DnsFlushResolverCache

According to the report, all domains resolved are cleared from the host’s DNS cache when the API is being called. This overpowers the host to determine the current IP that is being associated with the C2 domain.

It also ensures that communication must be continued as the network infrastructure becomes negotiated or unavailable. Moreover, it also signifies the developers that own the domain and can update the IP.

However, the security team affirmed that it is publishing indicators of compromise and other data to help the organizations so that they can settle if they’ve been compromised by BendyBear and block future attacks.

Apart from this, the experts of Unit 42 also asserted that while it published the research in the hope of obtaining BendyBear, a less potent tool for cyberespionage, it warned that all the organizations must remain vigilant against the cyber attackers.

You can follow us on LinkedinTwitterFacebook for daily Cybersecurity and hacking news updates.

BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.