At over 10,000 bytes in size, this beefy bear is one of the most sophisticated and evasive pieces of shellcode ever deployed by an APT.

In the Chinese zodiac it is now the Year of the Metal Ox, and guess which uninvited guest has made an appearance? A large Water Bear!

Horoscopic beliefs aside, the WaterBear malware family is something to watch out for. WaterBear is associated with the cyber-espionage group BlackTech, which much of the threat research community assesses to have ties to the Chinese government, and which is believed to be responsible for recent attacks on several East Asian government organizations.

Researchers at Palo Alto Networks’ Unit 42 threat research group have found a new WaterBear variant, dubbed BendyBear, which they describe as one of the most sophisticated, well-engineered and evasive polymorphic malware samples used by an advanced persistent threat.

BendyBear is highly malleable and highly sophisticated, and it runs as more than 10,000 bytes of x64 machine code, or ‘shellcode’: position-independent code loaded onto the target and executed directly, typically immediately after exploitation, whether or not it actually spawns a command shell. That size is unusual; shellcode is normally kept as small as possible.

The bearish malware’s sole function is to download a more robust implant from a command-and-control (C2) server. Its large size goes to the advanced features and anti-analysis techniques packed around that one task, such as modified RC4 encryption of its traffic, signature block verification of what it receives, and polymorphic code.
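To make the last two of those concrete, here is an added illustration (not BendyBear's code, and not from Unit 42's analysis) of why a stager that pulls its real implant over an RC4-encrypted channel also needs a signature block before it loads anything. The page gives neither BendyBear's RC4 modification nor its signature block format, so this example uses unmodified RC4 and assumes a chunk layout of its own (a 32-byte HMAC-SHA256 tag over a magic marker, a length field and the payload); the keys and payload bytes are constructed for the demonstration. The point it shows is that a stream cipher alone gives no integrity: flipping one ciphertext bit flips the same plaintext bit, so without the signature check a tampered or substituted payload would decrypt "cleanly" and be executed.

```python
"""RC4-encrypted payload chunk with a signature block, as an analyst's reference.

Added example, not BendyBear's implementation: RC4 here is the textbook cipher
(BendyBear's modification is not on the page), and the chunk layout, key material
and payload are assumptions constructed for the demonstration.
"""
import hashlib
import hmac

MAGIC = b"CHNK"   # assumed start-of-chunk marker; not a real BendyBear constant
TAG_LEN = 32      # HMAC-SHA256 digest length


def rc4_keystream(key: bytes):
    """Yield RC4 keystream bytes for `key` (KSA followed by PRGA)."""
    s = list(range(256))
    j = 0
    for i in range(256):                          # key-scheduling algorithm
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    i = j = 0
    while True:                                   # pseudo-random generation
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        yield s[(s[i] + s[j]) & 0xFF]


def rc4(key: bytes, data: bytes) -> bytes:
    """Encrypt or decrypt (same operation) by XORing with the keystream."""
    ks = rc4_keystream(key)
    return bytes(b ^ next(ks) for b in data)


def build_chunk(cipher_key: bytes, sig_key: bytes, payload: bytes) -> bytes:
    """Server side: sign the plaintext body, then RC4-encrypt tag + body."""
    body = MAGIC + len(payload).to_bytes(4, "little") + payload
    tag = hmac.new(sig_key, body, hashlib.sha256).digest()
    return rc4(cipher_key, tag + body)


def verify_chunk(cipher_key: bytes, sig_key: bytes, blob: bytes):
    """Stager side: decrypt, verify the signature block, then parse.

    Returns the payload bytes, or None if any check fails. Verification
    happens before the length field or payload is trusted for anything.
    """
    plain = rc4(cipher_key, blob)
    tag, body = plain[:TAG_LEN], plain[TAG_LEN:]
    expected = hmac.new(sig_key, body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):    # constant-time compare
        return None
    if body[:4] != MAGIC:
        return None
    length = int.from_bytes(body[4:8], "little")
    if len(body) != 8 + length:
        return None
    return body[8:]


if __name__ == "__main__":
    # Constructed demo values, not real keys or an actual implant.
    ckey, skey = b"stager-rc4-key", b"stager-sig-key"
    implant = b"\x90" * 16 + b"fake second-stage implant bytes"
    blob = build_chunk(ckey, skey, implant)
    print("genuine chunk accepted:", verify_chunk(ckey, skey, blob) == implant)

    # Bit-flip the last ciphertext byte: RC4 propagates it straight into the
    # payload, and only the signature block catches it.
    tampered = bytearray(blob)
    tampered[-1] ^= 0x01
    print("tampered chunk accepted:", verify_chunk(ckey, skey, bytes(tampered)) is not None)
    print("raw RC4 of tampered chunk still 'decrypts':",
          rc4(ckey, bytes(tampered))[TAG_LEN:TAG_LEN + 4] == MAGIC)
```

For a defender the practical reading is the inverse of the stager's: to decode a captured chunk you need both the (modified) RC4 key schedule and the signature block layout, which is exactly why these two features raise the cost of analysis.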

Back in August 2020, Taiwan’s Ministry of Justice Investigation Bureau published details of two Chinese APT groups, BlackTech and Taidoor, which often infiltrated government agencies by exploiting weaknesses at their information service providers and then moving into the remote desktop environments shared by government agencies. Today’s BendyBear shellcode is the most recent specimen of that threat.

Because the shellcode does nothing useful until it reaches its C2 server for the real implant, defenders can blunt BendyBear attacks with next-generation firewalls combined with DNS security, URL filtering and AI or machine-learning based detection tools that block or flag that outbound traffic.