Chinese APT Group Deploys 'Most Sophisticated' Shellcode

Newly Discovered BendyBear's Advanced Features Include Anti-Analysis Capabilities
BlackTech, a Chinese advanced persistent threat group, is deploying a sophisticated new shellcode called BendyBear as part of its latest espionage campaign, security firm Palo Alto Networks reports.
BendyBear is a stage-zero implant that has been designed to download more advanced malware from its command-and-control server. Palo Alto researchers describe the malware as one of the "most sophisticated, well-engineered and difficult-to-detect samples of shellcode employed by an advanced persistent threat group."
The researchers' report notes: "The BendyBear sample was determined to be x64 shellcode for a stage-zero implant whose sole function is to download a more robust implant from a command and control (C2) server."
The malware has been deployed by the group as part of cyberespionage campaigns across Southeast Asia.
BendyBear is described as a new class of shellcode with unique capabilities, including:
- Transmitting payloads in modified RC4-encrypted chunks, making the decryption of the code more difficult;
- Leveraging an existing Windows registry key that is enabled by default in Windows 10 to store configuration data;
- Generating unique session keys for each connection to the C2 server;
- Using a polymorphic approach to thwart memory analysis and evade signaturing.
Palo Alto Networks notes BendyBear's infrastructure overlaps with that of the WaterBear malware family, which BlackTech has used since 2009.
Unlike WaterBear, however, BendyBear comes with more advanced capabilities, including API hashing, process hiding and network traffic filtering.
BlackTech, also known as CircuitPanda, Temp.Overboard and Huapi, is an APT group that has previously targeted victims in East Asia, particularly Taiwan, and in Japan and Hong Kong as part of cyberespionage campaigns. Officials in Taiwan believe the hacking group has connections to China and its government, Reuters reported in August 2020.
In October 2020, researchers at security firm Symantec revealed that the group targeted organizations in the U.S. and Asia using a previously unseen malware backdoor. Symantec notes the malware has been designed to steal files, intellectual property and government documents from its victims. (See: APT Group Wages Cyber Espionage Campaign)
In August, Taiwan's CyberSecurity Investigation Office revealed that BlackTech was one of the groups that breached the networks of 10 government agencies.
Prior to this, Japan's Computer Security Incident Response Team disclosed more details of Linux malware deployed by BlackTech with a custom communication protocol and additional characteristics.