CyberWire Daily - BendyBear: difficult to detect and downloader of malicious payloads. [Research Saturday]

Episode Date: March 20, 2021

Guest Jen Miller-Osborn from Palo Alto Networks' Unit 42 joins us to discuss their research into BendyBear. Highly malleable, highly sophisticated and over 10,000 bytes of machine code. The code behavior and features strongly correlate with that of the WaterBear malware family, which has been active since as early as 2009. The malware is associated with the cyber espionage group BlackTech, which many in the broader threat research community have assessed to have ties to the Chinese government, and is believed to be responsible for recent attacks against several East Asian government organizations. Due to the similarities with WaterBear, and the polymorphic nature of the code, Unit 42 named this novel Chinese shellcode “BendyBear.” It stands in a class of its own in terms of being one of the most sophisticated, well-engineered and difficult-to-detect samples of shellcode employed by an Advanced Persistent Threat (APT). The research can be found here: BendyBear: Novel Chinese Shellcode Linked With Cyber Espionage Group BlackTech

Transcript
Starting point is 00:00:00 You're listening to the Cyber Wire Network, powered by N2K. of you, I was concerned about my data being sold by data brokers. So I decided to try Delete.me. I have to say, Delete.me is a game changer. Within days of signing up, they started removing my personal information from hundreds of data brokers. I finally have peace of mind knowing my data privacy is protected. Delete.me's team does all the work for you with detailed reports so you know exactly what's been done. Take control of your data and keep your private life Thank you. JoinDeleteMe.com slash N2K and use promo code N2K at checkout. The only way to get 20% off is to go to JoinDeleteMe.com slash N2K and enter code N2K at checkout. That's JoinDeleteMe.com slash N2K, code N2K. Hello everyone and welcome to the CyberWire's Research Saturday.
Starting point is 00:01:37 I'm Dave Bittner and this is our weekly conversation with researchers and analysts tracking down threats and vulnerabilities, solving some of the hard problems of protecting ourselves in a rapidly evolving cyberspace. Thanks for joining us. So at a very high level, it is one of the most sophisticated, well-engineered, and difficult-to-detect samples of shellcode that we've seen employed by an APT. That's Jen Miller-Osborn. She's Deputy Director of Threat Intelligence at Palo Alto Networks' Unit 42. The research we're discussing today is titled
Starting point is 00:02:15 BendyBear: Novel Chinese Shellcode Linked With Cyber Espionage Group BlackTech. on firewalls and VPNs, yet breaches continue to rise by an 18% year-over-year increase in ransomware attacks and a $75 million record payout in 2024. These traditional security tools expand your attack surface with public-facing IPs that are exploited by bad actors more easily than ever with AI tools.
Starting point is 00:03:01 It's time to rethink your security. Zscaler Zero Trust plus AI stops attackers by hiding your attack surface, making apps and IPs invisible, eliminating lateral movement, connecting users only to specific apps, not the entire network, continuously verifying every request
Starting point is 00:03:20 based on identity and context, simplifying security management with AI-powered automation, and detecting threats using AI to analyze over 500 billion daily transactions. Hackers can't attack what they can't see. Protect your organization with Zscaler Zero Trust and AI. Learn more at zscaler.com slash security. It's also an upgraded variant of WaterBear, which was for 32-bit systems. And this one is designed for modern 64-bit systems. So it shows as well that there's developers behind this that are consistently updating this as operating systems and things like that progress.
Starting point is 00:04:12 One of the final notes that makes this unique and somewhat challenging and definitely challenging is that the shellcode exists only in memory and it can load additional payloads directly into memory and not on disk, which is another component of making it very difficult to detect. Well, let's go through some of the capabilities together here. I mean, what is it able to do? So in terms of capability, what it can do on a system, it's limited to downloading other payloads. So in that perspective, it's not particularly interesting.
Starting point is 00:04:52 What is interesting is the way it does both its communications and the way its polymorphic code ensures that its runtime state varies every time it launches. So that makes it very difficult to detect because typically things and patterns that you would signature on, you can't because every time this is launching, it is looking different. Every time it pings for a C2 domain, it will clear the host cache, the host DNS cache.
Starting point is 00:05:21 So it forces it to resolve every time, which also can impede investigation because there's no cache logs showing that that domain was looked for. But it also implies that the attackers own those domains so they can change the IP they're resolving to if necessary, if for some reason one of them was being detected. And then it also encrypts and decrypts function blocks while it's running only as needed, which is another way to avoid detection. And finally, it also looks for what would be static debugging kind of things before it runs. If it detects those, it won't run because those are a classic sign that it's in an analysis environment. So the author spent quite a bit of time ensuring that this would be incredibly difficult to detect within a network,
Starting point is 00:06:10 but its only actual functionality outside of that is to download additional malicious payloads. So how would someone find themselves with this on their system? What's the mechanism by which it installs itself? We actually don't know. That's one of the things we noted in our research. It does require a loader, but we were not able to find a copy of what that is. So our analysts actually had to build a custom loader to get the shellcode to run. So once you find this on your system, can we walk through together what it does, how it reaches out to that C2 server?
Starting point is 00:06:47 Sure. So it does some level of time evasion, and that's, again, to avoid typical static or dynamic runtime analysis. Typically, most virtual environments, they only wait a set amount of time for a program to do something before determining whether it's malicious or not malicious, which makes sense because, you know, they're processing thousands or millions of files at volume and they can't afford for any network to have a particular file sitting there for, you know, an hour, two hours, two weeks, waiting for a file to do something. So in this number of the more advanced things, we'll see a component where they'll just add that in. And this is the same way they did a number of things to defeat that kind of runtime analysis where they would wait. In addition, they hid their traffic within port 443 SSL traffic, and they were encrypting it. It wasn't SSL encrypted, but it was still encrypted, so it wouldn't necessarily throw any flags just from a casual kind of look. But then it did a number of things to authenticate between the malware itself and the C2 to confirm that it was talking to the correct family,
Starting point is 00:08:08 if that makes sense. There were a number of encryption components when things were transmitted back and forth that was also used for the encryption, which makes it difficult to detect or break. They're calculating the session keys and challenges, but they're doing them per request. And then they're basing the encrypted chunk of the payload that's sent back on the challenge and the response. So it's confirming the two families are talking together, but it also means that you needed the session keys when they were created, really, to be able to decrypt anything and detect it. So it's an easy, it's a good way of hiding traffic inside legitimate traffic and just kind of sneaking in under the radar, if you could say that. And then, once it decrypts it, then it has whatever that malicious payload was, and that payload goes right into memory, so it's not being written anywhere where it could be flagged there.
Starting point is 00:09:08 Yep. It'll also write itself, whatever it is, directly into memory. I see. It's a really well-done stage zero downloader. It's very stealthy and it's very difficult to reverse engineer. The RE that worked on this has been doing this for quite a while and is very experienced, and he noted that this was one of the most complicated pieces of shellcode that he's ever looked at. Wow. Now, there's some things that it's doing in terms of the encryption here. When data is being transferred, it's breaking it down into certain size blocks, and those blocks are each getting encrypted separately?
Starting point is 00:09:51 Mm-hmm. We've seen that with other malware where they do that in an attempt to make it more difficult to reassemble the actual payload so you can understand what it's doing. So they'll encrypt them in bytes and then they'll move them around essentially. So what you need to be able to do is you have to figure out what the routine was that they used to be able to reverse it. And in this case, they modified RC4, which made it just that much a little more difficult because it wasn't traditional RC4.
Starting point is 00:10:26 And then they would do that and then they would XOR the results as well. So it's an effective way of making it very difficult to reassemble even for a researcher. And do you have any sense for what sort of payloads are being delivered here? Has there been any follow-up on that? Unfortunately, we were not able to find any of the follow-on malware associated with this. We would love to talk to someone if they have anything. So if anyone that's listening has anything else on this,
Starting point is 00:10:58 please feel free to reach out. This appears to be a very sophisticated group that is well-resourced and technical. They understand what they're doing and they have developers. So it's definitely something that people should be concerned about if you're the type of organization that they would target. And what sort of conclusions have you drawn in terms of who might be behind this and who they may be targeting? So all of the attribution or such attribution that's been published is tied. This is back to the Chinese government. The article that the Taiwanese Department of Justice published along with the C2 domains also gave that same attribution.
Starting point is 00:11:46 domains also gave that same attribution and then the cyber commands dnmf team actually retweeted us and kept in the tie to black tech and it is generally it is widely assessed that black tech is tied to the chinese government so we can't say with 100 certainty but there seems to be a lot of people in agreement on that right right What are the recommendations in terms of protecting yourself against this? For this, if you are the kind of target they would go for, so this group historically has focused a lot just in the East Asian region, specifically against government and industries like semiconductors, things like that were a technical nature. I would talk to whoever your security provider is, I would have a conversation with them about whether or not you're able to detect this and what that looks like, because it's potentially an indicator of if you find it in your environment, it's been there a while, you probably are going to have to start doing a more thorough investigation of what's going on. So I would recommend organizations confirm that they're protected from this. And do you all have indication that the command and control servers are
Starting point is 00:12:55 active right now, that this is an active campaign out there running? That I would have to double check. We haven't looked at the domains recently, but the last indication we had a few weeks ago, they were still active. I see. Okay. Well, the blog post that you all put up here has a lot of the indicators of compromise and so on. So there's lots of information that folks can use to determine whether or not it's something they should be concerned about. Really interesting research here. Is there anything that I've missed?
Starting point is 00:13:28 Anything I haven't asked you that you think it's important to share? Nope, I don't think so. I just really want to highlight that this is a very stealthy and sophisticated piece of shellcode. So if you're a potential target, please ensure that you are protected from this. Our thanks to Jen Miller-Osborn from Palo Alto Networks' Unit 42 for joining us. The research is titled BendyBear: Novel Chinese Shellcode Linked With Cyber Espionage Group BlackTech. We'll have a link in the show notes. And now a message from BlackCloak. Did you know the easiest way for cyber criminals to bypass your company's defenses
Starting point is 00:14:20 is by targeting your executives and their families at home. Black Cloak's award-winning digital executive protection platform secures their personal devices, home networks, and connected lives. Because when executives are compromised at home, your company is at risk. In fact, over one third of new members discover they've already been breached. Protect your executives and their families 24-7, 365 with Black Cloak. Learn more at blackcloak.io. The Cyber Wire Research Saturday is proudly produced in Maryland out of the startup studios of Data Tribe, where they're co-building the next generation of cybersecurity teams and technologies.
Starting point is 00:15:04 Our amazing Cyber Wire team is Elliot Peltzman, Puru Prakash, Kelsey Bond, Tim Nodar, Joe Kerrigan, Carol Terrio, Ben Yellen, Nick Volecki, Gina Johnson, Bennett Moe, Chris Russell, John Petrick, Jennifer Iben, Rick Howard, Peter Kilpie, and I'm Dave Bittner. Thanks for listening.
