Security researchers have recently discovered a well-engineered, sophisticated, and difficult-to-detect malware believed to have been developed by an APT group named BlackTech, also known as the Palmerworm group. BlackTech is an advanced cyberattack group that generally targets technology companies and government entities across Taiwan, Japan, and Hong Kong. Experts later named the malware BendyBear; it shares several similarities with the WaterBear malware.
The WaterBear malware came into the spotlight in 2020 for targeting Taiwanese government agencies in sophisticated attacks. Beyond sharing 10,000+ bytes of machine code, several behaviors and features of the new BendyBear malware also strongly correlate with the BlackTech-associated WaterBear malware.
The BendyBear malware uses advanced features and anti-analysis techniques such as modified RC4 encryption, signature block verification, and polymorphic code. In addition, BendyBear leverages an existing Windows registry key, generates a unique session key for each connection to the C2 server, and encrypts or decrypts function (code) blocks at runtime, at a macro level.
The good news is that no campaign in which attackers used BendyBear has been detected so far, but its emergence highlights the challenges ahead for the cybersecurity industry. The advanced stealth and detection-evasion techniques indicate that this malware developer group has become more focused on a high level of technical sophistication.