BendyBear is an x64 shellcode for a stage-zero implant designed to download malware from a C2 server. First discovered in August 2020, BendyBear shares a variety of features with Waterbear, malware previously attributed to the Chinese cyber espionage group BlackTech.^[1]

ID: S0574

ⓘ

Type: MALWARE

ⓘ

Platforms: Windows

Version: 1.0

Created: 16 February 2021

Last Modified: 21 April 2021

Techniques Used

Domain	ID		Name	Use
Enterprise	T1001	.001	Data Obfuscation: Junk Data	BendyBear has used byte randomization to obscure its behavior.^[1]
Enterprise	T1140		Deobfuscate/Decode Files or Information	BendyBear has decrypted function blocks using a XOR key during runtime to evade detection.^[1]
Enterprise	T1573	.001	Encrypted Channel: Symmetric Cryptography	BendyBear communicates to a C2 server over port 443 using modified RC4 and XOR-encrypted chunks.^[1]
Enterprise	T1105		Ingress Tool Transfer	BendyBear is designed to download an implant from a C2 server.^[1]
Enterprise	T1106		Native API	BendyBear can load and execute modules and Windows Application Programming (API) calls using standard shellcode API hashing.^[1]
Enterprise	T1571		Non-Standard Port	BendyBear has used a custom RC4 and XOR encrypted protocol over port 443 for C2.^[1]
Enterprise	T1027		Obfuscated Files or Information	BendyBear has encrypted payloads using RC4 and XOR.^[1]
Enterprise	T1012		Query Registry	BendyBear can query the host's Registry key at `HKEY_CURRENT_USER\Console\QuickEdit` to retrieve data.^[1]
Enterprise	T1124		System Time Discovery	BendyBear has the ability to determine local time on a compromised host.^[1]
Enterprise	T1497	.003	Virtualization/Sandbox Evasion: Time Based Evasion	BendyBear can check for analysis environments and signs of debugging using the Windows API `kernel32!GetTickCountKernel32` call.^[1]

References

Harbison, M. (2021, February 9). BendyBear: Novel Chinese Shellcode Linked With Cyber Espionage Group BlackTech. Retrieved February 16, 2021.

BendyBear

Enterprise Layer

Techniques Used

References