Network spy virus Waterbear has a new variant, with its own anti-virus function

2020/01/03 12:50:08



BlackTech is a cyber espionage group that mainly targets technology companies and government agencies in East Asia (especially Taiwan, China, Hong Kong and Japan), and it is considered to be the operator behind the malware "Waterbear".

Waterbear is a modular malware family that has existed for many years. Its loader module can perform different functions by downloading payloads from a command and control (C2) server. In most cases, the payload is a backdoor that can receive and load further modules.

Recently, the network security company Trend Micro captured a new variant of Waterbear. Its loader module not only downloads the first-stage backdoor, but also downloads a payload that injects code into a specific security product for API hooking, in order to hide the malicious behaviour of the first-stage backdoor.

The old version of Waterbear

As mentioned above, Waterbear has a modular structure: a loader module (a DLL file) decrypts and executes an RC4-encrypted payload. Generally, the payload is the first-stage backdoor, which is used to receive and load other executable files from the attacker. According to their function, first-stage backdoors can be roughly divided into two types: the first connects to the C2 server; the second listens on a specific port.


Figure 1. Typical Waterbear infection chain

As shown in the figure above, a typical Waterbear infection starts with a malicious DLL loader, and the techniques used to trigger it also fall into two types: the first modifies a legitimate server application so that it imports and loads the DLL loader; the second uses phantom DLL hijacking and DLL side-loading.

In order to avoid security detection, the payload keeps all of its function blocks encrypted before executing the actual malicious routine; it decrypts a function only when that function is needed, executes it, and then encrypts the function again.


Figure 2. Decryption-execution-encryption function

The new version of Waterbear

Unlike the previous version, the new version of Waterbear captured by Trend Micro this time loads two payloads. The first payload injects code into a specific security product for API hooking to hide the malware's activity, while the second payload is a typical Waterbear first-stage backdoor.


Figure 3. New Waterbear infection chain

Both payloads are encrypted, stored on the disk of the infected computer, and injected into the same service (such as LanmanServer).

Trend Micro said that the loader of the new version of Waterbear first tries to read the payloads from their files on disk, then decrypts them, and performs thread injection according to the following conditions:

1. If the first payload is not found on disk, the loading procedure is terminated without loading the second payload (that is, the first-stage backdoor).

2. If the first payload is successfully decrypted and injected into the service, then regardless of what happens in the first injected thread, the second payload is also loaded and injected.

3. In the first injected thread, if the required executable file of the specific security product cannot be found, the thread is terminated without executing any other malicious routine. It should be noted that only the thread is terminated; the service itself keeps running.

In order to hide the first-stage backdoor, the first payload uses API hooking to evade detection by a specific security product. Specifically, it hooks two different APIs, "ZwOpenProcess" and "GetExtendedTcpTable", so that a specific process is hidden from the product.


Figure 4. "ZwOpenProcess" function hook, used to check and modify the output of the function


Figure 5. The modified "ZwOpenProcess"
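From the defender's side, the hooks shown in Figures 4 and 5 are patches to the first bytes of an exported function, so an integrity check that compares a function's in-memory prologue with the copy on disk will catch them. The following C is an added example (not Trend Micro's analysis code and not the malware's) that runs that comparison on constructed byte samples and also covers a second common inline-hook form (mov rax, imm64; jmp rax) that the article does not mention; the syscall stub bytes, module range and addresses are assumed, illustrative values.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

enum hook_kind { HOOK_NONE, HOOK_JMP_REL32, HOOK_MOV_RAX_JMP, HOOK_JMP_RIP_INDIRECT, HOOK_UNKNOWN };

/* Constructed sample: first 24 bytes of an x64 Nt/Zw syscall stub as read from the
 * module file on disk (the syscall number 0x26 is illustrative, not a claim about any build). */
const uint8_t STUB_DISK[24] = {
    0x4C,0x8B,0xD1, 0xB8,0x26,0x00,0x00,0x00, 0xF6,0x04,0x25,0x08,0x03,0xFE,0x7F,0x01,
    0x75,0x03, 0x0F,0x05, 0xC3, 0xCD,0x2E, 0xC3 };
/* Same stub in memory after a 5-byte inline hook: jmp rel32, displacement 0x0FFFFFFB. */
const uint8_t STUB_HOOKED_JMP[24] = {
    0xE9,0xFB,0xFF,0xFF,0x0F, 0x00,0x00,0x00, 0xF6,0x04,0x25,0x08,0x03,0xFE,0x7F,0x01,
    0x75,0x03, 0x0F,0x05, 0xC3, 0xCD,0x2E, 0xC3 };
/* Same stub after a 12-byte hook: mov rax, imm64 ; jmp rax (imm64 = 0x000001E000001000). */
const uint8_t STUB_HOOKED_MOV[24] = {
    0x48,0xB8, 0x00,0x10,0x00,0x00,0xE0,0x01,0x00,0x00, 0xFF,0xE0,
    0x03,0xFE,0x7F,0x01, 0x75,0x03, 0x0F,0x05, 0xC3, 0xCD,0x2E, 0xC3 };

/* Constructed addresses: image range of the exporting module and the stub's address. */
#define MODULE_BASE 0x00007FFB12300000ULL
#define MODULE_SIZE 0x00000000001F0000ULL
#define FUNC_VA     0x00007FFB12340000ULL

/* Compare the in-memory prologue with the on-disk copy and classify any patch. */
enum hook_kind classify_prologue(const uint8_t *mem, const uint8_t *disk, size_t n) {
    if (memcmp(mem, disk, n) == 0) return HOOK_NONE;
    if (n >= 5 && mem[0] == 0xE9) return HOOK_JMP_REL32;                  /* jmp rel32 */
    if (n >= 12 && mem[0] == 0x48 && mem[1] == 0xB8 && mem[10] == 0xFF && mem[11] == 0xE0)
        return HOOK_MOV_RAX_JMP;                                            /* mov rax,imm64; jmp rax */
    if (n >= 6 && mem[0] == 0xFF && mem[1] == 0x25) return HOOK_JMP_RIP_INDIRECT; /* jmp [rip+disp32] */
    return HOOK_UNKNOWN;
}

/* Where the patched prologue transfers control (0 if the form is not decoded here).
 * Assumes a little-endian host, as on the x64 systems where these stubs live. */
uint64_t hook_target(uint64_t func_va, const uint8_t *mem, enum hook_kind k) {
    if (k == HOOK_JMP_REL32) { int32_t d; memcpy(&d, mem + 1, 4); return func_va + 5 + (int64_t)d; }
    if (k == HOOK_MOV_RAX_JMP) { uint64_t imm; memcpy(&imm, mem + 2, 8); return imm; }
    return 0;
}

/* The alert condition: control leaves the exporting module for memory that is not
 * backed by its image, which is what an injected hook like the one described above looks like. */
int target_outside_module(uint64_t target, uint64_t base, uint64_t size) {
    return target != 0 && (target < base || target >= base + size);
}
```

On a live system the same check is run over every export of ntdll.dll and iphlpapi.dll, with the "disk" bytes taken from the mapped file after applying relocations.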

Conclusion

Trend Micro said that this is the first time they have observed Waterbear trying to hide its backdoor activity.

Based on the hard-coded security product names, Trend Micro believes the attackers have a good understanding of the security products used by the victims, and even of how those products collect information on client endpoints and on the network; only with that knowledge could they know which APIs to hook.

In addition, because the API hooking shellcode uses a generic method, the attackers may later use similar code to deal with other security products, making Waterbear activity even harder to detect.
