WaterBear: The Malware

WaterBear

A number of Taiwanese government entities have recently been targeted by a fresh Waterbear campaign in sophisticated cyberattacks. Associated with the BlackTech threat group, the malware has been observed reusing leftovers from previous attacks on the same targets in April 2020 that had not been fully eradicated.

Researchers at CyCraft report that the latest Waterbear malware features different capabilities, allowing the Waterbear loader to deploy additional malicious packages.

  • The campaign has leveraged a vulnerability in a common and trusted Data Loss Prevention (DLP) tool to load the Waterbear malware, perform DLL hijacking, and stealthily trigger next-stage malware.
  • With a decade-old antivirus evasion technique known as Heaven's Gate, the attackers have been tricking Windows into hiding Waterbear's network behavior from security engines and bypassing their inspection.
  • In addition, the attackers used an enlarged binary size to bypass scanning altogether, forced DLLs to unload to obfuscate the malware, and padded memory with Kernel32 content to confuse analysis.
  • The threat actor leveraged the Windows IKEEXT service, as well as system services such as Winmgmt, the System Event Notification Service (SENS), Wuauserv, and LanmanServer, in their attacks.
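As an added defender-side example (not from the original post or from CyCraft), the following Python triage check searches a binary for the two common Heaven's Gate code sequences that switch 32-bit code to the 64-bit code segment, and flags files large enough to exceed typical scan limits; the patterns are the well-known public signatures, and the size threshold is an assumption to tune per engine.

```python
import re

# Byte patterns for the two common Heaven's Gate entry sequences (32-bit code
# transferring control to code segment selector 0x33, the 64-bit segment):
#   EA <abs32> 33 00                    jmp far 0x33:<addr>
#   6A 33 E8 00 00 00 00 83 04 24 05 CB push 0x33 ; call $+5 ;
#                                       add dword [esp], 5 ; retf
HEAVENS_GATE_PATTERNS = {
    "far_jmp_to_cs33": re.compile(rb"\xEA[\x00-\xFF]{4}\x33\x00"),
    "push33_call_retf": re.compile(
        rb"\x6A\x33\xE8\x00\x00\x00\x00\x83\x04\x24\x05\xCB"
    ),
}

# Assumed threshold: many engines skip or truncate scans of very large files;
# the real cut-off is engine specific, so treat this as a tunable heuristic.
LARGE_FILE_BYTES = 100 * 1024 * 1024


def find_heavens_gate(data: bytes) -> list:
    """Return (pattern_name, offset) for every Heaven's Gate sequence in data."""
    hits = []
    for name, pattern in HEAVENS_GATE_PATTERNS.items():
        for match in pattern.finditer(data):
            hits.append((name, match.start()))
    return sorted(hits, key=lambda hit: hit[1])


def triage(data: bytes, size_limit: int = LARGE_FILE_BYTES) -> dict:
    """Combine the gate signatures with the oversized-binary heuristic."""
    hits = find_heavens_gate(data)
    oversized = len(data) > size_limit
    return {
        "heavens_gate": hits,
        "oversized": oversized,
        "suspicious": bool(hits) or oversized,
    }


# Constructed sample: NOP filler around an embedded push/call/retf stub,
# followed by INT3 padding. Not a real Waterbear artifact.
SAMPLE = (
    b"\x90" * 16
    + b"\x6A\x33\xE8\x00\x00\x00\x00\x83\x04\x24\x05\xCB"
    + b"\xCC" * 8
)

if __name__ == "__main__":
    print(triage(SAMPLE))
```

Run it over a dropped DLL or memory dump to get a quick first-pass verdict before deeper analysis; a hit is a lead, not proof, since legitimate WoW64 components also contain such transitions.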

Precautions

The chances of success for malware campaigns have been increasing as they become stealthier. Experts advise adding the listed IOCs to blacklists in detection and response solutions. Organizations and users are recommended to use firewalls, antivirus, and DLP solutions, as well as AI-driven detection and response solutions, to increase SOC efficiency, automate investigations, and reduce alert fatigue.
