S0574 BendyBear

BendyBear is an x64 shellcode for a stage-zero implant designed to download malware from a C2 server. First discovered in August 2020, BendyBear shares a variety of features with Waterbear, malware previously attributed to the Chinese cyber espionage group BlackTech.¹

Item	Value
ID	S0574
Associated Names
Type	MALWARE
Version	1.0
Created	16 February 2021
Last Modified	21 April 2021
Navigation Layer	View In ATT&CK® Navigator

Techniques Used

Domain	ID	Name	Use
enterprise	T1001	Data Obfuscation	-
enterprise	T1001.001	Junk Data	BendyBear has used byte randomization to obscure its behavior.¹
enterprise	T1140	Deobfuscate/Decode Files or Information	BendyBear has decrypted function blocks using a XOR key during runtime to evade detection.¹
enterprise	T1573	Encrypted Channel	-
enterprise	T1573.001	Symmetric Cryptography	BendyBear communicates to a C2 server over port 443 using modified RC4 and XOR-encrypted chunks.¹
enterprise	T1105	Ingress Tool Transfer	BendyBear is designed to download an implant from a C2 server.¹
enterprise	T1106	Native API	BendyBear can load and execute modules and Windows Application Programming (API) calls using standard shellcode API hashing.¹
enterprise	T1571	Non-Standard Port	BendyBear has used a custom RC4 and XOR encrypted protocol over port 443 for C2.¹
enterprise	T1027	Obfuscated Files or Information	BendyBear has encrypted payloads using RC4 and XOR.¹
enterprise	T1012	Query Registry	BendyBear can query the host’s Registry key at `HKEY_CURRENT_USER\Console\QuickEdit` to retrieve data.¹
enterprise	T1124	System Time Discovery	BendyBear has the ability to determine local time on a compromised host.¹
enterprise	T1497	Virtualization/Sandbox Evasion	-
enterprise	T1497.003	Time Based Evasion	BendyBear can check for analysis environments and signs of debugging using the Windows API `kernel32!GetTickCountKernel32` call.¹

References

Harbison, M. (2021, February 9). BendyBear: Novel Chinese Shellcode Linked With Cyber Espionage Group BlackTech. Retrieved February 16, 2021. ↩↩↩↩↩↩↩↩↩↩↩