Skip to content

S0574 BendyBear

BendyBear is an x64 shellcode for a stage-zero implant designed to download malware from a C2 server. First discovered in August 2020, BendyBear shares a variety of features with Waterbear, malware previously attributed to the Chinese cyber espionage group BlackTech.1

Item Value
ID S0574
Associated Names
Version 1.0
Created 16 February 2021
Last Modified 21 April 2021
Navigation Layer View In ATT&CK® Navigator

Techniques Used

Domain ID Name Use
enterprise T1001 Data Obfuscation -
enterprise T1001.001 Junk Data BendyBear has used byte randomization to obscure its behavior.1
enterprise T1140 Deobfuscate/Decode Files or Information BendyBear has decrypted function blocks using a XOR key during runtime to evade detection.1
enterprise T1573 Encrypted Channel -
enterprise T1573.001 Symmetric Cryptography BendyBear communicates to a C2 server over port 443 using modified RC4 and XOR-encrypted chunks.1
enterprise T1105 Ingress Tool Transfer BendyBear is designed to download an implant from a C2 server.1
enterprise T1106 Native API BendyBear can load and execute modules and Windows Application Programming (API) calls using standard shellcode API hashing.1
enterprise T1571 Non-Standard Port BendyBear has used a custom RC4 and XOR encrypted protocol over port 443 for C2.1
enterprise T1027 Obfuscated Files or Information BendyBear has encrypted payloads using RC4 and XOR.1
enterprise T1012 Query Registry BendyBear can query the host’s Registry key at HKEY_CURRENT_USER\Console\QuickEdit to retrieve data.1
enterprise T1124 System Time Discovery BendyBear has the ability to determine local time on a compromised host.1
enterprise T1497 Virtualization/Sandbox Evasion -
enterprise T1497.003 Time Based Evasion BendyBear can check for analysis environments and signs of debugging using the Windows API kernel32!GetTickCountKernel32 call.1