S0579 Waterbear
Waterbear is modular malware attributed to BlackTech that has been used primarily for lateral movement, decrypting, and triggering payloads, and is capable of hiding network behaviors. [1]
| Item | Value |
|---|---|
| ID | S0579 |
| Associated Names | |
| Type | MALWARE |
| Version | 1.1 |
| Created | 22 February 2021 |
| Last Modified | 25 March 2022 |
Techniques Used
| Domain | ID | Name | Use |
|---|---|---|---|
| enterprise | T1140 | Deobfuscate/Decode Files or Information | Waterbear has the ability to decrypt its RC4-encrypted payload for execution. [1] |
| enterprise | T1574 | Hijack Execution Flow | - |
| enterprise | T1574.002 | DLL Side-Loading | Waterbear has used DLL side-loading to import and load a malicious DLL loader. [1] |
| enterprise | T1562 | Impair Defenses | - |
| enterprise | T1562.006 | Indicator Blocking | Waterbear can hook the ZwOpenProcess and GetExtendedTcpTable APIs called by the process of a security product to hide PIDs and TCP records from detection. [1] |
| enterprise | T1105 | Ingress Tool Transfer | Waterbear can receive and load executables from remote C2 servers. [1] |
| enterprise | T1112 | Modify Registry | Waterbear has deleted certain values from the Registry to load a malicious DLL. [1] |
| enterprise | T1106 | Native API | Waterbear can leverage API functions for execution. [1] |
| enterprise | T1027 | Obfuscated Files or Information | Waterbear has used RC4-encrypted shellcode and encrypted functions. [1] |
| enterprise | T1027.005 | Indicator Removal from Tools | Waterbear can scramble, with random values, functions that are not to be executed again. [1] |
| enterprise | T1057 | Process Discovery | Waterbear can identify the process of a specific security product. [1] |
| enterprise | T1055 | Process Injection | Waterbear can inject decrypted shellcode into the LanmanServer service. [1] |
| enterprise | T1055.003 | Thread Execution Hijacking | Waterbear can use thread injection to inject shellcode into the process of security software. [1] |
| enterprise | T1012 | Query Registry | Waterbear can query the Registry key "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MSDTC\MTxOCI" to check whether the value OracleOcilib exists. [1] |
| enterprise | T1518 | Software Discovery | - |
| enterprise | T1518.001 | Security Software Discovery | Waterbear can detect the presence of specific security software. [1] |
| enterprise | T1049 | System Network Connections Discovery | Waterbear can use API hooks on GetExtendedTcpTable to retrieve a table containing a list of TCP endpoints available to the application. [1] |
Groups That Use This Software
| ID | Name | References |
|---|---|---|
| G0098 | BlackTech | [1] |