Skip to content

S0579 Waterbear

Waterbear is modular malware attributed to BlackTech that has been used primarily for lateral movement, decrypting, and triggering payloads and is capable of hiding network behaviors.1

Item Value
ID S0579
Associated Names
Version 1.1
Created 22 February 2021
Last Modified 25 March 2022
Navigation Layer View In ATT&CK® Navigator

Techniques Used

Domain ID Name Use
enterprise T1140 Deobfuscate/Decode Files or Information Waterbear has the ability to decrypt its RC4 encrypted payload for execution.1
enterprise T1574 Hijack Execution Flow -
enterprise T1574.002 DLL Side-Loading Waterbear has used DLL side loading to import and load a malicious DLL loader.1
enterprise T1562 Impair Defenses -
enterprise T1562.006 Indicator Blocking Waterbear can hook the ZwOpenProcess and GetExtendedTcpTable APIs called by the process of a security product to hide PIDs and TCP records from detection.1
enterprise T1105 Ingress Tool Transfer Waterbear can receive and load executables from remote C2 servers.1
enterprise T1112 Modify Registry Waterbear has deleted certain values from the Registry to load a malicious DLL.1
enterprise T1106 Native API Waterbear can leverage API functions for execution.1
enterprise T1027 Obfuscated Files or Information Waterbear has used RC4 encrypted shellcode and encrypted functions.1
enterprise T1027.005 Indicator Removal from Tools Waterbear can scramble functions not to be executed again with random values.1
enterprise T1057 Process Discovery Waterbear can identify the process for a specific security product.1
enterprise T1055 Process Injection Waterbear can inject decrypted shellcode into the LanmanServer service.1
enterprise T1055.003 Thread Execution Hijacking Waterbear can use thread injection to inject shellcode into the process of security software.1
enterprise T1012 Query Registry Waterbear can query the Registry key “HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MSDTC\MTxOCI” to see if the value OracleOcilib exists.1
enterprise T1518 Software Discovery -
enterprise T1518.001 Security Software Discovery Waterbear can find the presence of a specific security software.1
enterprise T1049 System Network Connections Discovery Waterbear can use API hooks on GetExtendedTcpTable to retrieve a table containing a list of TCP endpoints available to the application.1

Groups That Use This Software

ID Name References
G0098 BlackTech 1