'Waterbear' Employs API Hooking to Hide Malicious Behavior

The long-standing Waterbear campaign has returned with new evasion capabilities, employing API hooking techniques to hide its network behavior from security products, Trend Micro reports.


Waterbear has been associated with the BlackTech cyberespionage group, which ESET observed earlier this year abusing an ASUS update process to deliver malware. Waterbear is mainly characterized by the use of modular malware and the ability to add functionality remotely.


A new Waterbear campaign, Trend Micro’s security researchers explain, has revealed the use of API hooking to hide network behavior from a specific security vendor that is based in the APAC region, in line with BlackTech’s targeted countries.


The use of this technique shows that the attackers are familiar with how certain security products harvest information and also suggests that the technique might be used to target other products as well in the future.
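The hiding technique the article describes rests on patching the entry of an API function so that a security product's call into it is redirected before the real code runs. One defensive check is to compare the first bytes of each exported function as they appear in process memory with the same bytes from the module on disk, and to classify any difference by the trampoline pattern it matches. The following detector is an added example written for this summary, not code from Trend Micro's report or from Waterbear; the export names and byte sequences in `SAMPLE_DISK` and `SAMPLE_MEMORY` are constructed, and the assumption that the hooks are inline prologue patches (rather than import-table rewrites) is mine.

```python
# Added example, not from the original article: a minimal inline-hook scanner.
# It compares the prologue of each exported function as read from the module
# on disk against the prologue as read from process memory, and labels any
# difference by the trampoline pattern found. The sample bytes below are
# constructed for illustration and are not real ws2_32.dll code.

from dataclasses import dataclass
from typing import Dict, List, Optional

PROLOGUE_LEN = 16  # bytes of each function entry to compare


def classify_hook(mem: bytes) -> Optional[str]:
    """Label common x86/x64 redirection stubs at a function entry, else None."""
    if mem[:1] == b"\xE9":                                     # JMP rel32
        return "jmp_rel32"
    if mem[:2] == b"\xFF\x25":                                 # JMP [rip+disp32] / JMP [abs]
        return "jmp_indirect"
    if mem[:2] == b"\x48\xB8" and mem[10:12] == b"\xFF\xE0":   # MOV RAX, imm64; JMP RAX
        return "mov_rax_jmp"
    if mem[:1] == b"\x68" and mem[5:6] == b"\xC3":             # PUSH imm32; RET
        return "push_ret"
    return None


@dataclass
class Finding:
    export: str      # name of the exported function
    kind: str        # trampoline label or "modified_prologue"
    disk: bytes      # prologue bytes from the file on disk
    memory: bytes    # prologue bytes observed in memory


def scan_exports(disk: Dict[str, bytes], memory: Dict[str, bytes]) -> List[Finding]:
    """Return one Finding per export whose in-memory prologue differs from disk."""
    findings: List[Finding] = []
    for name, disk_bytes in disk.items():
        mem_bytes = memory.get(name)
        if mem_bytes is None:
            continue  # export not mapped; nothing to compare
        d, m = disk_bytes[:PROLOGUE_LEN], mem_bytes[:PROLOGUE_LEN]
        if d == m:
            continue  # unmodified entry
        findings.append(Finding(name, classify_hook(m) or "modified_prologue", d, m))
    return findings


# Constructed sample (hypothetical export names and bytes, not real library code).
SAMPLE_DISK = {
    "send":    bytes.fromhex("4883ec28488b05000000004885c07405"),
    "recv":    bytes.fromhex("4053488d6c24e04881ecc0000000488b"),
    "connect": bytes.fromhex("488bc4565741564883ec60488b05d0ff"),
}
SAMPLE_MEMORY = {
    # "send" has a 5-byte JMP rel32 patched over its entry
    "send":    b"\xE9\x10\x20\x30\x40" + SAMPLE_DISK["send"][5:],
    # "recv" is untouched
    "recv":    SAMPLE_DISK["recv"],
    # "connect" has a MOV RAX, imm64; JMP RAX stub (placeholder address of zeros)
    "connect": b"\x48\xB8" + bytes(8) + b"\xFF\xE0" + SAMPLE_DISK["connect"][12:],
}


if __name__ == "__main__":
    for f in scan_exports(SAMPLE_DISK, SAMPLE_MEMORY):
        print(f"{f.export}: {f.kind} disk={f.disk.hex()} mem={f.memory.hex()}")
```

On a live system the two byte maps would be filled from the export table of the module file and from the same addresses in the monitored process; the comparison logic does not change. A `modified_prologue` result with no recognised stub still deserves attention, since it means the function entry differs from the signed file without matching a known pattern.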


Waterbear uses a DLL loader to decrypt and execute an RC4-encrypted payload, which is normally a first-stage backdoor that can fetch and run other payloads. These backdoors either connect to a command and control (C&C) server or listen on a specific port.


In some attacks, the hardcoded file paths of the encrypted payloads suggest that the attackers have knowledge of their targets’ environments, and Trend Micro believes that Waterbear might be used to maintain presence after gaining access to the targets’ systems.


Two different DLL loader triggers were observed in Waterbear infections, one altering a legitimate server application to import and load the loader, and another employing phantom DLL hijacking and DLL side loading.


After execution, the Waterbear DLL loader searches for a ha ..
