Track Common Adversary Tasks Performed Using BendyBear

 



To know more about it, you can go through my detailed document by clicking here








Overview

BendyBear, an x64 shellcode used for a stage-zero implant that's designed to download malware from a C2 server, was first detected in 2020 and also shares some of its features with Waterbear.

Capabilities

Some of the important capabilities of BendyBear are:
  • It can easily transmit payloads into modified RC4-encrypted chunks because one RC4 key can't decrypt the entire payload. 

  • It's very difficult to detect as it can perfectly hide from cybersecurity by checking its environment for signs of debugging.

  • It can clear the host's DNS cache whenever it tries to communicate with C2 server, hence, resolving the current IP address of the malicious C2 domain every time.

  • Exclusive session keys are generated for every C2 server connection.

  • As it uses polymorphic code, it can completely change its runtime footprint during code execution in order to thwart memory analysis and avoid sign signaturing.

  • It regularly encrypt or decrypt function blocks as required to avoid detection.

  • It makes use of Position Independent Code (PIC) to throw off static analysis tools.

Prevention

The following measures might help in mitigating the cyber threat:
  • Regularly review as well as update the existing security rulesets. 
  • Block unknown outbound TCP traffic in security policies whenever required.
  • Always update the software and mitigate any identified vulenarbilities.
  • You can also enhance perimeter and endpoint defense with the help of the techniques like whitelisting, behavior analysis, and sandboxing via advanced endpoint & network security solutions.







To know more about it, you can go through my detailed document by clicking here









































Comments

Popular posts from this blog

Deployment (Part 3)

Deployment (Part 1)

Project Resourcing (Part 2)