Tool: BendyBear
Names: BendyBear
Description: (Palo Alto) The BendyBear sample was determined to be x64 shellcode for a stage-zero implant whose sole function is to download a more robust implant from a command and control (C2) server. Shellcode, despite its name, is used to describe the small piece of code loaded onto the target immediately following exploitation, regardless of whether or not it actually spawns a command shell. At 10,000+ bytes, BendyBear is noticeably larger than most, and uses its size to implement advanced features and anti-analysis techniques, such as modified RC4 encryption, signature block verification, and polymorphic code.
Category: Malware
Type: Backdoor
Information: https://unit42.paloaltonetworks.com/bendybear-shellcode-blacktech/
Mitre-attack: https://attack.mitre.org/software/S0574/
Playbook: https://pan-unit42.github.io/playbook_viewer/?pb=bendybear
Last-card-change: 2022-12-30
Source: https://apt.etda.or.th/cgi-bin/listtools.cgi
Tactic | Technique | Description |
---|---|---|
TA0002 Execution | T1106 Native API | BendyBear can load and execute modules and Windows application programming interface (API) calls using standard shellcode API hashing. |
TA0005 Defense Evasion | T1140 Deobfuscate/Decode Files or Information | BendyBear has decrypted function blocks using an XOR key during runtime to evade detection. |
TA0005 Defense Evasion, TA0007 Discovery | T1497.003 Virtualization/Sandbox Evasion: Time Based Evasion | BendyBear can check for analysis environments and signs of debugging using the Windows API kernel32!GetTickCount call. |
TA0007 Discovery | T1012 Query Registry | BendyBear can query the host's registry key at HKEY_CURRENT_USER\Console\QuickEdit to retrieve data. |
TA0011 Command and Control | T1573.001 Encrypted Channel: Symmetric Cryptography | BendyBear communicates with a C2 server over port 443 using modified RC4 and XOR-encrypted chunks. |
TA0011 Command and Control | T1571 Non-Standard Port | BendyBear has used a custom RC4 and XOR-encrypted protocol over port 443 for C2. |
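The shellcode API hashing referenced under T1106, shown both as the stager resolves it at runtime and as an analyst reverses the embedded constants. This is an added example, not code from BendyBear, Unit42 or MITRE: the page does not document BendyBear's hash function, so the scheme below is an assumption, namely the ROR13 variant used by Metasploit's block_api (module name uppercased as UTF-16LE including its two-byte terminator, export name as ASCII including the NUL, both 32-bit hashes summed modulo 2^32). The export table is a constructed subset standing in for the PEB module list and export directories, and 0xDEADBEEF is a made-up constant used to show an unresolved hash.

```python
"""Shellcode-style API hashing (T1106) and its analyst-side reversal.

Added example, not code from BendyBear or Unit42. Hash scheme assumed: the
ROR13 variant of Metasploit's block_api. Module names are hashed as uppercased
UTF-16LE including the 2-byte terminator (the loader entry's MaximumLength),
export names as ASCII including the NUL, and the two values are summed mod 2^32.
"""
from typing import Dict, List, Optional, Tuple

MASK32 = 0xFFFFFFFF


def ror13(value: int) -> int:
    """Rotate a 32-bit value right by 13 bits (the `ror r9d, 13` in the stub)."""
    value &= MASK32
    return ((value >> 13) | (value << 19)) & MASK32


def hash_bytes(data: bytes) -> int:
    """h = ror13(h) + byte over every byte: the loop the shellcode runs."""
    h = 0
    for b in data:
        h = (ror13(h) + b) & MASK32
    return h


def module_hash(name: str) -> int:
    """Hash of a module's BaseDllName as stored in the PEB (UTF-16LE),
    uppercased, with the 2-byte terminator included."""
    return hash_bytes(name.upper().encode("utf-16-le") + b"\x00\x00")


def function_hash(name: str) -> int:
    """Hash of an ASCII export name including the terminating NUL."""
    return hash_bytes(name.encode("ascii") + b"\x00")


def api_hash(module: str, function: str) -> int:
    """The single constant the shellcode embeds instead of the two strings."""
    return (module_hash(module) + function_hash(function)) & MASK32


# Constructed stand-in for what the shellcode sees at runtime: loaded modules
# and each one's export name table. Real shellcode walks
# PEB->Ldr->InMemoryOrderModuleList and IMAGE_EXPORT_DIRECTORY instead.
EXPORTS: Dict[str, List[str]] = {
    "ntdll.dll": ["NtAllocateVirtualMemory", "RtlGetVersion"],
    "kernel32.dll": ["LoadLibraryA", "GetProcAddress", "VirtualAlloc",
                     "GetTickCount", "ExitProcess", "CreateThread"],
    "ws2_32.dll": ["WSAStartup", "WSASocketA", "connect", "recv", "send"],
}


def resolve(target: int,
            exports: Dict[str, List[str]] = EXPORTS) -> Optional[Tuple[str, str]]:
    """Runtime side: walk modules and exports until a name hashes to `target`.
    No string is ever compared, which is why the stager carries no API names.
    Returns (module, function), or None when nothing loaded matches."""
    for module, names in exports.items():
        mh = module_hash(module)
        for fn in names:
            if (mh + function_hash(fn)) & MASK32 == target:
                return module, fn
    return None


def recover(hashes: List[int],
            exports: Dict[str, List[str]] = EXPORTS) -> Dict[int, str]:
    """Analyst side: precompute every module!export hash and label constants
    pulled from a sample. A constant that stays unresolved means either a
    module/export missing from the list or a different hash algorithm."""
    table = {api_hash(m, fn): f"{m}!{fn}"
             for m, names in exports.items() for fn in names}
    return {h: table.get(h, "<unresolved>") for h in hashes}


if __name__ == "__main__":
    # 0x0726774C is the well-known block_api constant for kernel32!LoadLibraryA;
    # 0xDEADBEEF is a made-up value to show the unresolved case.
    seen = [0x0726774C, api_hash("kernel32.dll", "GetTickCount"), 0xDEADBEEF]
    for h, name in recover(seen).items():
        print(f"{h:#010x} -> {name}")
```

When triaging a real stager, the constants sit next to the call into the resolver stub; running them through recover() with an export list dumped from the target Windows build labels them. If well-known constants such as 0x0726774C do not come back as kernel32.dll!LoadLibraryA, the sample's hash routine differs from the assumed one and has to be lifted from the disassembly first.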