BendyBear

Malware updated 4 months ago (2024-05-05T06:17:34.562Z)
BendyBear is a sophisticated x64 shellcode malware that requires a loader or code injection for deployment. It contains advanced features not typically found in shellcode, making it a potent threat to computer systems. BendyBear, along with other malware strains such as Bifrose, SpiderPig, and WaterBear, has been used to target operating systems including Windows, Linux, and FreeBSD. The threat actor behind these attacks uses custom, regularly updated malware and remote access trojans such as BendyBear, FakeDead, and FlagPro, and employs dual-use tools and living-off-the-land tactics, such as disabling logging on routers, to conceal its operations. Unlike WaterBear, BendyBear does not implement API hooking, a technique malware uses to alter the behavior of APIs in order to evade detection. Both BendyBear and WaterBear use a modified RC4 encryption, but each implements it slightly differently. WaterBear can filter or hide network traffic and processes via API hooking; BendyBear lacks this capability, indicating different operational strategies between the two families. The advisory has attributed a wide range of backdoors to BendyBear, including BIFROSE (aka Bifrost), Consock, KIVARS, PLEAD, TSCookie (aka FakeDead), XBOW, and WaterBear (aka DBGPRINT). Custom malware families used by the group include BendyBear, Bifrose, BTSDoor, FakeDead (a.k.a. TSCookie), FlagPro, FrontShell (FakeDead's downloader module), IconDown, PLEAD, SpiderPig, SpiderSpring, SpiderStack, and WaterBear. The group also uses Windows utilities for its own purposes, a technique known as "living off the land."
Description last updated: 2024-05-05T05:19:11.371Z
Possible Aliases / Cluster overlaps
It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at.
Profile (votes): description
Fakedead (3 votes): FakeDead, also known as TSCookie, is a potent malware that has been linked to a series of backdoors including BendyBear, BIFROSE (or Bifrost), Consock, KIVARS, PLEAD, XBOW, and Waterbear (also known as DBGPRINT). This malicious software infiltrates systems typically through suspicious downloads, ema
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Malware
Associated Malware
Profile (type, votes): description
Waterbear (type unspecified, 3 votes): WaterBear is a sophisticated form of malware, known for its ability to exploit and damage computer systems. It infiltrates systems through suspicious downloads, emails, or websites, often unbeknownst to the user. Once inside, it can steal personal information, disrupt operations, or hold data hostag
TSCookie (type unspecified, 2 votes): TSCookie is a malware that has been associated with various backdoors such as BendyBear, BIFROSE (Bifrost), Consock, KIVARS, PLEAD, XBOW, and Waterbear (DBGPRINT). It's also known as FakeDead and is used in conjunction with other tools like BendyBear and Flagpro by BlackTech, an advanced persistent
Flagpro (type unspecified, 2 votes): Flagpro is a malicious software (malware) used by threat actors to exploit and damage computer systems. The malware was first observed in attacks against Japan in October 2020, with new versions using the Microsoft Foundation Class (MFC) library identified by Security Operations Centers (SOCs) in Ju
Source Document References
Information about the BendyBear malware was read from the documents in the corpus below. This display is limited to 20 results.
Source (created): title
CERT-EU (a year ago): Government-sponsored Chinese hackers are "hiding" inside Cisco routers
CERT-EU (a year ago): Chinese 'BlackTech' hackers backdoor Cisco routers to breach orgs in the US, Japan
CERT-EU (a year ago): China's BlackTech Hacking Group Exploited Routers to Target U.S. and Japanese Companies
Securityaffairs (a year ago): China-linked APT BlackTech was spotted hiding in Cisco router firmware
BankInfoSecurity (a year ago): Chinese Hackers Target Routers in IP Theft Campaign
MITRE (2 years ago): BendyBear: Novel Chinese Shellcode Linked With Cyber Espionage Group BlackTech