BendyBear

Malware updated 23 days ago (2024-11-29T14:03:50.252Z)
Download STIX
Preview STIX
BendyBear is a sophisticated x64 shellcode malware that requires loader or code injection for deployment. It contains advanced features not typically found in shellcode, making it a potent threat to computer systems. BendyBear, along with other specific malware strains such as Bifrose, SpiderPig, and WaterBear, has been used to target various operating systems including Windows, Linux, and FreeBSD. The threat actor behind these attacks uses custom, regularly updated malware and remote access trojans like BendyBear, FakeDead, and FlagPro, employing dual-use tools and living-off-the-land tactics, such as disabling logging on routers, to conceal their operations. In comparison to other malwares like WaterBear, BendyBear does not implement API hooking, a technique used by malware to alter the behavior of APIs, thus evading detection. Both BendyBear and WaterBear use a modified RC4 encryption, however, they implement it slightly differently. Unlike WaterBear, which can filter or hide network traffic and processes via API hooking, BendyBear does not support this capability, indicating different operational strategies between the two malwares. The advisory has attributed a wide range of backdoors to BendyBear, including BIFROSE (aka Bifrost), Consock, KIVARS, PLEAD, TSCookie (aka FakeDead), XBOW, and WaterBear (aka DBGPRINT). Custom malware families used by the group include BendyBear, Bifrose, BTSDoor, FakeDead (a.k.a. TSCookie), FlagPro, FrontShell (FakeDead’s downloader module), IconDown, PLEAD, SpiderPig, SpiderSpring, SpiderStack, WaterBear. The group also utilizes Windows utilities for its own purposes - a technique known as "living off the land."
Description last updated: 2024-05-05T05:19:11.371Z
What's your take? (Question 1 of 4)
Help tune the shared Cybergeist dataset, assist your peers, and earn karma. Expand the panel to get started.
Possible Aliases / Cluster overlaps
It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at. Create a free account to see the source evidence for each alias, and help fix any errors.
Alias DescriptionVotes
Fakedead is a possible alias for BendyBear. FakeDead, also known as TSCookie, is a potent malware that has been linked to a series of backdoors including BendyBear, BIFROSE (or Bifrost), Consock, KIVARS, PLEAD, XBOW, and Waterbear (also known as DBGPRINT). This malicious software infiltrates systems typically through suspicious downloads, ema
3
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Malware
Analyst Notes & Discussion
Be the first to leave your mark here! Log in to share your views and vote.
Associated Malware
To see the evidence that has resulted in these malware associations, create a free account
Alias DescriptionAssociation TypeVotes
The Waterbear Malware is associated with BendyBear. WaterBear is a sophisticated form of malware, known for its ability to exploit and damage computer systems. It infiltrates systems through suspicious downloads, emails, or websites, often unbeknownst to the user. Once inside, it can steal personal information, disrupt operations, or hold data hostagUnspecified
3
The TSCookie Malware is associated with BendyBear. TSCookie is a malware that has been associated with various backdoors such as BendyBear, BIFROSE (Bifrost), Consock, KIVARS, PLEAD, XBOW, and Waterbear (DBGPRINT). It's also known as FakeDead and is used in conjunction with other tools like BendyBear and Flagpro by BlackTech, an advanced persistent Unspecified
2
The Flagpro Malware is associated with BendyBear. Flagpro is a malicious software (malware) used by threat actors to exploit and damage computer systems. The malware was first observed in attacks against Japan in October 2020, with new versions using the Microsoft Foundation Class (MFC) library identified by Security Operations Centers (SOCs) in JuUnspecified
2
Source Document References
Information about the BendyBear Malware was read from the documents corpus below. This display is limited to 20 results, create a free account to see more