Waterbear

Malware updated 4 months ago (2024-05-05T09:17:33.666Z)
WaterBear is a sophisticated form of malware, known for its ability to exploit and damage computer systems. It infiltrates systems through suspicious downloads, emails, or websites, often without the user's knowledge. Once inside, it can steal personal information, disrupt operations, or hold data hostage for ransom. WaterBear uses a 256-byte RC4 state box with byte shifting and addition within the key scheduling algorithm. Variants of WaterBear implement API hooking, a technique not seen in similar malware such as BendyBear. Both WaterBear and BendyBear use a modified RC4 encryption, but their implementations differ slightly. The attack chain and Tactics, Techniques, and Procedures (TTPs) of WaterBear show some distinct characteristics. For instance, anti-memory scanning is a feature inherited from the WaterBear downloader, which encrypts all function blocks (except for the decode routine) with a fixed key defined in its configuration. There are differences between the WaterBear downloader and other downloaders such as Deuterbear. Some WaterBear downloaders have been observed using command-and-control (C&C) servers with internal IP addresses, an unusual tactic that adds another layer of obfuscation. For a more comprehensive view of WaterBear's past activities, please refer to the 2019 report by Trend Micro. The latest iteration of WaterBear, known as Deuterbear, exhibits even more advanced techniques, demonstrating the continuous evolution of this malware. This report will delve into the latest techniques Earth Hundun has implemented with WaterBear and provide an analysis of Deuterbear.
Description last updated: 2024-05-05T08:37:02.632Z
Possible Aliases / Cluster overlaps
It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at.
ID | Votes | Profile Description
PLEAD | 2 | The PLEAD malware is malicious software that was discovered by ESET researchers in 2019 to be utilized by the Chinese APT group known as BlackTech. The group was found to be performing Man-in-the-Middle (MitM) attacks through compromised ASUS routers and delivering the PLEAD malware through ASUS W
Fakedead | 2 | FakeDead, also known as TSCookie, is a potent malware that has been linked to a series of backdoors including BendyBear, BIFROSE (or Bifrost), Consock, KIVARS, PLEAD, XBOW, and Waterbear (also known as DBGPRINT). This malicious software infiltrates systems typically through suspicious downloads, ema
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Malware
Backdoor
Loader
Downloader
Associated Malware
ID | Type | Votes | Profile Description
BendyBear | Unspecified | 3 | BendyBear is a sophisticated x64 shellcode malware that requires a loader or code injection for deployment. It contains advanced features not typically found in shellcode, making it a potent threat to computer systems. BendyBear, along with other specific malware strains such as Bifrose, SpiderPig, an
Source Document References
Information about the Waterbear Malware was read from the documents corpus below.
Source | Created | Title
Trend Micro | 4 months ago | Tracking the Progression of Earth Hundun's Cyberespionage Campaign in 2024
Trend Micro | 5 months ago | Cyberespionage Group Earth Hundun's Continuous Refinement of Waterbear and Deuterbear
DARKReading | 5 months ago | How Soccer's 2022 World Cup in Qatar Was Nearly Hacked
CERT-EU | a year ago | Government-sponsored Chinese hackers are "hiding" inside Cisco routers
CERT-EU | a year ago | China's BlackTech Hacking Group Exploited Routers to Target U.S. and Japanese Companies
Securityaffairs | a year ago | China-linked APT BlackTech was spotted hiding in Cisco router firmware
MITRE | 2 years ago | The Trail of BlackTech’s Cyber Espionage Campaigns
MITRE | 2 years ago | BendyBear: Novel Chinese Shellcode Linked With Cyber Espionage Group BlackTech
MITRE | 2 years ago | Waterbear Returns, Uses API Hooking to Evade Security