Waterbear

Malware updated 6 months ago (2024-05-05T09:17:33.666Z)
WaterBear is a sophisticated malware family known for its ability to compromise and damage computer systems. It typically enters a system through suspicious downloads, emails, or websites, often without the user's knowledge. Once inside, it can steal personal information, disrupt operations, or hold data hostage for ransom.

WaterBear uses a 256-byte RC4 state box, with byte shifting and addition applied within the key scheduling algorithm. Some WaterBear variants implement API hooking, a technique not seen in closely related malware such as BendyBear. Both WaterBear and BendyBear rely on a modified RC4 cipher, but the two implementations differ slightly. WaterBear's attack chain and its Tactics, Techniques, and Procedures (TTPs) also show several distinct characteristics. For instance, its anti-memory-scanning capability is inherited from the WaterBear downloader, which encrypts every function block except the decode routine with a fixed key defined in its configuration. The WaterBear downloader also differs from other downloaders such as Deuterbear. Some WaterBear downloaders have been observed using command-and-control (C&C) servers with internal IP addresses, an unusual choice that adds a further layer of obfuscation.

For a more comprehensive view of WaterBear's earlier activity, refer to the 2019 Trend Micro report. The latest iteration of WaterBear, known as Deuterbear, exhibits even more advanced techniques, demonstrating the continuing evolution of this malware. The source report examines the latest techniques Earth Hundun has implemented in WaterBear and provides an analysis of Deuterbear.
Description last updated: 2024-05-05T08:37:02.632Z
Possible Aliases / Cluster overlaps
Tracking cluster overlaps and naming conventions across vendors is difficult, so the following overlapping names and profiles may also be relevant.
Alias | Description | Votes
PLEAD | PLEAD is a possible alias for Waterbear. PLEAD is a sophisticated malware, suspected to be associated with the Chinese APT group known as BlackTech. First observed in the wild in 2015, it was discovered by ESET researchers in 2019 that BlackTech was using compromised ASUS routers to perform Man-in-the-Middle (MitM) attacks and deliver the | 2
Fakedead | Fakedead is a possible alias for Waterbear. FakeDead, also known as TSCookie, is a potent malware that has been linked to a series of backdoors including BendyBear, BIFROSE (or Bifrost), Consock, KIVARS, PLEAD, XBOW, and Waterbear (also known as DBGPRINT). This malicious software infiltrates systems typically through suspicious downloads, ema | 2
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Malware
Backdoor
Loader
Downloader
Associated Malware
Alias | Description | Association Type | Votes
BendyBear | The BendyBear malware is associated with Waterbear. BendyBear is a sophisticated x64 shellcode malware that requires a loader or code injection for deployment. It contains advanced features not typically found in shellcode, making it a potent threat to computer systems. BendyBear, along with other specific malware strains such as Bifrose, SpiderPig, an | Unspecified | 3