Waterbear Malware Now Uses API Hooking to Stay Undetected

Delaware, USA – December 11, 2019 – Waterbear modular malware is a development of cyberespionage group BlackTech and is often used in attacks on technology companies and government agencies in East Asia. Last year the group made the headlines distributing Plead backdoor signed with legitimate code-signing certificates previously stolen from Taiwanese companies: D-LINK and Changing Information Technologies. In the group’s past campaigns, Waterbear was used for lateral movement: to install backdoors which can download and deploy additional tools, but recently Trend Micro experts discovered a new version of malware with interesting features. Waterbear now can use API hooking techniques to hide its network behaviors from a security solution popular in the region of attackers’ choice. The attackers probably studied the security solution in detail to learn which specific APIs to hook. “Since the API hooking shellcode adopts a generic approach, a similar code snippet might be used to target other products in the future and make Waterbear harder to detect,” – researchers reported.

To hide malicious actions, one of the modules hooks two different APIs, namely “ZwOpenProcess” and “GetExtendedTcpTable”, modifies the functions in the memory of the security product process. The payload consists of a two-stage shellcode: “The first-stage shellcode finds a specific security product’s process with a hardcoded name and injects the second-stage shellcode into that process. The second-stage shellcode then performs API hooking inside the targeted process.” You can use APT Framework rule pack available at Threat Detection Marketplace to uncover traces of sophisticated malware activity and signs of cyberattack at any stage of Cyber Kill Chain: https://my.socprime.com/en/integrations/apt-framework