Security researchers have disclosed details of a recent Waterbear malware campaign targeting Taiwanese government agencies.
According to CyCraft’s report, the campaign, which took place in April 2020, made use of systems already compromised in past attacks to deploy the Waterbear Loader malware.
In the latest campaign the threat actor behind Waterbear exploited a vulnerability in data loss prevention (DLP) software in order to trigger the malware and maintain persistence.
To stay hidden from security solutions the malware used a variety of techniques, including:
- DLL hijacking to stealthily trigger next-stage malware
- Enlarging binary size to bypass scanning protocols
- Heaven’s Gate to avoid antivirus detection
- Forcing DLLs to unload to obfuscate malware
- Padding memory with Kernel32 content to confuse analyses
The first phase of the attack involved the hackers compromising a victim machine to gather admin credentials, which were then used to gain access to a web server via RDP. The hackers then used the compromised web server to spread the malware.
Another interesting finding is that the attackers “resurrected” an old antivirus evasion technique known as Heaven’s Gate.
“In this particular case, the attackers applied Heaven’s Gate to inject shellcode into the 64-bit system service from 32-bit WoW64. Just as 64-bit and 32-bit programs are quite different, so are analysis mechanisms. Malware equipped with Heaven’s Gate contains both 64-bit and 32-bit parts. Therefore, some monitor/analysis systems will only apply 32-bit analysis and will fail the 64-bit part; thus, this approach will break some monitor/analysis mechanisms,” the researchers explained.
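As an added illustration for defenders (not code from CyCraft’s report or this article), the following scanner looks for the byte patterns a Heaven’s Gate transition leaves in 32-bit code: a far jump or far call to the WoW64 64-bit code-segment selector 0x33, or a `push 0x33` followed shortly by a far return. The sample buffer is constructed here for the demonstration.

```python
import re
from typing import List, Tuple

# On WoW64 the 64-bit code segment selector is 0x33. A 32-bit Heaven's Gate
# stub switches mode either with a far jmp/call to 0x33:<addr> or by pushing
# 0x33 and a return address and executing retf. These are the raw encodings.
HEAVENS_GATE_PATTERNS = {
    # jmp far ptr 0x33:<imm32>  ->  EA <4-byte offset> 33 00
    "far_jmp_to_0x33": re.compile(rb"\xEA.{4}\x33\x00", re.DOTALL),
    # call far ptr 0x33:<imm32> ->  9A <4-byte offset> 33 00
    "far_call_to_0x33": re.compile(rb"\x9A.{4}\x33\x00", re.DOTALL),
    # push 0x33 ; (up to 16 bytes of setup) ; retf  ->  6A 33 ... CB
    "push_0x33_retf": re.compile(rb"\x6A\x33.{0,16}?\xCB", re.DOTALL),
}


def find_heavens_gate(buf: bytes) -> List[Tuple[int, str]]:
    """Return (offset, pattern_name) for every Heaven's Gate-style transition
    found in buf, sorted by offset. buf is a region read from a 32-bit process
    or the code section of a 32-bit PE. The 0x33 selector is a strong signal,
    but confirm hits by disassembling around the offset before alerting."""
    hits: List[Tuple[int, str]] = []
    for name, pattern in HEAVENS_GATE_PATTERNS.items():
        for match in pattern.finditer(buf):
            hits.append((match.start(), name))
    return sorted(hits)


# Constructed sample: a benign prologue, then the classic
# push 0x33 / call $+5 / add [esp],5 / retf gate, then a direct far jmp.
SAMPLE = (
    b"\x55\x8B\xEC"                  # push ebp ; mov ebp, esp   (offset 0)
    + b"\x6A\x33"                    # push 0x33                 (offset 3)
    + b"\xE8\x00\x00\x00\x00"        # call $+5                  (offset 5)
    + b"\x83\x04\x24\x05"            # add dword [esp], 5        (offset 10)
    + b"\xCB"                        # retf -> continues in 64-bit mode (offset 14)
    + b"\x90" * 8                    # nop sled                  (offset 15)
    + b"\xEA\x00\x10\x40\x00\x33\x00"  # jmp far 0x33:0x00401000 (offset 23)
    + b"\xC3"                        # ret
)

if __name__ == "__main__":
    for offset, name in find_heavens_gate(SAMPLE):
        print(f"0x{offset:04x}: {name}")
```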
The Waterbear malware has previously been attributed to the cyber espionage group BlackTech, which mainly targets technology companies and government agencies in East Asia (specifically Taiwan, and in some instances Japan and Hong Kong) and is responsible for infamous campaigns such as PLEAD and Shrouded Crossbow. According to a previous report by Trend Micro, the malware is mainly used for lateral movement, with its loader component decrypting and triggering payloads (backdoors that can receive and load additional modules).