BendyBear: Novel Chinese Shellcode Linked With Cyber Espionage Group BlackTech


Posted by Telegram SmartBoT (Moderator, @tgsmartbot)

        #Discussion(Security) [ via IoTGroup ]


        The malware, which Unit 42 has dubbed “BendyBear,” bears some resemblance to the “WaterBear malware family” (hence the bear in the name), which has been associated with BlackTech, a state-linked Chinese cyber spy group, writes Unit 42.

        The BendyBear sample was determined to be x64 shellcode for a stage-zero implant whose sole function is to download a more robust implant from a command and control (C2) server.
        Highlighted in neon green are the two 16-byte keys used for XORing values throughout the shellcode.
        The stager begins by computing 10 bytes of data to send to the C2 server.
        The stager computes a 10-byte challenge request containing information for the C2, including the size of the data (the session keys) to be received next.

        The last four bytes of the decrypted request packet inform the C2 server of the size of the expected network traffic to follow.
        These 32 bytes make up the session keys used by the C2 server to encrypt a server challenge response and encrypt the payload.
        The C2 uses the session keys to build the RC4 state box and as an XOR key for encryption and decryption.

        2. Using the computed pre-session key from step 1, the C2 server builds the RC4 Key Scheduling Algorithm (KSA).
        a. XOR the 10-byte server challenge with key 0x33836E6B3FAA6AC464DA and perform the following:

        c. Send the updated 10-byte command header to the stager.
        Attribute comparison (WaterBear / BendyBear):
        File Type: EXE, DLL / Shellcode
        Implant Type: Stage-2 / Stage-0
        Modified RC4
        Additional Encryption: UNKNOWN / Extra XOR Computations
        16-Byte XOR keys
        Authenticated C2 Communications
        Signature Verification
        Magic Bytes: 1F 40 1F 43 / 1F 40 1F 43
        Chunked Payloads
        Polymorphic Code
        In-Memory Loading
        PEB Debugger Check
        Pattern Elimination
        Encrypt


        AutoTextExtraction by Working BoT using SmartNews 1.03976805238 Build 04 April 2020
