BlackTech: The cyber-espionage group BlackTech has been associated with the Waterbear malware for many years, targeting countries in East Asia. In the previous campaigns carried out by the group, they primarily used Waterbear for lateral movement across networks and decrypting and triggering payloads with its loader component. In the most recent campaign, Waterbear has been using API hooking as its newest technique to aid in evading detection by traditional security products, including anti-virus. The report from Trend Micro outlining this newest feature stated that the security vendor is APAC-based, which aligns with previously targeted companies of the group. BlackTech knows which API to hook in this campaign which makes it possible that they have knowledge of how certain security products gather information on their client’s networks and endpoints. The code that is used in Waterbear for API hooking takes a generic approach, making it easier for the group to customize the Waterbear API hooking feature based on their target.
Analyst Notes
This is the first time Waterbear has been seen trying to hide its backdoor capabilities. The hardcoded product name leads researchers to the assumption that the attackers are knowledgeable about the network that is being targeted and how the security products work on that particular network and because of this, Waterbear is harder to detect now as opposed to previous campaigns. API hooking is a standard tactic used by threat actors to evade anti-virus products around the industry. Companies can combat this type of attack by utilizing behavior-based detection products such as Binary Defense Managed Detection and Response. Companies should also conduct routine scans and manually search through networks to ensure malware such as this is not persisting on their network.
For more details about Waterbear: https://blog.trendmicro.com/trendlabs-security-intelligence/waterbear-is-back-uses-api-hooking-to-evade-security-product-detection/
