BendyBear

Description

(Palo Alto) The BendyBear sample was determined to be x64 shellcode for a stage-zero implant whose sole function is to download a more robust implant from a command and control (C2) server. Shellcode, despite its name, is used to describe the small piece of code loaded onto the target immediately following exploitation, regardless of whether or not it actually spawns a command shell. At 10,000+ bytes, BendyBear is noticeably larger than most, and uses its size to implement advanced features and anti-analysis techniques, such as modified RC4 encryption, signature block verification, and polymorphic code.

Names

Name
BendyBear
Waterbear
Deuterbear

Type

Backdoor

Information

https://unit42.paloaltonetworks.com/bendybear-shellcode-blacktech/
https://www.trendmicro.com/en_us/research/24/d/earth-hundun-waterbear-deuterbear.html

Mitre Attack

https://attack.mitre.org/software/S0574/

Playbook

https://pan-unit42.github.io/playbook_viewer/?pb=bendybear

Other Information

Uuid

8a45f278-6be3-4157-896d-9af9ec672f29

Last Card Change

2024-04-22

Threat Intelligence Garden

Explorer

BendyBear

BendyBear

Description

Names

Category

Type

Information

Mitre Attack

Playbook

Other Information

Uuid

Last Card Change

Graph View

Table of Contents

Backlinks