Researchers Discover New Malware From Chinese Hacking Group (axios.com)
Researchers have discovered new "highly malleable, highly sophisticated" malware from a state-backed Chinese hacker group, according to Palo Alto Networks' Unit 42 threat intelligence team. From a report: The malware "stands in a class of its own in terms of being one of the most sophisticated, well-engineered and difficult-to-detect samples of shellcode employed by an Advanced Persistent Threat (APT)," according to Unit 42. The malware, which Unit 42 has dubbed "BendyBear," bears some resemblance to the "WaterBear malware family" (hence the bear in the name), which has been associated with BlackTech, a state-linked Chinese cyber spy group, writes Unit 42.
Background: BlackTech has been active since at least 2013, according to Symantec researchers. BlackTech has historically focused chiefly on intelligence targets in Taiwan, as well as some in Japan and Hong Kong. The group has targeted both foreign government and private-sector entities, including in "consumer electronics, computer, healthcare, and financial industries," said researchers with Trend Micro.
Trend Micro also previously assessed that BlackTech's "campaigns are likely designed to steal their target's technology."
Re: (Score:2)
Can you provide reliable evidence of that? It seems to be a Fox meme, but they don't give verifiable evidence, just editorial "guesses" about Joe's internal motivation.
It's not Joe's style to call leaders names & throw personal insults, unlike Don. Joe did say Xi "doesn't have a democratic bone in his body" (lower-case "d"). Perhaps conservatives now expect name-calling to "prove" one is an adversary? The WWE approach is just not our style, and is not effective in practice.
Re: (Score:2)
BlackTech has been active since at least 2013, according to Symantec researchers.
We know Obama did nothing about it, 'for reasons'...
But why didn't Trump do anything in his 4 years? And you expect Biden to fix it in 4 weeks?
Not super-advanced (Score:4, Informative)
Looking at some actual technical information instead of the promo for this particular company, it's just a variation of other existing malware and should be easy to detect with modern tools.
Transmits payloads in modified RC4-encrypted chunks. This hardens the encryption of the network communication, as a single RC4 key will not decrypt the entire payload.
Attempts to remain hidden from cybersecurity analysis by explicitly checking its environment for signs of debugging.
Leverages existing Windows registry key that is enabled by default in Windows 10 to store configuration data.
Clears the host’s DNS cache every time it attempts to connect to its C2 server, thereby requiring that the host resolve the current IP address for the malicious C2 domain each time.
Generates unique session keys for each connection to the C2 server.
Obscures its connection protocol by connecting to the C2 server over a common port (443), thereby blending in with normal SSL network traffic.
Employs polymorphic code, changing its runtime footprint during code execution to thwart memory analysis and evade signaturing.
Encrypts or decrypts function blocks (code blocks) during runtime, as needed, to evade detection.
Uses position independent code (PIC) to throw off static analysis tools.
Current-gen antivirus tools instantly block everything that isn't whitelisted that uses PIC or modifies its own runtime.
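Two items in the list quoted in that comment, chunked RC4 transport and a fresh session key per C2 connection, describe a pattern that is easier to reason about in code. The block below is an added example written for this page, not BendyBear's code and not Unit 42's: it implements textbook RC4 and encrypts a payload chunk by chunk under keys derived from a per-connection session key, so that recovering one chunk's RC4 key does not decrypt the rest. The derivation (HMAC-SHA256 of the session key and the chunk index, truncated to 16 bytes) and the chunk size are assumptions made for the example; the page says only "modified RC4" and does not describe the real key schedule. The payload is constructed inline.

```python
"""Chunked RC4 with per-chunk keys: an illustration, not BendyBear's code.

The per-chunk key derivation below (HMAC-SHA256 over the session key and
the chunk index) is an assumption for this example; the page gives no
detail of the real scheme beyond "modified RC4" and per-connection keys.
"""
import hashlib
import hmac
import os


def rc4(key: bytes, data: bytes) -> bytes:
    """Textbook RC4 (KSA + PRGA). The same call encrypts and decrypts."""
    s = list(range(256))
    j = 0
    for i in range(256):                      # key-scheduling algorithm
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:                         # pseudo-random generation
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def chunk_key(session_key: bytes, index: int) -> bytes:
    """Hypothetical per-chunk key: HMAC-SHA256(session_key, index)[:16]."""
    return hmac.new(session_key, index.to_bytes(4, "big"), hashlib.sha256).digest()[:16]


def new_session_key() -> bytes:
    """One fresh 16-byte key per C2 connection, as the write-up describes."""
    return os.urandom(16)


def encrypt_chunked(session_key: bytes, payload: bytes, chunk_size: int = 64):
    """Split the payload and encrypt each chunk under its own derived key."""
    chunks = []
    for index, start in enumerate(range(0, len(payload), chunk_size)):
        piece = payload[start:start + chunk_size]
        chunks.append((index, rc4(chunk_key(session_key, index), piece)))
    return chunks


def decrypt_chunked(session_key: bytes, chunks) -> bytes:
    """Receiver side: re-derive each chunk key from the session key."""
    return b"".join(rc4(chunk_key(session_key, index), body) for index, body in chunks)


def decrypt_with_single_key(single_key: bytes, chunks) -> bytes:
    """What an analyst holding only one recovered RC4 key gets: every chunk
    run through that one key. Only the matching chunk comes out readable."""
    return b"".join(rc4(single_key, body) for _, body in chunks)


if __name__ == "__main__":
    sk = new_session_key()
    payload = b"constructed sample payload " * 8   # constructed input, not real traffic
    chunks = encrypt_chunked(sk, payload, chunk_size=50)
    assert decrypt_chunked(sk, chunks) == payload
    leaked = decrypt_with_single_key(chunk_key(sk, 0), chunks)
    print("chunk 0 with its recovered key:", leaked[:50])
    print("chunk 1 with that same key    :", leaked[50:100])
```

Running the block shows the first chunk decrypting cleanly and the second coming out as noise, which is the property the quoted description is getting at. Note that none of this makes RC4 itself stronger; it only limits what a single recovered key is worth, and a defender who obtains the session key (for instance from memory) still recovers everything.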
Re: (Score:1)
Current-gen antivirus tools instantly block everything that isn't whitelisted that uses PIC or modifies its own runtime.
What OS are we talking about here? On Linux, PIC is the prevailing standard when building shared libraries so I can't see that having tight controls or you'll need to whitelist practically everything.
Re: (Score:1)
In user-space programs on Windows, DLLs are typically position-dependent and ASLR then "patches" the positions. Hence, until Windows 7, Windows was such a broken, insecure mess: you could just 'guess' where a particular exploitable DLL was loaded.
I thought most Linux binaries these days would have compiled (at least on x64) with -fPIE and let the KSM deal with deduplicating pages.
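The PIE question raised in that reply can be checked directly on a binary rather than guessed from compiler defaults. The block below is an added example for this page, not code from the thread or from any project it mentions: it reads the ELF header and program headers and classifies an image as a fixed-address executable (ET_EXEC), a PIE executable (ET_DYN with a PT_INTERP entry naming the dynamic loader) or a plain shared object (ET_DYN without one). The sample images it checks are constructed in the block; the only assumption is that a static-pie binary, which has no PT_INTERP, is reported as "shared-object" because nothing else in the headers is inspected.

```python
"""Classify an ELF image by position independence. Added example, not from the thread.

Only the ELF header and program-header table are read. A static-pie
binary (ET_DYN, no PT_INTERP) is therefore reported as "shared-object".
"""
import struct
import sys

ET_EXEC, ET_DYN = 2, 3
PT_INTERP = 3


def elf_kind(data: bytes) -> str:
    if data[:4] != b"\x7fELF":
        raise ValueError("not an ELF image")
    ei_class, ei_data = data[4], data[5]
    end = "<" if ei_data == 1 else ">"           # EI_DATA: 1 = little-endian
    if ei_class == 2:                            # ELF64 header, 64 bytes
        fmt = end + "16sHHIQQQIHHHHHH"
    elif ei_class == 1:                          # ELF32 header, 52 bytes
        fmt = end + "16sHHIIIIIHHHHHH"
    else:
        raise ValueError("unknown ELF class")
    hdr = struct.unpack_from(fmt, data, 0)
    e_type, e_phoff, e_phentsize, e_phnum = hdr[1], hdr[5], hdr[9], hdr[10]
    if e_type == ET_EXEC:
        return "fixed-address executable"        # the "just guess the address" case
    if e_type != ET_DYN:
        return "other (e_type=%d)" % e_type
    for n in range(e_phnum):                     # p_type is the first field of every phdr
        (p_type,) = struct.unpack_from(end + "I", data, e_phoff + n * e_phentsize)
        if p_type == PT_INTERP:
            return "pie-executable"              # relocatable and meant to be run
    return "shared-object"


def file_kind(path: str) -> str:
    with open(path, "rb") as fh:
        return elf_kind(fh.read())


def build_elf64(e_type: int, p_types) -> bytes:
    """Constructed minimal ELF64 little-endian image: header plus program headers only."""
    ident = b"\x7fELF" + bytes([2, 1, 1]) + bytes(9)   # class 64, LE, version 1, padding
    phdrs = b"".join(struct.pack("<IIQQQQQQ", t, 0, 0, 0, 0, 0, 0, 0) for t in p_types)
    hdr = struct.pack("<16sHHIQQQIHHHHHH", ident, e_type, 62, 1, 0, 64, 0, 0,
                      64, 56, len(p_types), 0, 0, 0)     # e_phoff=64, e_phentsize=56
    return hdr + phdrs


if __name__ == "__main__":
    for path in sys.argv[1:] or ["/bin/ls"]:
        print(path, "->", file_kind(path))
```

Pointing it at a distribution's /bin/ls on a current Linux will generally report "pie-executable"; pointing it at an old or deliberately non-PIE build reports "fixed-address executable", which is the case ASLR cannot help with.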
Great Wall (Score:2)
At what point does the world put a great wall around China's great wall, just to avoid these problems?
uses spear-phishing emails (Score:2)
Why can email lead to the installation of anything on a computer?
Why isn't the basic core functionality isolated? Why not just do away with all one-click installs?
Force users to do the install process, if they can't get it done that user should not be installing anything anyway.
Re: (Score:2)
to deliver and install their backdoor. Golly, who would have thought about doing that in this day and age? Why can email lead to the installation of anything on a computer?
Because there are stupid people out there who are supposed to be the filter preventing that.
Why isn't the basic core functionality isolated? Why not just do away with all one-click installs? Force users to do the install process; if they can't get it done, that user should not be installing anything anyway.
That's a good idea that would barely help.
Re: (Score:2)
Because there are stupid people out there who are supposed to be the filter preventing that.
Stupid people with one button [pinimg.com] that bypasses all the system protection.
Re: (Score:2)
There are email programs that make it harder to install attachments, or even to "accidentally" load images that are actually malware packages. In some cases, they have other features that are highly appealing.
But... institutions are trying to enforce uniformity, so EVERYONE runs the same, vulnerable software. The college I used to work for decided that pesky third-party email programs were too dangerous, after one of the directors was compromised using the approved software, so it was decided that no one would
Stop the Racism! (Score:2)
Re: (Score:1)
I'm trying to see if a point can be made of all this. So far, nada.
China, the new Russia (Score:2)
The Biden Bug (Score:1)
Let's support POTUS Biden by naming this malware after him.
That way, he won't have to wait to die to get a school name after him.
Something Totally Now! And totally within his realm of understanding!
Wrong vector (Score:2)
Your tax dollars at work (Score:1)