Cybersecurity firms are scrambling to update their tools after revelations that governments and businesses may already have been targeted by BendyBear, a complex piece of stealthy malware that has been attributed to Chinese hackers and called “one of the most sophisticated cyber espionage tools seen to date”.

Unit 42, the threat-intelligence division of security vendor Palo Alto Networks, raised the alarm and published its analysis of an advanced persistent threat (APT) that it calls “novel Chinese shellcode linked with cyber espionage group BlackTech”.

Shellcode is low-level code loaded directly into the memory of 64-bit computers, and BendyBear’s “highly malleable, highly sophisticated” design – which allows it to operate in what Unit 42 called “extreme stealth” – comprises just over 10KB of complex code.

That size makes the exploit “noticeably larger than most”, the researchers said, reflecting added refinements such as a modified RC4 encryption technique that encrypts data in chunks – making it extremely difficult to detect communications between an infected system and the ‘command and control’ server that directs it.

BendyBear also seeds its communications amongst normal web-browsing data sent via a commonly used data channel; watches infected systems to see if they’re being scanned; and uses polymorphic code techniques to continually modify itself, preventing security scanners from detecting its telltale signature or activities.

Because the malware loads itself directly into the target system’s memory, it doesn’t leave any footprints on the system’s storage, where conventional scanners might otherwise spot its tracks.

This evasive and flexible design makes BendyBear “extremely difficult to detect”, leading Unit 42 researchers to conclude that it “stands in a class of its own in terms of being one of the most sophisticated, well-engineered and difficult-to-detect” shellcode samples seen to date.

Nation-state hackers “having some fun”

BendyBear’s discovery validates concerns that nation-state actors actively exploited the chaos of the COVID-19 pandemic, with 87 per cent of respondents to a recent CrowdStrike survey agreeing that nation-state sponsored cyber-attacks are “far more common than people think”.

Fully 73 per cent believe nation-state sponsored cyber attacks will “pose the single biggest threat” to organisations like theirs in 2021 – with 47 per cent believing the attackers would be looking to take advantage of vulnerabilities caused by COVID-19, and 44 per cent anticipating attacks motivated by intelligence gathering.

BendyBear’s malleability reminded investigators of WaterBear – a decade-old malware platform attributed to Chinese government-linked hacking group BlackTech, which has been observed running cyber espionage campaigns against government and corporate targets in East Asian countries like Taiwan, Japan, and Hong Kong.

WaterBear – which emerged in a new form late in 2019 – uses similar shape-shifting techniques to propagate across infected company networks.

Once inside and latched on – much like its microscopic namesakes do in the real world – the WaterBear APT opens up direct channels that attackers can use to install specific modules designed to steal company data, monitor communications, compromise critical systems, or carry out other actions.

BendyBear takes this behaviour to new extremes – leading the Unit 42 team to share details of the new attack’s telltale indicators of compromise (IoCs) with “government and industry partners”, including members of the Cyber Threat Alliance, to help them update their software for customers that could already be infected by the malicious code.

The prevalence of low-and-slow APT attacks – the recent Russia-linked SolarWinds compromise avoided detection for many months – highlights the growing use of increasingly sophisticated techniques by nation-state actors, which have been “having some fun” during the COVID-19 pandemic, Accenture ANZ security lead and security practice managing director Joseph Failla told Information Age.

“The threat landscape changed overnight,” he explained, “and this caught a lot of people off guard because [the threat landscape] was pretty dynamic” during 2020.

“The pandemic helped [cybercriminals] a lot, both with a lot more vulnerabilities and because they decided ‘let’s go and see what we can take related to COVID’.”

Last year saw Russian hackers attack the Tokyo Olympics and steal COVID-19 research data, Iranian attackers target World Health Organisation staff, and even Chinese attacks on the Western Australian premier as part of a broader campaign of China-led compromise.

Partnerships between nation-state actors and more conventional cybercriminals are making APTs more dangerous and more effective, Failla added.

“When nation states want to do something different, they’ll go and play with some of the criminal elements,” he explained.

“That’s why typical APT players are around, ransomware has been going off the boil, and criminals have been having some fun.”