Waterbear is Back, Uses API Hooking to Evade Security Product Detection

Dec 11, 2019

Researchers at Trend Micro have observed a new Waterbear campaign with a new evasion capability: it uses API hooking so that its malicious activity goes undetected by security products. Waterbear, a campaign characterized by modular malware whose functionality can be added and changed remotely, has been around for years and has been associated with “BlackTech,” a cyberespionage group that mainly targets technology companies and government agencies in East Asia. According to Trend Micro, the API hooking was implemented to hide network behavior from a specific, unidentified security vendor that is based in the APAC region and commonly used in BlackTech-targeted countries. The researchers highlight that this is the first instance of Waterbear observed attempting to hide backdoor activities, and conclude that the threat actors behind the campaign are “knowledgeable of the victims’ environment and which security products they use.”

Recommendation: Targeted attacks such as these are evasive and highly professional. Threat actors are always adapting to the security environment to remain effective. New techniques can still be spotted with behavioural analysis defenses and social engineering training. Ensure that your company's firewall blocks all entry points for unauthorized users, and maintain records of how normal traffic appears on your network. With that baseline, it is easier to spot unusual traffic and connections to and from your network and to identify potentially malicious activity. It is also important to know and understand the limitations of the security vendor services used in your network.

Indicators of Compromise (IOCs) associated with this story can be viewed by ThreatStream users here to identify potential malicious activity.