‘Waterbear’ Employs API Hooking to Hide Malicious Behavior
The long-standing Waterbear campaign has returned with new evasion capabilities, employing API hooking techniques to hide its network behavior from security products, Trend Micro reports.
Waterbear has been associated with the BlackTech cyberespionage group, which ESET observed earlier this year abusing an ASUS update process to deliver malware. Waterbear is mainly characterized by the use of modular malware and the ability to add functionality remotely.
A new Waterbear campaign, Trend Micro’s security researchers explain, has revealed the use of API hooking to hide network behavior from a specific security vendor that is based in the APAC region, in line with BlackTech’s targeted countries.
The use of this technique shows that the attackers are familiar with how certain security products harvest information and also suggests that the technique might be used to target other products as well in the future.
Waterbear uses a DLL loader to decrypt and execute an RC4-encrypted payload that normally is a first-stage backdoor that can fetch and run other payloads. These backdoors either connect to a command and control (C&C) server or listen to a specific port.
In some attacks, the hardcoded file paths of the encrypted payloads suggest that the attackers have knowledge of their targets’ environments and Trend Micro believes that Waterbear might be used to maintain presence after gaining access to the targets’ systems.
Two different DLL loader triggers were observed in Waterbear infections, one altering a legitimate server application to import and load the loader, and another employing phantom DLL hijacking and DLL side loading.
After execution, the Waterbear DLL loader searches for a hardcoded path and attempts to decrypt the corresponding payload, a piece of encrypted shellcode that is then injected into a legitimate Windows service — LanmanServer, which is run by svchost.exe.
The payload encrypts its function blocks before executing the malicious routine to avoid in-memory scanning. It then decrypts functions as it needs them, and then encrypts them back. Functions that are not used in the rest of the execution are scrambled by another mess-up function.
In a recent attack, two payloads were loaded, including one to inject code into a specific security product and hide the backdoor, a technique new to Waterbear. The other payload was the typical first-stage backdoor associated with the threat.
Both encrypted and stored on the disk, the payloads were injected into the same service. The loader would terminate the infection if it didn’t find the first payload or if the executable from the security product was not found. If loaded, the second backdoor is executed even if the API hooking was not performed.
To hide the behavior of the first-stage backdoor, two different APIs are hooked. The payload modifies the functions in the memory of the security product process and does not disable the functions, which results in the targeted security product working normally, thus making detection more difficult.
“This is the first time we’ve seen Waterbear attempting to hide its backdoor activities. By the hardcoded product name, we infer that the attackers are knowledgeable of the victims’ environment and which security product(s) they use. The attackers might also be familiar with how security products gather information on their clients’ endpoints and networks, so that they know which APIs to hook,” Trend Micro concludes.