Researchers have identified a new Waterbear malware campaign in which Taiwanese government agencies were targeted by sophisticated attacks.
According to CyCraft researchers, the attacks took place in April 2020. In an interesting reversal, the attackers appear to have reused malware that was already present on compromised servers, left behind by earlier attacks, to build out the new campaign.
The group behind Waterbear has previously been linked to BlackTech, an advanced cyber-espionage group that generally attacks technology companies and government agencies in Taiwan, Japan and Hong Kong.
Trend Micro researchers describe Waterbear as modular malware used mainly for lateral movement, with a loader component that decrypts and launches its payloads. Last year Waterbear drew the attention of the security industry after it applied API hooking to hide its activity from security products.
In the latest wave, CyCraft says, the attackers exploited a vulnerability in a trusted Data Loss Prevention (DLP) tool to load Waterbear. Their job was made easier because remnants of malware from earlier attacks on the same targets had never been fully removed.
The intruders were seen trying to use stolen credentials to access a targeted network. In some cases endpoints were still compromised from previous attacks, and that foothold was used to reach the victim's internal network and quietly establish a connection to the attackers' command-and-control (C2) server.
A vulnerability in the DLP tool was then used for DLL hijacking. Because the software did not verify the integrity of the DLLs it loads, the malicious DLL was started with the tool's high level of privileges.
This DLL then injected shellcode into various Windows system services, allowing the Waterbear loader to deploy additional malicious payloads.
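The weakness described above is a host process that loads DLLs without checking who signed them. The following is an added example, not code from CyCraft, Trend Micro or the affected vendor, of the check a defender can run after the fact over Sysmon Event ID 7 (Image loaded) records: it flags DLLs that a process loaded without a valid signature, with a signer other than the product's own publisher, under a Windows DLL's name from outside the system directories, or from a user-writable path. The product name "ExampleDLP", its paths, the publisher names and the short list of commonly hijacked DLL names are assumptions, and the sample records are constructed rather than real logs.

```python
"""Flag hijack-like DLL loads in Sysmon Event ID 7 (Image loaded) records.

Added example, not the code of any vendor or research team named in the
article. Field names follow Sysmon's ImageLoad event (Image, ImageLoaded,
Signed, Signature, SignatureStatus); the sample records are constructed.
"""
import ntpath
from dataclasses import dataclass

# Directories from which Windows itself ships DLLs (lower-cased for matching).
SYSTEM_DIRS = (
    r"c:\windows\system32" + "\\",
    r"c:\windows\syswow64" + "\\",
    r"c:\windows\winsxs" + "\\",
)

# Assumption: a small, non-exhaustive set of OS-provided DLL names that are
# commonly planted next to an executable for search-order hijacking.
SYSTEM_DLL_NAMES = {
    "version.dll", "dbghelp.dll", "cryptsp.dll", "wtsapi32.dll",
    "userenv.dll", "profapi.dll", "dwmapi.dll", "uxtheme.dll",
}

# Assumption: locations an unprivileged user can normally write to.
USER_WRITABLE = (r"c:\users" + "\\", r"c:\programdata" + "\\")


@dataclass(frozen=True)
class Finding:
    process: str
    dll: str
    reasons: tuple


def hijack_reasons(event, expected_publisher=None):
    """Return the reasons an ImageLoad record looks like a DLL hijack ([] if none).

    expected_publisher: the Signature (signer name) the product's own modules
    carry; when given, any other signer outside the system directories is flagged.
    """
    loaded = event["ImageLoaded"].lower()
    name = ntpath.basename(loaded)
    reasons = []

    # 1. The host never verified the DLL, so the log is where it gets verified.
    if (event.get("Signed", "false").lower() != "true"
            or event.get("SignatureStatus", "").lower() != "valid"):
        reasons.append("signature-not-valid")
    elif (expected_publisher and event.get("Signature") != expected_publisher
            and not loaded.startswith(SYSTEM_DIRS)):
        reasons.append("unexpected-publisher")

    # 2. A DLL carrying a Windows DLL's name but loaded from outside the
    #    system directories is the classic search-order hijack / sideload.
    if name in SYSTEM_DLL_NAMES and not loaded.startswith(SYSTEM_DIRS):
        reasons.append("system-dll-name-outside-system-dir")

    # 3. Code loaded from a location any user can write to.
    if loaded.startswith(USER_WRITABLE):
        reasons.append("user-writable-path")

    return reasons


def scan(events, expected_publisher=None):
    """Run hijack_reasons over a sequence of records and collect the findings."""
    findings = []
    for ev in events:
        reasons = hijack_reasons(ev, expected_publisher)
        if reasons:
            findings.append(Finding(ev["Image"], ev["ImageLoaded"], tuple(reasons)))
    return findings


# Constructed sample records shaped like Sysmon Event ID 7 output.
SAMPLE_EVENTS = [
    {"Image": r"C:\Program Files\ExampleDLP\dlpagent.exe",
     "ImageLoaded": r"C:\Windows\System32\kernel32.dll",
     "Signed": "true", "Signature": "Microsoft Windows", "SignatureStatus": "Valid"},
    {"Image": r"C:\Program Files\ExampleDLP\dlpagent.exe",
     "ImageLoaded": r"C:\Program Files\ExampleDLP\dlpcore.dll",
     "Signed": "true", "Signature": "Example DLP Vendor", "SignatureStatus": "Valid"},
    # Planted beside the executable, so the default search order finds it
    # before the genuine copy in System32.
    {"Image": r"C:\Program Files\ExampleDLP\dlpagent.exe",
     "ImageLoaded": r"C:\Program Files\ExampleDLP\version.dll",
     "Signed": "false", "Signature": "", "SignatureStatus": "Unavailable"},
    # Dropped under a harmless-looking name in a user-writable directory.
    {"Image": r"C:\Program Files\ExampleDLP\dlpagent.exe",
     "ImageLoaded": r"C:\ProgramData\ExampleDLP\cache\update.dll",
     "Signed": "true", "Signature": "Some Other Publisher", "SignatureStatus": "Valid"},
]

if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS, expected_publisher="Example DLP Vendor"):
        print(f"{f.dll} loaded by {f.process}: {', '.join(f.reasons)}")
```

Run against the sample records, the two legitimate loads (a Microsoft-signed system DLL and the vendor's own module) produce nothing, while the planted version.dll and the ProgramData drop are each reported with the reasons that apply. In production the same fields come from the Sysmon event log rather than an inline list, and the publisher name should be taken from a known-good installation rather than guessed.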
Another interesting aspect of the loader, according to the researchers, is its "resurrection" of an old antivirus-evasion technique known as "Heaven's Gate". This misdirection technique tricks Microsoft Windows into executing 64-bit code from a process that declares itself 32-bit: a WoW64 process performs a far jump into the 64-bit code segment, so instructions run in 64-bit mode where hooks placed on the 32-bit side of the process do not see them. This, in turn, can be used to bypass security mechanisms and to inject shellcode.
In August, the CyCraft team told Black Hat USA attendees that a Chinese APT group had "hit" the systems of several Taiwanese chipmakers.