Tuesday, October 27, 11:28

Waterbear malware is used in attacks against government services

Researchers have identified a new Waterbear malware campaign in which Taiwanese government agencies have been targeted by sophisticated attacks.

According to CyCraft researchers, the attacks took place in April 2020. In an interesting twist, the attackers appear to have reused malware already present on servers compromised in earlier attacks in order to build the new campaign.

The gang behind the Waterbear malware had previously been linked to BlackTech, an advanced cyber-espionage group that generally targets technology companies and government agencies in Taiwan, Japan and Hong Kong.

Waterbear malware

Trend Micro researchers describe Waterbear as modular malware used mainly for lateral movement, with decryption and payload activation handled by its loader component. Last year, Waterbear drew the attention of the cyber-security industry after it used API hooking to hide its activity by abusing security products.

In the latest wave, CyCraft says the attackers exploited a vulnerability in a trusted Data Loss Prevention (DLP) tool to load Waterbear. The job was made easier because residue from previous attacks on the same targets had never been completely removed.

Intruders were spotted attempting to use stolen credentials to access a targeted network. In some cases, endpoints were still compromised from previous attacks, and this foothold was used to reach the victim's internal network and quietly establish a connection to the command-and-control (C2) server.

A vulnerability in the DLP tool was then used to perform DLL hijacking. Because the software did not verify the integrity of the DLLs it loads, the malicious file was executed with a high level of privilege.
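The missing check described above, as an added illustration that is not code from the DLP product or from CyCraft: a loader that accepts whatever file sits at the DLL path, beside one that compares the file against a shipped SHA-256 allowlist before loading it. File names, contents and the manifest are constructed for the example; a real product would verify Authenticode signatures rather than a bare hash list.

```python
import hashlib
import tempfile
from pathlib import Path

# Constructed sample DLL contents; real PE files would be verified the same way.
GOOD_DLL = b"MZ\x90\x00constructed-good-scanner-dll"
EVIL_DLL = b"MZ\x90\x00constructed-planted-dll"

def sha256_file(path: Path) -> str:
    """Hash a file in chunks so large DLLs need not be read into memory at once."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()

def load_dll_unverified(app_dir: Path, name: str) -> bytes:
    """Loader behaviour the article describes: whatever sits at the path gets loaded."""
    return (app_dir / name).read_bytes()

def load_dll_verified(app_dir: Path, name: str, manifest: dict) -> bytes:
    """Hardened loader: refuse anything not in the allowlist or whose hash changed."""
    path = app_dir / name
    if name not in manifest:
        raise PermissionError(f"{name}: not in the allowlist")
    if path.is_symlink():
        raise PermissionError(f"{name}: symlinks are not accepted as plugin DLLs")
    actual = sha256_file(path)
    if actual != manifest[name]:
        raise PermissionError(f"{name}: hash {actual} does not match the manifest")
    return path.read_bytes()

def demo() -> dict:
    """Build a throwaway app directory, plant a replacement DLL, record what each loader does."""
    with tempfile.TemporaryDirectory() as tmp:
        app_dir = Path(tmp)
        dll = app_dir / "scanner.dll"
        dll.write_bytes(GOOD_DLL)
        manifest = {"scanner.dll": hashlib.sha256(GOOD_DLL).hexdigest()}  # shipped with product
        genuine_ok = load_dll_verified(app_dir, "scanner.dll", manifest) == GOOD_DLL
        dll.write_bytes(EVIL_DLL)  # an intruder with write access swaps the file in place
        unverified_ran_evil = load_dll_unverified(app_dir, "scanner.dll") == EVIL_DLL
        try:
            load_dll_verified(app_dir, "scanner.dll", manifest)
            verified_ran_evil = True
        except PermissionError:
            verified_ran_evil = False
    return {"genuine_ok": genuine_ok, "unverified_ran_evil": unverified_ran_evil, "verified_ran_evil": verified_ran_evil}
```

The allowlist only helps if the manifest itself cannot be rewritten by the same intruder, so it must live outside any directory writable by the account that can plant DLLs.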

This DLL then injected shellcode into various Windows system services, allowing the Waterbear loader to deploy additional malicious packages.

Another interesting aspect of the loader, according to the researchers, is the "resurrection" of an old anti-virus evasion technique. Known as "Heaven's Gate", this misdirection technique tricks Microsoft Windows into executing 64-bit code from what is declared as a 32-bit process. This, in turn, can be used to bypass security mechanisms and to inject shellcode.

In August, the CyCraft team told Black Hat USA attendees that a Chinese APT group had "hit" the systems of several Taiwanese chipmakers.

Teo Ehc, https://www.secnews.gr