1. Home
  2. Software
  3. Waterbear

Waterbear

Waterbear is modular malware attributed to BlackTech that has been used primarily for lateral movement, decrypting, and triggering payloads and is capable of hiding network behaviors.[1]

ID: S0579
Type: MALWARE
Platforms: Windows
Version: 1.1
Created: 22 February 2021
Last Modified: 25 March 2022
Enterprise Layer
download view

Techniques Used

Domain ID Name Use
Enterprise T1140 Deobfuscate/Decode Files or Information

Waterbear has the ability to decrypt its RC4 encrypted payload for execution.[1]
Enterprise T1574 .002 Hijack Execution Flow: DLL Side-Loading

Waterbear has used DLL side loading to import and load a malicious DLL loader.[1]

Enterprise T1562 .006 Impair Defenses: Indicator Blocking

Waterbear can hook the ZwOpenProcess and GetExtendedTcpTable APIs called by the process of a security product to hide PIDs and TCP records from detection.[1]
Enterprise T1105 Ingress Tool Transfer

Waterbear can receive and load executables from remote C2 servers.[1]
Enterprise T1112 Modify Registry

Waterbear has deleted certain values from the Registry to load a malicious DLL.[1]

Enterprise T1106 Native API

Waterbear can leverage API functions for execution.[1]
Enterprise T1027 Obfuscated Files or Information

Waterbear has used RC4 encrypted shellcode and encrypted functions.[1]
.005 Indicator Removal from Tools

Waterbear can scramble functions not to be executed again with random values.[1]
Enterprise T1057 Process Discovery

Waterbear can identify the process for a specific security product.[1]
Enterprise T1055 Process Injection

Waterbear can inject decrypted shellcode into the LanmanServer service.[1]
.003 Thread Execution Hijacking

Waterbear can use thread injection to inject shellcode into the process of security software.[1]
Enterprise T1012 Query Registry

Waterbear can query the Registry key "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MSDTC\MTxOCI" to see if the value OracleOcilib exists.[1]
Enterprise T1518 .001 Software Discovery: Security Software Discovery

Waterbear can find the presence of a specific security software.[1]
Enterprise T1049 System Network Connections Discovery

Waterbear can use API hooks on GetExtendedTcpTable to retrieve a table containing a list of TCP endpoints available to the application.[1]

Groups That Use This Software

ID Name References
G0098 BlackTech

[1]

References

  1. Su, V. et al. (2019, December 11). Waterbear Returns, Uses API Hooking to Evade Security. Retrieved February 22, 2021.