'Waterbear' Employs API Hooking to Hide Malicious Behavior

Discussion in 'malware problems & news' started by mood, Dec 13, 2019.

  1. mood (Updates Team)
    'Waterbear' Employs API Hooking to Hide Malicious Behavior
    December 13, 2019
    https://www.securityweek.com/waterbear-employs-api-hooking-hide-malicious-behavior
    Trend Micro: Waterbear is Back, Uses API Hooking to Evade Security Product Detection
     
  2. Rasheed187 (Registered Member, The Netherlands)
    But isn't it true that in order to use API hooking, you first need to perform code injection? So if security tools can block this, they can also stop the API hooking part. Or better yet, Windows should make it harder to perform API hooking; only "trusted" security tools should be able to do this. Similar to how they protected the kernel with PatchGuard.
     
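The post above discusses API hooking from the attacker's side. The block below is an added example, not code from the thread or from the Trend Micro report: it shows the defender's side, the core of an inline-hook scanner of the kind a security product runs over its own exported APIs to notice that their first instructions have been redirected. The export names, base address and prologue bytes are constructed for the example, and the on-disk bytes are assumed to already have relocations applied (a real scanner must do that before comparing).

```python
"""Added example (not code from the thread or the Trend Micro report): the
core of an inline-hook scanner, the check a security product runs over its
own exported APIs to notice that their first instructions have been
redirected. Export names, addresses and prologue bytes are constructed."""
from __future__ import annotations
import struct
from dataclasses import dataclass
from typing import Optional

PROLOGUE_LEN = 16            # bytes compared between the mapped image and the on-disk copy
_U64 = (1 << 64) - 1


@dataclass(frozen=True)
class Hook:
    export: str
    kind: str                # trampoline shape, or "modified_prologue" if unrecognised
    target: Optional[int]    # where the patched prologue transfers control, if decodable


def decode_redirect(addr: int, code: bytes) -> Optional[tuple[str, int]]:
    """Recognise the x64 trampolines hook engines write over a prologue.
    `addr` is the virtual address of the first byte of `code`."""
    if code[:1] == b"\xe9":                                      # JMP rel32
        rel = struct.unpack_from("<i", code, 1)[0]
        return "jmp_rel32", (addr + 5 + rel) & _U64
    if code[:2] == b"\xff\x25":                                  # JMP [RIP+disp32]
        disp = struct.unpack_from("<i", code, 2)[0]
        return "jmp_rip_indirect", (addr + 6 + disp) & _U64      # address of the pointer slot
    if code[:2] == b"\x48\xb8" and code[10:12] == b"\xff\xe0":   # MOV RAX, imm64; JMP RAX
        return "mov_rax_jmp", struct.unpack_from("<Q", code, 2)[0]
    if code[:1] == b"\x68" and code[5:6] == b"\xc3":             # PUSH imm32; RET
        return "push_ret", struct.unpack_from("<I", code, 1)[0]
    return None


def check_export(name: str, addr: int, in_memory: bytes, on_disk: bytes) -> Optional[Hook]:
    """Flag an export whose live prologue is a known trampoline, or simply no
    longer matches the on-disk image (assumes relocations were already applied
    to `on_disk`; a real scanner must do that before comparing)."""
    redirect = decode_redirect(addr, in_memory)
    if redirect:
        return Hook(name, redirect[0], redirect[1])
    if in_memory[:PROLOGUE_LEN] != on_disk[:PROLOGUE_LEN]:
        return Hook(name, "modified_prologue", None)
    return None


def scan(exports: dict[str, tuple[int, bytes, bytes]]) -> list[Hook]:
    """exports maps name -> (address, bytes read from the process, bytes from the file)."""
    hits = []
    for name, (addr, mem, disk) in exports.items():
        hook = check_export(name, addr, mem, disk)
        if hook:
            hits.append(hook)
    return hits


# Constructed prologues. CLEAN has the shape of an ntdll Nt* stub (mov r10, rcx; mov eax, N; ...).
CLEAN = bytes.fromhex("4C8BD1B826000000F604250803FE7F01")
BASE = 0x7FFB1A2B3C40                                   # assumed address of the first export
JMP_HOOKED = b"\xe9\x56\x34\x12\x00" + CLEAN[5:]        # JMP +0x123456 written over the stub
MOVJMP_HOOKED = (b"\x48\xb8" + (0x7FFB20000000).to_bytes(8, "little")
                 + b"\xff\xe0" + CLEAN[12:])            # MOV RAX, imm64; JMP RAX
INT3_PATCHED = b"\xcc" + CLEAN[1:]                      # first byte replaced, no trampoline shape

SAMPLE_EXPORTS = {
    "NtOpenProcess":            (BASE,          JMP_HOOKED,    CLEAN),
    "GetExtendedTcpTable":      (BASE + 0x1000, MOVJMP_HOOKED, CLEAN),
    "NtQuerySystemInformation": (BASE + 0x2000, INT3_PATCHED,  CLEAN),
    "NtClose":                  (BASE + 0x3000, CLEAN,         CLEAN),
}

if __name__ == "__main__":
    for h in scan(SAMPLE_EXPORTS):
        where = f"-> 0x{h.target:X}" if h.target is not None else ""
        print(f"{h.export}: {h.kind} {where}")
```

The scan cannot tell who wrote the trampoline: a hook planted by a product's own injected DLL and one planted by a payload that was injected first look identical from inside the process, which is why the comparison against the on-disk image is paired with a list of expected hook targets in practice.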
  3. mood (Updates Team)
    Waterbear malware used in attack wave against government agencies
    The loader has been launched against a number of Taiwanese government entities
    October 8, 2020

    https://www.zdnet.com/article/waterbear-malware-used-in-attack-wave-against-government-agencies/
     
  4. Rasheed187 (Registered Member, The Netherlands)
    I must admit, this seems to be quite tricky malware; would be cool to see which AV could block them. And it even uses a flaw in a popular DLP tool, would be interesting to know which one.

    https://www.comparitech.com/net-admin/data-loss-prevention-tools-software/
     
  5. itman (Registered Member, U.S.A.)
    Based on the IOC hash of the first stage backdoor, most AVs detect it at VT. As noted in the TrendMicro detailed analysis, if the first stage backdoor is blocked, the attack thereafter is "kaput."
     
  6. Rasheed187 (Registered Member, The Netherlands)
    Correct, but it would be interesting to see which AV could block it in stage 2, purely by behavior blocking.
     
  7. wat0114 (Registered Member, Canada)
    In the case of Waterbear, I think if the legitimate EXE is stopped from launching the DLL loader, or further along the chain, if the shellcode is prevented from injecting into the svchost.exe process, then the attack should be stopped. I'm guessing, but certainly not sure, that a properly configured HIPS should be able to address both stages along the chain.
     
  8. Rasheed187 (Registered Member, The Netherlands)
    Well, the most dangerous part seems to be the DLL hijacking trick, because that's how svchost.exe is infected, it's not done by direct code injection. Strangely enough not a lot of security tools are monitoring this. Online Armor did do this in the past, but currently only HMPA monitors this.
     
  9. wat0114 (Registered Member, Canada)
    If you are referring to the "Phantom DLL hijacking" that occurs near the very beginning of the infection chain, then that should easily be stopped by a HIPS, because - assuming I properly understand what's going on in the infection chain - it's a legitimate .EXE (LOLBin, I guess??) attempting to launch it.

    https://www.trendmicro.com/en_us/research/19/l/waterbear-is-back-uses-api-hooking-to-evade-security-product-detection.html

    Note: I took the link from post #1 in this thread.

    BTW, I do have monitoring of "interprocess memory access" enabled for svchost.exe in my setup. This monitors against outside processes attempting to modify svchost's memory space.

    EDIT:

    actually I have that setting enabled for all LOLBins I could find, taken from the list at:

    https://github.com/api0cradle/LOLBAS/blob/master/LOLBins.md
     
    Last edited: Oct 24, 2020
  10. Rasheed187 (Registered Member, The Netherlands)
    I also didn't understand everything, but if it's launched by a LOLBin then yes it should be stopped. However, I don't believe that monitoring "interprocess memory access" will protect against DLL Hijacking, because it's not "direct" code injection.
     