'Waterbear' Employs API Hooking to Hide Malicious Behavior

Discussion in 'malware problems & news' started by mood, Dec 13, 2019.

  1. mood

    mood Updates Team

    Joined:
    Oct 27, 2012
    Posts:
    33,336
    'Waterbear' Employs API Hooking to Hide Malicious Behavior
    December 13, 2019
    https://www.securityweek.com/waterbear-employs-api-hooking-hide-malicious-behavior
    Trend Micro: Waterbear is Back, Uses API Hooking to Evade Security Product Detection
     
  2. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    13,027
    Location:
    The Netherlands
    But isn't it true that in order to use API hooking, you first need to perform code injection? So if security tools can block this, they can also stop the API hooking part. Or better yet, Windows should make it harder to perform API hooking; only "trusted" security tools should be able to do this. Similar to how they protected the kernel with PatchGuard.
     
  3. mood

    mood Updates Team

    Joined:
    Oct 27, 2012
    Posts:
    33,336
    Waterbear malware used in attack wave against government agencies
    The loader has been launched against a number of Taiwanese government entities
    October 8, 2020

    https://www.zdnet.com/article/waterbear-malware-used-in-attack-wave-against-government-agencies/
     
  4. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    13,027
    Location:
    The Netherlands
    I must admit, this seems to be quite tricky malware; it would be cool to see which AV could block it. And it even uses a flaw in a popular DLP tool; it would be interesting to know which one.

    https://www.comparitech.com/net-admin/data-loss-prevention-tools-software/
     
  5. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,044
    Location:
    U.S.A.
    Based on the IOC hash of the first stage backdoor, most AVs detect it at VT. As noted in the TrendMicro detailed analysis, if the first stage backdoor is blocked, the attack thereafter is "kaput."
     
  6. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    13,027
    Location:
    The Netherlands
    Correct, but it would be interesting to see which AV could block it in stage 2, purely by behavior blocking.
     
  7. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    2,869
    Location:
    Canada
    In the case of Waterbear, I think if the legitimate EXE is stopped from launching the DLL loader, or further along the chain, if the shellcode is prevented from injecting into the svchost.exe process, then the attack should be stopped. I'm guessing, but certainly not sure, that a properly configured HIPS should be able to address both stages along the chain.
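    The thread turns on two points: Rasheed187's observation in post #2 that user-mode API hooking means writing into the target's code, and wat0114's point above that a HIPS or memory scanner should be able to catch the injected stage. The following is an added example (not code from the thread, from SecurityWeek, or from Trend Micro's Waterbear analysis) of the check such a scanner makes: it compares the first bytes of an exported function as they sit in the module on disk with the bytes mapped into a process, and classifies the common x86-64 detour encodings that inline hooking leaves over the prologue. The function names are real NT API names used only as labels; every address, byte string and hook target is constructed for the example.

```python
"""
Added example (not from the thread or Trend Micro's Waterbear writeup): a minimal
inline-hook check of the kind a HIPS or memory scanner performs. It compares the
on-disk prologue of an exported function with the copy mapped into a process and
classifies the detour patterns that user-mode API hooking writes over it.
All addresses and byte strings here are constructed sample data.
"""
import struct
from dataclasses import dataclass
from typing import List, Optional, Tuple

PROLOGUE_LEN = 16   # bytes compared; typical detours overwrite 5 to 12 bytes
MASK64 = 0xFFFFFFFFFFFFFFFF


@dataclass
class HookFinding:
    function: str
    kind: str               # detour pattern name, or "unknown_patch"
    target: Optional[int]   # where the detour goes, when it can be resolved
    first_diff: int         # offset of the first byte that differs from disk


def _classify(mem: bytes, func_addr: int) -> Tuple[str, Optional[int]]:
    """Recognise common x86-64 detour encodings at the start of a prologue."""
    # E9 rel32: JMP to func_addr + 5 + rel32 (the usual 5-byte trampoline)
    if len(mem) >= 5 and mem[0] == 0xE9:
        rel = struct.unpack_from("<i", mem, 1)[0]
        return "jmp_rel32", (func_addr + 5 + rel) & MASK64
    # FF 25 disp32: JMP [RIP+disp32]; what we resolve is the pointer slot,
    # the final destination is whatever value that slot holds
    if len(mem) >= 6 and mem[:2] == b"\xFF\x25":
        disp = struct.unpack_from("<i", mem, 2)[0]
        return "jmp_rip_indirect_slot", (func_addr + 6 + disp) & MASK64
    # 68 imm32 C3: PUSH imm32; RET
    if len(mem) >= 6 and mem[0] == 0x68 and mem[5] == 0xC3:
        return "push_ret", struct.unpack_from("<I", mem, 1)[0]
    # 48 B8 imm64 FF E0: MOV RAX, imm64; JMP RAX (12-byte absolute detour)
    if len(mem) >= 12 and mem[:2] == b"\x48\xB8" and mem[10:12] == b"\xFF\xE0":
        return "mov_rax_jmp_rax", struct.unpack_from("<Q", mem, 2)[0]
    return "unknown_patch", None


def check_prologue(name: str, func_addr: int, disk: bytes, mem: bytes) -> Optional[HookFinding]:
    """Return a finding if the in-memory prologue differs from the on-disk one."""
    disk, mem = disk[:PROLOGUE_LEN], mem[:PROLOGUE_LEN]
    if disk == mem:
        return None
    first_diff = next((i for i, (a, b) in enumerate(zip(disk, mem)) if a != b),
                      min(len(disk), len(mem)))
    kind, target = _classify(mem, func_addr)
    return HookFinding(name, kind, target, first_diff)


def scan_module(table) -> List[HookFinding]:
    """Check each (name, address, disk_bytes, mem_bytes) entry; return only the findings."""
    findings = []
    for name, addr, disk, mem in table:
        finding = check_prologue(name, addr, disk, mem)
        if finding is not None:
            findings.append(finding)
    return findings


# Constructed sample data: a syscall-style stub as it would appear on disk
# (mov r10, rcx; mov eax, 0x3f; syscall; ret; nop) plus two hooked copies.
DISK_STUB = bytes.fromhex("4C8BD1B83F0000000F05C30F1F440000")
FUNC_ADDR = 0x7FFA12340000          # constructed load address of the first stub
ADDR_NTWVM = FUNC_ADDR + 0x20       # constructed address of the second stub
HOOK_TARGET = 0x7FFA20000000        # constructed address the detour lands on


def _constructed_jmp_rel32_hook(func_addr: int, target: int, original: bytes) -> bytes:
    """Build the bytes a 5-byte JMP detour would leave in memory (sample data only)."""
    rel = target - (func_addr + 5)
    return b"\xE9" + struct.pack("<i", rel) + original[5:]


HOOKED_JMP = _constructed_jmp_rel32_hook(ADDR_NTWVM, HOOK_TARGET, DISK_STUB)
HOOKED_PUSH_RET = b"\x68\x78\x56\x34\x12\xC3" + DISK_STUB[6:]

SAMPLE_TABLE = [
    ("NtOpenProcess",        FUNC_ADDR,        DISK_STUB, DISK_STUB),        # clean
    ("NtWriteVirtualMemory", ADDR_NTWVM,       DISK_STUB, HOOKED_JMP),       # detoured
    ("NtCreateThreadEx",     FUNC_ADDR + 0x40, DISK_STUB, HOOKED_PUSH_RET),  # detoured
]

if __name__ == "__main__":
    for f in scan_module(SAMPLE_TABLE):
        tgt = f"0x{f.target:X}" if f.target is not None else "?"
        print(f"{f.function}: {f.kind} -> {tgt} (first diff at +{f.first_diff})")
```

    In a real scanner the `disk` bytes come from the module's file image mapped with the same relocations applied, and the `mem` bytes from the live process, so that legitimate differences (relocation fixups, a security product's own documented hooks) can be allow-listed before anything is flagged; the comparison and classification logic stays the same.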
     