'Waterbear' Employs API Hooking to Hide Malicious Behavior
December 13, 2019
https://www.securityweek.com/waterbear-employs-api-hooking-hide-malicious-behavior
Trend Micro: Waterbear is Back, Uses API Hooking to Evade Security Product Detection
But isn't it true that in order to use API hooking, you first need to perform code injection? So if security tools can block this, they can also stop the API hooking part. Or better yet, Windows should make it harder to perform API hooking: only "trusted" security tools should be able to do this, similar to how they protected the kernel with PatchGuard.
Waterbear malware used in attack wave against government agencies
The loader has been launched against a number of Taiwanese government entities
October 8, 2020
https://www.zdnet.com/article/waterbear-malware-used-in-attack-wave-against-government-agencies/
I must admit, this seems to be quite tricky malware; it would be cool to see which AV could block it. And it even uses a flaw in a popular DLP tool, it would be interesting to know which one. https://www.comparitech.com/net-admin/data-loss-prevention-tools-software/
Based on the IOC hash of the first stage backdoor, most AVs detect it at VT. As noted in the Trend Micro detailed analysis, if the first stage backdoor is blocked, the attack thereafter is "kaput."
Correct, but it would be interesting to see which AV could block it in stage 2, purely by behavior blocking.
In the case of Waterbear, I think if the legitimate EXE is stopped from launching the DLL loader, or further along the chain, if the shellcode is prevented from injecting into the svchost.exe process, then the attack should be stopped. I'm guessing, but certainly not sure, that a properly configured HIPS should be able to address both stages along the chain.
Well, the most dangerous part seems to be the DLL hijacking trick, because that's how svchost.exe is infected, it's not done by direct code injection. Strangely enough not a lot of security tools are monitoring this. Online Armor did do this in the past, but currently only HMPA monitors this.
If you are referring to the "Phantom DLL hijacking" that occurs near the very beginning of the infection chain, then that should easily be stopped by a HIPS, because - assuming I properly understand what's going on in the infection chain - it's a legitimate .EXE (LOLBin, I guess??) attempting to launch it. https://www.trendmicro.com/en_us/research/19/l/waterbear-is-back-uses-api-hooking-to-evade-security-product-detection.html Note: I took the link from post #1 in this thread. BTW, I do have monitoring of "interprocess memory access" enabled for svchost.exe in my setup. This monitors against outside processes attempting to modify svchost's memory space. EDIT: actually I have that setting enabled for all LOLBins I could find, taken from the list at: https://github.com/api0cradle/LOLBAS/blob/master/LOLBins.md
I also didn't understand everything, but if it's launched by a LOLBin then yes it should be stopped. However, I don't believe that monitoring "interprocess memory access" will protect against DLL Hijacking, because it's not "direct" code injection.
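The last two posts make a detection point worth showing concretely: a DLL hijack (phantom or otherwise) is the victim process mapping a file itself, so "interprocess memory access" rules never fire, whereas image-load telemetry such as Sysmon Event ID 7 does record it. The script below is an added example written for this thread; it is not code from the thread, from Trend Micro, or from any of the products mentioned. It parses constructed Sysmon-style "Key: Value" records (the sample log, the vendor names and the DLL paths are all made up for illustration) and flags loads where a system binary maps a DLL that is unsigned or sits outside the directories such a binary should load from. The trusted-directory list is an assumption you would tune to your own estate.

```python
# Added example: triage Sysmon Event ID 7 (ImageLoad) records for DLL
# hijacking candidates such as the "phantom DLL" load discussed above.
# The sample records, directory rules and vendor names here are constructed
# for this example and are not taken from the Waterbear analysis.
from dataclasses import dataclass
from pathlib import PureWindowsPath
from typing import List, Optional, Tuple

# Directories a Windows system binary is normally expected to load DLLs from.
# Anything else (ProgramData, user profiles, temp) is typically writable by an
# ordinary user and is where a planted DLL would usually live.
TRUSTED_DIRS = tuple(PureWindowsPath(p) for p in (
    r"C:\Windows\System32",
    r"C:\Windows\SysWOW64",
    r"C:\Windows\WinSxS",
    r"C:\Program Files",
    r"C:\Program Files (x86)",
))
SYSTEM_DIRS = TRUSTED_DIRS[:3]  # where the loading process itself should live


@dataclass
class ImageLoad:
    image: PureWindowsPath         # process that performed the load (Sysmon "Image")
    image_loaded: PureWindowsPath  # DLL that was mapped (Sysmon "ImageLoaded")
    signed: bool                   # Sysmon "Signed" field
    signature_status: str          # Sysmon "SignatureStatus" field


def in_any(path: PureWindowsPath, roots) -> bool:
    """True when `path` lies below one of `roots`; PureWindowsPath compares case-insensitively."""
    return any(root in path.parents for root in roots)


def parse_records(text: str) -> List[ImageLoad]:
    """Parse 'Key: Value' blocks separated by blank lines, keeping only Event ID 7."""
    records = []
    for block in text.strip().split("\n\n"):
        fields = {}
        for line in block.splitlines():
            key, _, value = line.partition(":")  # split at the first colon only
            fields[key.strip()] = value.strip()
        if fields.get("EventID") != "7":
            continue
        records.append(ImageLoad(
            image=PureWindowsPath(fields["Image"]),
            image_loaded=PureWindowsPath(fields["ImageLoaded"]),
            signed=fields.get("Signed", "false").lower() == "true",
            signature_status=fields.get("SignatureStatus", "Unavailable"),
        ))
    return records


def classify(rec: ImageLoad) -> Optional[str]:
    """Return a reason if the load looks like a hijack candidate, else None."""
    loader_is_system = in_any(rec.image, SYSTEM_DIRS)
    dll_trusted = in_any(rec.image_loaded, TRUSTED_DIRS)
    if not dll_trusted and not rec.signed:
        return "unsigned DLL loaded from a user-writable location"
    if not dll_trusted and loader_is_system:
        return "system binary loaded a DLL from outside the trusted directories"
    if dll_trusted and not rec.signed and loader_is_system:
        return "unsigned DLL inside a trusted directory (possible replaced file)"
    return None


def hunt(text: str) -> List[Tuple[str, str, str]]:
    """Return (loader, dll, reason) for every suspicious record in `text`."""
    return [(str(r.image), str(r.image_loaded), reason)
            for r in parse_records(text)
            if (reason := classify(r)) is not None]


# Constructed sample log: one benign system load, one unsigned DLL pulled from
# ProgramData, one benign third-party load, one signed DLL from a user folder,
# and an unrelated Event ID 1 that the parser must ignore.
SAMPLE_LOG = r"""
EventID: 7
Image: C:\Windows\System32\svchost.exe
ImageLoaded: C:\Windows\System32\kernel32.dll
Signed: true
SignatureStatus: Valid

EventID: 7
Image: C:\Windows\System32\svchost.exe
ImageLoaded: C:\ProgramData\ExampleVendor\example.dll
Signed: false
SignatureStatus: Unavailable

EventID: 7
Image: C:\Program Files\ExampleVendor\agent.exe
ImageLoaded: C:\Program Files\ExampleVendor\helper.dll
Signed: true
SignatureStatus: Valid

EventID: 7
Image: C:\Windows\System32\svchost.exe
ImageLoaded: C:\Users\Public\signedhelper.dll
Signed: true
SignatureStatus: Valid

EventID: 1
Image: C:\Windows\System32\cmd.exe
CommandLine: cmd.exe
"""

if __name__ == "__main__":
    for loader, dll, reason in hunt(SAMPLE_LOG):
        print(f"{loader} -> {dll}: {reason}")
```

Note that the second rule deliberately fires even for a signed DLL: a valid signature only says who built the file, not that the system binary was meant to load it from that path. In a real deployment you would feed this from the Sysmon operational log and baseline the expected loads per LOLBin rather than rely on a static directory list.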