BendyBear malware is ‘exceptionally difficult to detect’

9 Feb 2021

Image: © photolas/

Palo Alto Networks has released new research on what it believes to be one of the most sophisticated pieces of Chinese malware to date.

Today (9 February) the Palo Alto Networks threat intelligence team, Unit 42, released new research on a “highly sophisticated” piece of malware.

BendyBear is said to be a variant of WaterBear, a campaign that uses modular malware and has been active since 2009. According to previous analysis by Trend Micro, WaterBear is a multifaceted implant capable of file transfer, shell access, screen capture and much more.

The malware is associated with BlackTech, a cyberespionage group that mainly targets technology companies and government agencies in east Asia.

According to Unit 42, BendyBear is “one of the most sophisticated pieces of Chinese malware discovered to date”. It is able to evade detection by constantly changing its appearance and using a modified encryption algorithm.

The research team found that BendyBear loads payloads directly into memory and not on a disk. This means it doesn’t leave behind traditional fingerprints for threat researchers and security products to find, making it “exceptionally difficult to detect”.

The malware has other means of avoiding detection, including by explicitly checking its environment for signs of debugging, using position-independent code to throw off static analysis tools, and generating unique session keys for each connection to the command-and-control (C2) server.

The team reported that the malware is “highly malleable and highly sophisticated” with more than 10,000 bytes of machine code.

The BendyBear sample was determined to be x64 shellcode for a stage-zero implant to download a more robust implant from a C2 server. Shellcode is used to describe the small piece of code loaded onto the target immediately following exploitation, regardless of whether it actually spawns a command shell.

With more than 10,000 bytes, the Unit 42 team noted that BendyBear is larger than most and uses its size to implement advanced features and anti-analysis techniques, such as modified RC4 encryption, signature block verification and polymorphic code.

The team said it is releasing indicators of compromise and other data to help organisations determine if they’ve been compromised by BendyBear and block future attacks.

Unit 42 said that while it released the research in the hope of making BendyBear a less potent tool for cyberespionage, it warned that organisations must remain vigilant against attackers.

Jenny Darmody is the editor of Silicon Republic