Waterbear

Waterbear is modular malware attributed to BlackTech that has been used primarily for lateral movement, decrypting, and triggering payloads and is capable of hiding network behaviors.[1]

ID: S0579
Type: MALWARE
Platforms: Windows
Version: 1.2
Created: 22 February 2021
Last Modified: 10 April 2024

Techniques Used

Domain ID Name Use
Enterprise T1140 Deobfuscate/Decode Files or Information

Waterbear has the ability to decrypt its RC4 encrypted payload for execution.[1]

Enterprise T1574 .002 Hijack Execution Flow: DLL Side-Loading

Waterbear has used DLL side loading to import and load a malicious DLL loader.[1]

Enterprise T1562 .006 Impair Defenses: Indicator Blocking

Waterbear can hook the ZwOpenProcess and GetExtendedTcpTable APIs called by the process of a security product to hide PIDs and TCP records from detection.[1]

Enterprise T1105 Ingress Tool Transfer

Waterbear can receive and load executables from remote C2 servers.[1]

Enterprise T1112 Modify Registry

Waterbear has deleted certain values from the Registry to load a malicious DLL.[1]

Enterprise T1106 Native API

Waterbear can leverage API functions for execution.[1]

Enterprise T1027 .005 Obfuscated Files or Information: Indicator Removal from Tools

Waterbear can scramble functions not to be executed again with random values.[1]

.013 Obfuscated Files or Information: Encrypted/Encoded File

Waterbear has used RC4 encrypted shellcode and encrypted functions.[1]

Enterprise T1057 Process Discovery

Waterbear can identify the process for a specific security product.[1]

Enterprise T1055 Process Injection

Waterbear can inject decrypted shellcode into the LanmanServer service.[1]

.003 Thread Execution Hijacking

Waterbear can use thread injection to inject shellcode into the process of security software.[1]

Enterprise T1012 Query Registry

Waterbear can query the Registry key "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MSDTC\MTxOCI" to see if the value OracleOcilib exists.[1]

Enterprise T1518 .001 Software Discovery: Security Software Discovery

Waterbear can find the presence of a specific security software.[1]

Enterprise T1049 System Network Connections Discovery

Waterbear can use API hooks on GetExtendedTcpTable to retrieve a table containing a list of TCP endpoints available to the application.[1]

Groups That Use This Software

ID Name References
G0098 BlackTech

[1]

References