Waterbear Modular Malware Campaign Lashes out at Taiwanese Government | Cyware Alerts


Several Taiwanese government entities have recently been hit by a fresh Waterbear campaign. The malware, associated with the BlackTech threat group, was observed reusing leftovers from earlier attacks on the same targets in April 2020 that had never been fully eradicated.

Key features 

According to a report released by CyCraft researchers, the latest Waterbear samples add capabilities that allow the Waterbear loader to deploy additional malicious payloads. 
  • The campaign abused a vulnerability in a common and trusted Data Loss Prevention (DLP) tool: through DLL hijacking, the Waterbear loader was loaded inside the trusted DLP process, from where it stealthily triggered the next-stage malware.
  • Using Heaven's Gate, a decade-old antivirus evasion technique in which a 32-bit process switches itself into 64-bit mode and calls the operating system directly, skipping the user-mode hooks that security products place in the 32-bit (WoW64) layer, the attackers hid Waterbear's network behavior from security engines.
  • The attackers also inflated the binary size so that scanners which skip files above a size threshold would not examine it at all, forced DLLs to unload to hinder analysis of the malware, and padded memory with Kernel32 content to confuse analysts.
  • The threat actor abused the Windows IKEEXT service and other system services, namely Winmgmt, System Event Notification Service (SENS), Wuauserv, and LanmanServer, in the attack chain.
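As an added check (not part of the CyCraft report or of the original alert), the PowerShell script below hunts for DLL hijacking in the service hosts named above. It looks up the process behind each listed service and reports any module loaded into it that either lives outside the Windows system directories or does not carry a valid Authenticode signature from a Microsoft certificate. The service list, the trusted-directory list and the "O=Microsoft Corporation" subject match are illustrative assumptions; it has to run from an elevated 64-bit PowerShell session.

```powershell
# Added example (not from the report): hunt for DLL hijacking in the service
# hosts the alert names. Assumptions: elevated 64-bit PowerShell; a module is
# "suspicious" if it lives outside the Windows system directories or lacks a
# valid Authenticode signature whose subject names Microsoft Corporation.
$services    = 'IKEEXT', 'Winmgmt', 'SENS', 'wuauserv', 'LanmanServer'
$trustedDirs = "$env:SystemRoot\System32\", "$env:SystemRoot\SysWOW64\", "$env:SystemRoot\WinSxS\"

function Test-ServiceModules {
    param([string[]]$ServiceNames, [string[]]$TrustedDirs)

    foreach ($name in $ServiceNames) {
        $svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='$name'"
        if (-not $svc -or $svc.ProcessId -eq 0) {
            Write-Verbose "[$name] not running; nothing to inspect"
            continue
        }
        # Several services can share one svchost.exe, so a hit may belong to a
        # co-hosted service; the ProcessId column tells you which host to pull.
        $proc = Get-Process -Id $svc.ProcessId -ErrorAction SilentlyContinue
        if (-not $proc) { continue }

        foreach ($module in $proc.Modules) {
            $path = $module.FileName
            $inTrustedDir = [bool]($TrustedDirs | Where-Object { $path.StartsWith($_, 'OrdinalIgnoreCase') })

            # Get-AuthenticodeSignature validates embedded and (on Windows 8+)
            # catalog signatures. On hosts that cannot check catalogs, genuine OS
            # binaries show up as NotSigned: treat those rows as review items.
            $sig      = Get-AuthenticodeSignature -FilePath $path
            $signer   = $sig.SignerCertificate.Subject
            $msSigned = ($sig.Status -eq 'Valid') -and ($signer -like '*O=Microsoft Corporation*')

            if (-not $inTrustedDir -or -not $msSigned) {
                [pscustomobject]@{
                    Service   = $name
                    ProcessId = $svc.ProcessId
                    Module    = $path
                    InSysDir  = $inTrustedDir
                    SigStatus = $sig.Status
                    Signer    = $signer
                }
            }
        }
    }
}

Test-ServiceModules -ServiceNames $services -TrustedDirs $trustedDirs | Format-Table -AutoSize
```

A hijacked DLL dropped into System32 or into a directory on the PATH will still be reported because of the signature test, which is why the path check alone is not enough. Expect a few benign rows from third-party products that legitimately inject into service hosts; baseline those once and alert on anything new.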

BlackTech’s recent targets

BlackTech, also known as the Palmerworm group, is known to target technology companies and government entities across Taiwan, Japan, and Hong Kong.

  • In September, the group used a brand-new suite of custom malware to target organizations in the media, construction, engineering, electronics, and finance sectors in Japan, Taiwan, the U.S., and China.
  • In August, BlackTech targeted at least ten government agencies; around 6,000 email accounts of government officials were compromised to steal sensitive data from the Taiwanese government and technology companies.

Preventative solutions

With better stealth capabilities, malware campaigns are more likely to succeed. Experts advise adding the IOCs listed in the report to blocklists in detection and response solutions. Organizations and users are recommended to use firewalls, antivirus, and DLP solutions, as well as AI-driven detection and response solutions to increase SOC efficiency, automate investigations, and reduce alert fatigue. Since this campaign abused a trusted DLP tool as its DLL-hijacking host, such products should themselves be included in integrity monitoring rather than treated as implicitly trusted.


