Advanced Shell Code – A Use Case of BlackTech-Associated BendyBear

APT attack

In August 2020, Taiwan’s Ministry of Justice Investigation Bureau published a report on an APT attack involving malicious C2 shellcode with more advanced features. The attack used BendyBear as a stager intended to download a more robust implant from a command and control (C2) server. It is considered the most sophisticated, well-engineered, and difficult to detect shellcode employed by an Advanced Persistent Threat (APT). It uses its large size (10 000 bytes and more) to implement advanced features that are not present in other shellcodes. BendyBear's larger size also facilitates anti-analysis techniques, including modifying RC4 encryption, verifying signature blocks, and displaying polymorphic behavior. This APT attack was tied to the APT BlackTech.

How BendyBear Works

STEP I – COMPROMISES DNS CACHE

To communicate with the C2 server undetected, BendyBear clears the host’s DNS cache, which holds the domain identification of all computers, services, and other resources connected to the network. This forces the host to resolve the current IP associated with the C2 domain. It enables the attackers, who own the domain, to update the IP and maintain communication, as the network infrastructure is compromised in the APT attack.

STEP II – GENERATE PACKET REQUEST

After taking over the network, the stager generates a challenge request packet comprising 10 bytes of data and sends it to the C2 server. Upon receiving the challenge request packet, the C2 server decrypts it to obtain the size of data and session keys requested by the stager. The session keys are used to build the RC4 Key Scheduling Algorithm (KSA) and as an XOR key for encryption and decryption.

STEP III – CHALLENGE-RESPONSE HEADER AND AUTHENTICATION

The server then constructs a 10-byte server challenge-response header and computes the final authentication key, which is sent to the stager to complete the authentication process. After completing the authentication process, the C2 server prepares, encrypts, and sends the payload download command to the stager in chunks. The maximum size of a payload chunk accepted by the stager is 4086 bytes.

STEP IV – PAYLOAD DOWNLOAD

On receiving the chunk, the stager removes its command header and decrypts the payload in chunk memory. The stager then performs basic checks to ensure that the payload conforms to a Windows executable. If all the checks are valid, the stager executes direct memory loading.
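A defender-side view of Steps I to IV, added here as an example and not taken from the report or from BendyBear itself: it correlates, per process, a DNS cache flush, a fresh lookup, a 10-byte request and a 10-byte reply, then counts following chunks of at most 4086 bytes. The event schema, process names, domains, allowlist and 30-second window are constructed assumptions.

```python
WINDOW = 30.0      # assumed tuning value: seconds allowed from flush to reply
HEADER_LEN = 10    # size of the challenge request and response header (from the article)
MAX_CHUNK = 4086   # largest payload chunk the stager accepts (from the article)
FLUSH_ALLOWLIST = {"ipconfig.exe"}  # assumed: tooling expected to flush the cache
EXPECT = {"flushed": ("dns_query", "resolved"),
          "resolved": ("net_send", "challenged"),
          "challenged": ("net_recv", "authenticated")}

# Constructed events, hypothetical schema: (timestamp_s, pid, image, event_type, detail)
EVENTS = [
    (100.0, 412, "ipconfig.exe", "dns_cache_flush", None),
    (200.0, 3388, "host_process.exe", "dns_cache_flush", None),
    (200.4, 3388, "host_process.exe", "dns_query", "c2.example.test"),
    (200.9, 3388, "host_process.exe", "net_send", 10),
    (201.2, 3388, "host_process.exe", "net_recv", 10),
    (201.8, 3388, "host_process.exe", "net_recv", 4086),
    (300.0, 5120, "updater.exe", "dns_cache_flush", None),
    (300.3, 5120, "updater.exe", "dns_query", "cdn.example.test"),
    (300.6, 5120, "updater.exe", "net_send", 517),
]

def detect_stager_handshake(events, window=WINDOW):
    """Return one finding per process that flushes the DNS cache, resolves a
    name, then sends 10 bytes and receives 10 bytes, in that strict order."""
    state, findings = {}, []
    for ts, pid, image, etype, detail in sorted(events, key=lambda e: e[0]):
        if etype == "dns_cache_flush":
            if image.lower() not in FLUSH_ALLOWLIST:
                state[pid] = {"pid": pid, "image": image, "t0": ts,
                              "stage": "flushed", "domain": None, "chunks": 0}
            continue
        s = state.get(pid)
        if s is None:
            continue
        if s["stage"] == "authenticated":  # count download chunks after the handshake
            if etype == "net_recv" and 0 < detail <= MAX_CHUNK:
                s["chunks"] += 1
            continue
        want, nxt = EXPECT[s["stage"]]
        size_ok = etype == "dns_query" or detail == HEADER_LEN
        if ts - s["t0"] > window or etype != want or not size_ok:
            del state[pid]  # too slow, out of order, or not a 10-byte header
            continue
        s["stage"] = nxt
        if etype == "dns_query":
            s["domain"] = detail
        if nxt == "authenticated":
            findings.append(s)
    return findings
```

The strict ordering keeps the example short; a production rule would tolerate unrelated events interleaved between the stages.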

BendyBear Breaching C2 Server

X-PHY AI Embedded Cyber Secure SSD

BendyBear is an advanced shellcode with features that are not present in other types of shellcodes, making it technically sophisticated and hard to detect, thus perfect for an APT attack. The developers used byte manipulation and cryptographic routines to achieve a high level of technical sophistication. They also used signature block verification and anti-analysis techniques to evade detection. As such, BendyBear can bypass software security and execute database cloning without detection. This is where the X-PHY AI Embedded Cyber Secure SSD comes in. The X-PHY SSD features work together to detect the APT attack and halt any attempt to clone the database illegally.

DETECTION OF MALICIOUS ACTIVITY

Guardian Pro-X and Security Scout features within the X-Guard Threat Lock use AI at the firmware level to detect malicious behavior characteristics like illegal data cloning. The module monitors the stager’s instructions to the C2 server and retrieves the content of the first Logical Block Address (LBA 0) targeted by the stager. Using the content retrieved from the LBA 0, the trained neural network in the module identifies all the server’s target LBAs and gets ready to monitor them.

The module mirrors the instructions sent to the target addresses by the host and the content of all the LBAs. The trained neural network uses the mirrored instructions and contents to determine whether the activity is malicious or not. This is achieved by comparing read/write/overwrite access requested by the stager against the average read/write/overwrite access indicated in the master boot records, master file tables, boot sectors, or parameter blocks of file systems associated with the operating systems or the secondary storage operations.

Detection of Malicious Activity

PREVENTION OF MALICIOUS ACTIVITY

When it is determined that there is an attempt to illegally clone the data, the X-Factor Encryption lock feature responds by triggering data lockdown to prevent the stager from accessing it and immediately activates the Keycode 2-factor. X-PHY enters safe mode and asks for a password to complete the 2-factor authentication. At this point, multiple unique keys must be provided to gain access to data. Otherwise, data remains locked, preventing malicious cloning. This way, X-PHY combats many attacks involving data theft, including an APT attack.

Data Locking to Prevent Cloning
