win.waterbear

Waterbear

aka: DbgPrint, EYEWELL

Actor(s): BlackTech


Waterbear, also known as DbgPrint after the export function seen in its earlier samples, has been active since 2009. The malware is presumably developed by the BlackTech APT group and combines advanced anti-analysis techniques with a forward-thinking design: a sophisticated shellcode stager, the ability to load plugins on the fly, and overall evasiveness should the C2 server fail to respond with a valid session key.

References
Stealth Mode: Chinese Cyber Espionage Actors Continue to Evolve Tactics to Avoid Detection
Mandiant Intelligence, Mandiant, 2023-07-18
https://www.mandiant.com/resources/blog/chinese-espionage-tactics
Related families: BPFDoor, SALTWATER, SEASPY, SideWalk, ZuoRAT, Daxin, HyperBro, HyperSSL, Waterbear
@online{intelligence:20230718:stealth:789e8b1, author = {Mandiant Intelligence}, title = {{Stealth Mode: Chinese Cyber Espionage Actors Continue to Evolve Tactics to Avoid Detection}}, date = {2023-07-18}, organization = {Mandiant}, url = {https://www.mandiant.com/resources/blog/chinese-espionage-tactics}, language = {English}, urldate = {2023-07-19} }

Mem2Img: Memory-Resident Malware Detection via Convolution Neural Network
Aragorn Tseng, Charles Li, YouTube (Black Hat), 2021-09-01
https://www.youtube.com/watch?v=6SDdUVejR2w
Related families: Cobalt Strike, PlugX, Waterbear
@online{tseng:20210901:mem2img:7817a5d, author = {Aragorn Tseng and Charles Li}, title = {{Mem2Img: Memory-Resident Malware Detection via Convolution Neural Network}}, date = {2021-09-01}, organization = {YouTube (Black Hat)}, url = {https://www.youtube.com/watch?v=6SDdUVejR2w}, language = {English}, urldate = {2021-09-12} }

Mem2Img: Memory-Resident Malware Detection via Convolution Neural Network
Aragorn Tseng, Charles Li, TEAMT5, 2021-05-07
https://i.blackhat.com/asia-21/Friday-Handouts/as-21-Tseng-Mem2Img-Memory-Resident-Malware-Detection-via-Convolution-Neural-Network.pdf
Related families: Cobalt Strike, PlugX, Waterbear
@techreport{tseng:20210507:mem2img:494799d, author = {Aragorn Tseng and Charles Li}, title = {{Mem2Img: Memory-Resident Malware Detection via Convolution Neural Network}}, date = {2021-05-07}, institution = {TEAMT5}, url = {https://i.blackhat.com/asia-21/Friday-Handouts/as-21-Tseng-Mem2Img-Memory-Resident-Malware-Detection-via-Convolution-Neural-Network.pdf}, language = {English}, urldate = {2021-09-12} }

Waterbear malware used in attack wave against government agencies
Charlie Osborne, ZDNet, 2020-10-08
https://www.zdnet.com/article/waterbear-malware-used-in-attack-wave-against-government-agencies/
Related families: Waterbear
@online{osborne:20201008:waterbear:9d810b3, author = {Charlie Osborne}, title = {{Waterbear malware used in attack wave against government agencies}}, date = {2020-10-08}, organization = {ZDNet}, url = {https://www.zdnet.com/article/waterbear-malware-used-in-attack-wave-against-government-agencies/}, language = {English}, urldate = {2021-04-20} }

Investigation Bureau briefing of 08/19 on Chinese intrusions into Taiwanese government agencies (title translated from Chinese)
TeamT5, TEAMT5, 2020-08-19
https://teamt5.org/tw/posts/mjib-holds-briefing-on-chinese-hackers-attacks-on-taiwanese-government-agencies/
Related families: Cobalt Strike, Waterbear
@online{teamt5:20200819:0819:e955419, author = {TeamT5}, title = {{調查局 08/19 公布中國對台灣政府機關駭侵事件說明}}, date = {2020-08-19}, organization = {TEAMT5}, url = {https://teamt5.org/tw/posts/mjib-holds-briefing-on-chinese-hackers-attacks-on-taiwanese-government-agencies/}, language = {Chinese}, urldate = {2021-05-03} }

Evil Hidden in Shellcode: The Evolution of Malware DBGPRINT
CiYi Yu, Aragorn Tseng, TEAMT5, 2020-01-14
https://jsac.jpcert.or.jp/archive/2020/pdf/JSAC2020_2_ycy-aragorn_en.pdf
Related families: Waterbear
@techreport{yu:20200114:evil:20b2d83, author = {CiYi Yu and Aragorn Tseng}, title = {{Evil Hidden in Shellcode: The Evolution of Malware DBGPRINT}}, date = {2020-01-14}, institution = {TEAMT5}, url = {https://jsac.jpcert.or.jp/archive/2020/pdf/JSAC2020_2_ycy-aragorn_en.pdf}, language = {English}, urldate = {2021-04-21} }

Waterbear, a cyber espionage virus, has a new variant with its own anti-virus function
DayDayNews, 2020-01-03
https://daydaynews.cc/zh-tw/technology/297265.html
Related families: Waterbear
@online{daydaynews:20200103:waterbear:b4818c4, author = {DayDayNews}, title = {{Waterbear, a cyber espionage virus, has a new variant with its own anti-virus function}}, date = {2020-01-03}, organization = {DayDayNews}, url = {https://daydaynews.cc/zh-tw/technology/297265.html}, language = {Chinese}, urldate = {2021-04-20} }

Waterbear Returns, Uses API Hooking to Evade Security
Vickie Su, Anita Hsieh, Dove Chiu, Trend Micro, 2019-12-11
https://www.trendmicro.com/en_us/research/19/l/waterbear-is-back-uses-api-hooking-to-evade-security-product-detection.html
Related families: Waterbear
@online{su:20191211:waterbear:3538eb5, author = {Vickie Su and Anita Hsieh and Dove Chiu}, title = {{Waterbear Returns, Uses API Hooking to Evade Security}}, date = {2019-12-11}, organization = {Trend Micro}, url = {https://www.trendmicro.com/en_us/research/19/l/waterbear-is-back-uses-api-hooking-to-evade-security-product-detection.html}, language = {English}, urldate = {2021-04-20} }

There is no YARA signature yet.