‘Waterbear’ Employs API Hooking to Hide Malicious Behavior

The long-standing Waterbear campaign has returned with new evasion capabilities, employing API hooking techniques to hide its network behavior from security products, Trend Micro reports.

Waterbear has been associated with the BlackTech cyberespionage group, which ESET observed earlier this year abusing an ASUS update process to deliver malware. Waterbear is mainly characterized by the use of modular malware and the ability to add functionality remotely.

A new Waterbear campaign, Trend Micro’s security researchers explain, has revealed the use of API hooking to hide network behavior from a specific security vendor that is based in the APAC region, in line with BlackTech’s targeted countries.

The use of this technique shows that the attackers are familiar with how certain security products harvest information and also suggests that the technique might be used to target other products as well in the future.

Waterbear uses a DLL loader to decrypt and execute an RC4-encrypted payload that is normally a first-stage backdoor capable of fetching and running other payloads. These backdoors either connect to a command and control (C&C) server or listen on a specific port.

In some attacks, the hardcoded file paths of the encrypted payloads suggest that the attackers have knowledge of their targets’ environments and Trend Micro believes that Waterbear might be used to maintain presence after gaining access to the targets’ systems.

Two different DLL loader triggers were observed in Waterbear infections, one altering a legitimate server application to import and load the loader, and another employing phantom DLL hijacking and DLL side loading.

After execution, the Waterbear DLL loader searches for a hardcoded path and attempts to decrypt the corresponding payload, a piece of encrypted shellcode that is then injected into a legitimate Windows service — LanmanServer, which is run by svchost.exe.

The payload encrypts its function blocks before executing the malicious routine to avoid in-memory scanning. It decrypts each function only when it is needed and re-encrypts it afterwards. Functions that are no longer needed for the rest of the execution are scrambled by a separate "mess-up" routine.

In a recent attack, two payloads were loaded, including one to inject code into a specific security product and hide the backdoor, a technique new to Waterbear. The other payload was the typical first-stage backdoor associated with the threat.

Both payloads were stored encrypted on disk and injected into the same service. The loader would terminate the infection if it did not find the first payload or if the security product's executable was not present. If loaded, the second backdoor is executed even when the API hooking was not performed.

To hide the behavior of the first-stage backdoor, two different APIs are hooked. The payload modifies the functions in the memory of the security product process and does not disable the functions, which results in the targeted security product working normally, thus making detection more difficult.

“This is the first time we’ve seen Waterbear attempting to hide its backdoor activities. By the hardcoded product name, we infer that the attackers are knowledgeable of the victims’ environment and which security product(s) they use. The attackers might also be familiar with how security products gather information on their clients’ endpoints and networks, so that they know which APIs to hook,” Trend Micro concludes.

Related: Hackers Exploit ASUS Update Process to Install Backdoor

Related: Hackers Using Stolen D-Link Certificates for Malware Signing

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
