2021-02-26
Since I have five children, I have had the privilege of watching “Care Bear” videos and reading Care Bear books to my children when they were knee high to a grasshopper. We have thankfully graduated out of that particular genre. For those who have not had the chance to see it, Care Bears are brightly colored teddy bears that live and play in the clouds. Each has a picture of some sort on its belly indicating the characteristic it demonstrates.
Cheer Bear was cheerful. Champ Bear was a winner. Funshine Bear always had fun, and TenderHeart Bear was loving. You get the point. Today there is a new bear in town called BendyBear. BendyBear is, as you could guess, extremely flexible, but he’s no Care Bear.
BendyBear is a new type of malware sent from a Chinese espionage group called BlackTech. BendyBear is extremely sophisticated malware that detects if a tool is trying to debug it. Anti-virus cannot detect it because it can change its code on the fly and, with it, its digital fingerprint.
Researchers at Palo Alto Networks found that BendyBear loads its additional software directly into memory and does not hit the hard drive. This makes it exceptionally difficult to detect. If it were a Care Bear, they might give him the nickname of Camouflage Bear or Chameleon Bear. It hides extremely well. So well that even if you are looking for it, you likely won’t find it.
To better understand this type of malware and how troublesome it is, think of this scenario. It’s a beautiful August afternoon just after a nice monsoon shower. You open the patio door to grill dinner and a fly comes into the house. This is a pesky fly, so you pick up a fly swatter. In order to get rid of this pest, it needs to land on a flat surface so you can swat it. It is fast and you can’t see it, but you can hear it. It constantly evades you because it never lands. It just buzzes around your head all night.
In this case, the fly is BendyBear. A flat surface that could help you shut it down would be your hard drive. The air where it is currently flying is your computer’s memory. And the fly swatter is the anti-virus.
BendyBear connects to the internet using your browser port and pulls down its extra malware from the hacker’s command and control servers. These servers are set up by the cybercrime group to be used with malware and bots. The command and control servers can decide what type of attack to perform for each device that has been infected.
Big companies that have a team of cyber experts can combat this threat with high-dollar software and services that track the malware’s behavior or evidence of it, called indicators of compromise. For the rest of us, the best defense would be whitelisting and ringfencing applications. Whitelisting means only approved programs are allowed to run; ringfencing means each approved program is only allowed to do the things it needs to do, such as reach the internet. This would stop the additional software from being downloaded from the command and control server in the first place. If somehow the malware was on the system and tried to execute, it would be stopped in its tracks. Talk to your local cybersecurity expert about what you can do to protect against BendyBear.
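To make the whitelisting and ringfencing idea concrete, here is a small added example (not code from the column, from Palo Alto Networks, or from any real allow-listing product). It models the two controls as a simple policy: a program may start only if its path and the SHA-256 hash of its contents are on the allow-list, and an approved program may only open outbound connections on the ports assigned to it. The file paths, the "binary" contents being hashed, and the port sets are all constructed stand-ins.

```python
"""Toy application allow-list plus ringfence policy (added illustration)."""
import hashlib
from dataclasses import dataclass, field


def sha256_hex(data: bytes) -> str:
    """Fingerprint of an executable's contents, as an allow-list would store it."""
    return hashlib.sha256(data).hexdigest()


# Constructed stand-ins for installed executables. A real allow-list would hash
# the binaries actually present on the machine at enrollment time.
BROWSER_PATH = r"C:\Program Files\Browser\browser.exe"
UPDATER_PATH = r"C:\Program Files\Updater\updater.exe"
BROWSER_IMAGE = b"constructed browser build 1.0"
UPDATER_IMAGE = b"constructed updater build 2.3"


@dataclass
class Policy:
    allowed_hashes: dict            # image path -> expected SHA-256 (whitelist)
    ringfence: dict                 # image path -> set of permitted outbound ports
    log: list = field(default_factory=list)

    def check_exec(self, path: str, image: bytes) -> bool:
        """Whitelist: unknown programs, or known paths with changed contents, may not run."""
        expected = self.allowed_hashes.get(path)
        if expected is None:
            return self._decide(False, f"exec {path}: not on allow-list")
        if sha256_hex(image) != expected:
            return self._decide(False, f"exec {path}: contents do not match allow-list hash")
        return self._decide(True, f"exec {path}: allowed")

    def check_connect(self, path: str, port: int) -> bool:
        """Ringfence: a program may only use the network in the ways assigned to it."""
        permitted = self.ringfence.get(path, set())     # default: no network at all
        if port not in permitted:
            return self._decide(False, f"connect {path} -> port {port}: outside ringfence")
        return self._decide(True, f"connect {path} -> port {port}: allowed")

    def _decide(self, allowed: bool, message: str) -> bool:
        self.log.append(("ALLOW " if allowed else "DENY  ") + message)
        return allowed


def build_policy() -> Policy:
    """Constructed policy: two approved programs, each with its own network allowance."""
    return Policy(
        allowed_hashes={
            BROWSER_PATH: sha256_hex(BROWSER_IMAGE),
            UPDATER_PATH: sha256_hex(UPDATER_IMAGE),
        },
        ringfence={
            BROWSER_PATH: {80, 443},   # web browsing only
            UPDATER_PATH: {443},       # HTTPS to its update service only
        },
    )


def run_scenario() -> dict:
    """Evaluate a few constructed events and return each decision plus the audit log."""
    policy = build_policy()
    return {
        "browser_exec": policy.check_exec(BROWSER_PATH, BROWSER_IMAGE),
        "browser_https": policy.check_connect(BROWSER_PATH, 443),
        # a program that is not on the list is refused before it ever runs
        "unknown_exec": policy.check_exec(r"C:\Users\Public\unknown.exe", b"constructed unknown binary"),
        # a known path whose contents were altered no longer matches its hash
        "altered_updater_exec": policy.check_exec(UPDATER_PATH, UPDATER_IMAGE + b"\x00"),
        # an approved program reaching out on a port it was never given
        "updater_odd_port": policy.check_connect(UPDATER_PATH, 8080),
        "log": policy.log,
    }


if __name__ == "__main__":
    for line in run_scenario()["log"]:
        print(line)
```

Running the script prints one ALLOW or DENY line per event. The point of the two controls together is that a download which never touches the disk still has to be fetched by some process over the network, and then has to run as something; the ringfence limits the first step to what each approved program legitimately needs, and the whitelist refuses the second step outright.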
So, when you are doing your nighttime reading with your toddlers, stick with Funshine Bear and Tenderheart Bear stories. BendyBear stories would produce a nightmare.