Analysis & Insights


Ensign's plans and procedures in response to BendyBear

The Situation

On 9 February 2021, Palo Alto‘s threat intelligence team Unit 42 disclosed the discovery of BendyBear – a highly sophisticated cyber espionage tool. BendyBear is alleged to have similarity in code behaviour and features as that of the WaterBear malware family, which was used by cyber espionage group BlackTech. BendyBear is an updated version designed to work with modern 64-bit systems. It uses anti-forensic techniques and the malicious payload is loaded in memory, thus making it challenging to detect. Its main function is to download more malicious payloads from attacker’s controlled command and control (C2) server. 

Our Commitment

We expect more updates on BendyBear, and will continue to keep a close watch and provide relevant insights and recommendations to the community. Throughout this festive period, Ensign continues to be available to clients who require assistance on any cyber-related matters.

Our Actions

Ensuring our customers are secured - Security of our clients is key

  • Our SOCs have updated our detection capabilities based on the latest IOCs published, and we have compressed our in-house SOC processes to review and update such detection rules to keep pace with the rollout of such information.
  • We continue to maintain timely patch updates for our critical systems to ensure that we eradicate known vulnerabilities in our environment. 
  • Our SOCs have been tasked to support clients who may be affected in threat identification, if required. 

 Enhanced Monitoring

  • We are stepping up our SOC operations to keep tabs of the evolving situation, and handle any response actions required. 
  • Deep analysis is ongoing to uncover attack trends, patterns and TTPs (tactics-techniques-procedures) - these insights will be shared when ready. 

 Our Recommendations

  • Review and update existing security rulesets with relevant indicators of compromise to identify suspicious activities.
  • Review network logs to identify TCP port 443 traffic that does not conform to proper SSL or any other known applications.
  • Where feasible, block unknown outbound TCP traffic in security policies.
  • Keep up with software updates, and mitigate identified critical vulnerabilities.
  • Enhance perimeter and endpoint defence with whitelisting, behaviour analysis and sandboxing techniques using advanced endpoint & network security solutions.
  • Please refer to the following links for more in-depth information on BendyBear:

We are expecting additional IOCs and TTPs to be uncovered. We will continue to provide updates on the incident, and inform you about additional information.

If you suspect that you could have been affected by the malware, you can contact us for digital forensic and incident response services. You can take preemptive measures to protect your assets against new and unknown threats through our threat hunting and threat intelligence programme.  Contact us at for more information.