Deuterbear malware

Technology, research, and government sectors in the Asia-Pacific region have been targeted by a threat actor called BlackTech as part of a recent cyber attack wave.

The intrusions pave the way for an updated version of modular backdoor dubbed Waterbear as well as its enhanced successor referred to as Deuterbear.

Cybersecurity firm Trend Micro is tracking the threat actor under the moniker Earth Hundun, which is known to be active since at least 2007. It also goes by other names such as Circuit Panda, HUAPI, Manga Taurus, Palmerworm, Red Djinn, and Temp.Overboard.

"Waterbear is known for its complexity, as it uses a number of evasion mechanisms to minimize the chance of detection and analysis," Trend Micro researchers Cyris Tseng and Pierre Lee said in an analysis last week.

"In 2022, Earth Hundun began using the latest version of Waterbear — also known as Deuterbear — which has several changes, including anti-memory scanning and decryption routines, that make us consider it a different malware entity from the original Waterbear."


In a joint advisory published last September, cybersecurity and intelligence agencies from Japan and the U.S. attributed the adversary to China, describing its ability to modify router firmware and exploit routers' domain-trust relationships to pivot from international subsidiaries to their corporate headquarters based in the two countries.

"BlackTech actors use custom malware, dual-use tools, and living-off-the-land tactics, such as disabling logging on routers, to conceal their operations," the governments said.

Deuterbear malware

"Upon gaining an initial foothold into a target network and gaining administrator access to network edge devices, BlackTech cyber actors often modify the firmware to hide their activity across the edge devices to further maintain persistence in the network."

One of the crucial tools in its multifaceted arsenal is Waterbear (aka DBGPRINT), which has been put to use since 2009 and has been consistently updated over the years with improved defense evasion features.

The core remote access trojan is fetched from a command-and-control (C2) server by means of a downloader, which is launched using a loader that, in turn, is executed via a known technique called DLL side-loading.

The newest version of the implant supports nearly 50 commands, enabling it to perform a wide range of activities, including process enumeration and termination, file operations, window management, start and exit remote shell, screenshot capture, and Windows Registry modification, among others.


Also delivered using a similar infection flow since 2022 is Deuterbear, whose downloader implements an array of obfuscation methods to resist anti-analysis and uses HTTPS for C2 communications.

"Since 2009, Earth Hundun has continuously evolved and refined the Waterbear backdoor, as well as its many variants and branches," the researchers said.

"The Deuterbear downloader employs HTTPS encryption for network traffic protection and implements various updates in malware execution, such as altering the function decryption, checking for debuggers or sandboxes, and modifying traffic protocols."

Found this article interesting? Follow us on Twitter and LinkedIn to read more exclusive content we post.