TLDR:
Earth Hundun is using the Waterbear malware family and its newer Deuterbear variant in cyberattacks, mainly against targets in the Asia-Pacific region. Both tools carry sophisticated evasion techniques and encrypted configurations and communications, which makes them difficult to detect and analyze.
Threat actors keep evolving their tooling to stay ahead of defenses and to exploit new weaknesses. Researchers at Trend Micro report a rise in attacks by the Earth Hundun (also known as BlackTech) cyberespionage group. These attacks rely on the Waterbear malware family, which is known for its intricate anti-analysis capabilities and for loaders, downloaders, and communication protocols that its developers revise regularly. The most recent variant, Deuterbear, adds more elaborate evasion strategies, which is why the researchers took a detailed look at this multi-part toolkit used for espionage, especially in the Asia-Pacific region.

Waterbear And Deuterbear Tools

Since 2009, Waterbear has gone through more than ten versions. Its developers keep reworking the infection chain until a compromise succeeds, so several versions often coexist across the environments of the same victims.
The report notes that some Waterbear downloaders use internal IP addresses as their C&C servers. This implies the operators already know the target network well and route traffic through multi-layer jump servers inside it, which lets them persist stealthily and control compromised environments without beaconing directly to the internet. Techniques designed this way for evasion and longevity reflect both the advanced nature of the attacks and the determined efforts of the actors behind this constantly changing malware family.
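A practical consequence for defenders is that C&C addresses recovered from a Waterbear configuration or from proxy logs should be checked against internal address space, because a downloader talking to an RFC 1918 host is exactly the jump-server pattern described above. The following is an added example, not code from Trend Micro or from the report; the sample addresses are constructed and are not real Waterbear indicators. It deliberately lists the internal ranges explicitly rather than relying on Python's ipaddress.is_private, which also returns True for documentation ranges such as 203.0.113.0/24 and would misclassify them.

```python
import ipaddress
from typing import Dict, List

# Ranges that only make sense as C&C if the attacker is already inside the
# network: RFC 1918, loopback, link-local, and IPv6 unique local / link-local.
INTERNAL_NETWORKS = [
    ipaddress.ip_network(n)
    for n in (
        "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
        "127.0.0.0/8", "169.254.0.0/16",
        "fc00::/7", "fe80::/10", "::1/128",
    )
]

# Constructed sample of C&C addresses as they might be pulled from a malware
# config or a proxy log. These are NOT real Waterbear indicators.
SAMPLE_C2_ADDRESSES = [
    "10.23.4.17",       # RFC 1918: looks like an internal jump server
    "192.168.100.5",    # RFC 1918
    "172.20.8.9",       # RFC 1918 (inside 172.16.0.0/12)
    "203.0.113.45",     # TEST-NET-3, stands in for an external host
    "198.51.100.7",     # TEST-NET-2, stands in for an external host
    "fd12:3456::1",     # IPv6 unique local address (internal)
    "not-an-ip",        # hostname or garbage; reported separately
]


def is_internal(ip: ipaddress._BaseAddress) -> bool:
    """True if the address falls in one of the explicitly listed internal ranges."""
    return any(ip in net for net in INTERNAL_NETWORKS if net.version == ip.version)


def classify_c2(addresses: List[str]) -> Dict[str, List[str]]:
    """Split candidate C&C addresses into internal, external, and unparsable.

    Internal hits are the ones worth escalating: a beacon to an address in
    private space means the operator already controls a host on the LAN.
    """
    result: Dict[str, List[str]] = {"internal": [], "external": [], "unparsable": []}
    for raw in addresses:
        try:
            ip = ipaddress.ip_address(raw.strip())
        except ValueError:
            # Hostnames need resolution before they can be classified; keep them visible.
            result["unparsable"].append(raw)
            continue
        result["internal" if is_internal(ip) else "external"].append(raw)
    return result


if __name__ == "__main__":
    for bucket, addrs in classify_c2(SAMPLE_C2_ADDRESSES).items():
        print(f"{bucket:>10}: {addrs}")
```

In a real hunt the input list would come from extracted configurations or from outbound-connection logs of hosts that match the Waterbear detections, and every entry in the internal bucket should be treated as a potential jump server to image and examine.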
Deuterbear, the latest Waterbear downloader variant, has been active since 2022. Trend Micro treats it as a distinct malware entity rather than another member of the original Waterbear downloader category, because its decryption flow and configuration structure were substantially changed, which marks a notable evolution in the malware's capabilities.
Despite improved defenses, Earth Hundun continues to penetrate Asia-Pacific targets with an ever-improving Waterbear that poses considerable difficulties for defenders. The report's indicators of compromise are SHA-256 file hashes, each paired with its detection name, for both Waterbear and Deuterbear samples.
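Because the published indicators are file hashes, the first response step on a suspect host is a hash sweep of the filesystem against that list. The block below is an added example and is not code from the report; the IOC table and the files it creates are constructed stand-ins with hypothetical detection names, so it runs offline and does not touch real samples. To use it for real, replace the constructed table with the SHA-256 values and detection names from the report.

```python
import hashlib
import os
import tempfile
from pathlib import Path
from typing import Dict, List


def sha256_file(path: Path, chunk_size: int = 1 << 20) -> str:
    """Hash a file in chunks so large binaries do not have to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def sweep(root: Path, ioc_hashes: Dict[str, str]) -> List[dict]:
    """Walk `root` and return every file whose SHA-256 is in the IOC table.

    `ioc_hashes` maps a lowercase hex SHA-256 to its detection name.
    """
    table = {k.lower(): v for k, v in ioc_hashes.items()}
    matches: List[dict] = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            p = Path(dirpath) / name
            try:
                digest = sha256_file(p)
            except OSError:
                # Unreadable, locked, or vanished file; a production sweep would log it.
                continue
            if digest in table:
                matches.append({"path": str(p), "sha256": digest, "detection": table[digest]})
    return matches


def demo() -> List[dict]:
    """Build a throwaway directory with constructed files and sweep it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "sub").mkdir()
        # Constructed "sample": its hash is put into the IOC table below.
        (root / "sub" / "loader.dll").write_bytes(b"constructed sample A")
        (root / "readme.txt").write_bytes(b"harmless file")
        # Constructed IOC table with hypothetical detection names; not real indicators.
        ioc = {
            hashlib.sha256(b"constructed sample A").hexdigest().upper(): "Hypothetical.Waterbear.Loader",
            hashlib.sha256(b"constructed sample B").hexdigest(): "Hypothetical.Deuterbear.Downloader",
        }
        return sweep(root, ioc)


if __name__ == "__main__":
    for hit in demo():
        print(f"{hit['detection']}: {hit['path']} ({hit['sha256']})")
```

Hash matching only finds the exact builds the report covers; given how often Waterbear's loaders and downloaders are revised, a clean sweep is not proof of absence, and the internal-C&C traffic pattern described earlier is the more durable signal.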
Earth Hundun has been refining Waterbear since 2009, and Deuterbear is the latest result of that work. HTTPS-encrypted communication, debugger and sandbox checks, a reworked decryption routine, and updated protocols make Deuterbear the most sophisticated iteration so far in both its infection methods and its anti-analysis mechanisms.