noodls browser compatibility check

The security settings of your browser are blocking the execution of scripts.

To use noodls, javascript support must be enabled. Please change your browser's security settings to enable javascript.

If you have changed your browser's security settings, you can click here.

related announcements

News

Sonoma Raceway - Speedway Sonoma LLC

Kalitta, Tasca, Hartford & Van Sant take provisional No. 1 spots at[...]
Children's National Medical Center[...]

Helping your child through a friendship breakup - Children's National
Georgia Department of Transportation

🚧Clayton County🚧 Friday, Sunday Night Lane Closures on I 285 EB and[...]

Information Technology

Trend Micro Inc.

05/16/2024 | News release | Distributed by Public on 05/16/2024 00:29

Tracking the Progression of Earth Hundun's Cyberespionage Campaign in 2024

The installation pathway of Deuterbear is depicted in Figure 3. Note that it is similar to Waterbear, which implements two stages to install the backdoor.

In the first stage, the loader employs a basic XOR calculation to decrypt the downloader, facilitating the retrieval of the first stage RAT from the C&C server. Subsequently, the threat actor applies the first stage RAT to survey the victim's system and identify an appropriate folder for persistence. This is where the second-stage Deuterbear components will be installed, including the loader with CryptUnprotectData decryption, the encrypted downloader, and associated registries (the decryption flow was discussed in the previous blog entry).

In most of the infected systems, only the second stage Deuterbear is available. Our monitoring indicates that all components of the first stage Deuterbear are totally removed after the "persistence installation" is completed. It seems that Earth Hundun prefers to keep the loaders using CryptUnprotectData decryption, even in cases where the successful installation of Deuterbear is achieved during the first stage. This strategy effectively protects their tracks and prevents the malware from easily being analyzed by threat researchers, particularly in simulated environments rather than real victim systems.

The Deuterbear RAT directly inherits several components from the downloader, including:

All anti-analysis techniques (please refer to our previous report for more details).
HTTPS tunnel.
Routine to receive and send traffic.
RC4 key to decrypt and encrypt traffic.
Routine to decrypt and encrypt the desired function.
Key to decrypt and encrypt the desired function.

Due to having the same HTTPS channel and RC4 traffic key, Deuterbear RAT doesn't require a handshake with the C&C server to update communication protocols. This enables the threat actor to seamlessly control the client, regardless of whether the process is in the downloader or RAT status. Prior to executing backdoor commands, the Deuterbear RAT transmits victim information to the C&C server via RAT command 975 with the structure (Table 3) highly reminiscent of the Waterbear RAT (Table 2).

Sharing and Personal Tools

Please select the service you want to use: