Trend Micro Inc.

05/16/2024 | News release | Distributed by Public on 05/16/2024 00:29

Tracking the Progression of Earth Hundun's Cyberespionage Campaign in 2024

The installation pathway of Deuterbear is depicted in Figure 3. It is similar to that of Waterbear, which likewise installs the backdoor in two stages.

In the first stage, the loader uses a basic XOR operation to decrypt the downloader, which then retrieves the first-stage RAT from the C&C server. The threat actor uses this first-stage RAT to survey the victim's system and choose a suitable folder for persistence. That folder is where the second-stage Deuterbear components are installed: the loader that decrypts with CryptUnprotectData, the encrypted downloader, and the associated registry entries (the decryption flow was discussed in the previous blog entry).
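As an added example, not code from Trend Micro's report or from the Deuterbear samples, the following Python helper shows how an analyst can strip a basic repeating-key XOR wrapper like the one the first-stage loader applies to the downloader, without knowing the key in advance. The stable first bytes of a PE DOS header serve as known plaintext, and each candidate key length is validated by checking that the decrypted buffer carries a PE signature at e_lfanew. The payload, the key and the key-length range are constructed for the demo; the report does not state the key length of the real stage-1 scheme, so a plain repeating XOR over a PE image is an assumption here.

```python
"""Recover a repeating-key XOR wrapper around a PE payload using the DOS header
as known plaintext.  Added analyst helper; the payload and key below are
constructed for the demo and are not Earth Hundun artifacts."""
import struct

# First 16 bytes of a typical MSVC-linked DOS header (e_magic .. e_maxalloc);
# stable enough across PE files to serve as known plaintext.
DOS_HEADER_PREFIX = bytes.fromhex("4d5a90000300000004000000ffff0000")


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """XOR data with a repeating key; the operation is its own inverse."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def recover_key(ciphertext: bytes, key_len: int, known: bytes = DOS_HEADER_PREFIX) -> bytes:
    """Key bytes = ciphertext XOR known plaintext over the first key_len bytes."""
    if not 1 <= key_len <= len(known) or len(ciphertext) < key_len:
        raise ValueError("key length must fit inside the known plaintext")
    return bytes(c ^ p for c, p in zip(ciphertext[:key_len], known[:key_len]))


def looks_like_pe(data: bytes) -> bool:
    """Heuristic validation: 'MZ' magic and a 'PE\\0\\0' signature at e_lfanew."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def brute_force_xor_wrapper(ciphertext: bytes, max_key_len: int = 16):
    """Try key lengths 1..max_key_len and return (key, plaintext) for the first
    length whose recovered key yields a plausible PE, or None.  Shorter lengths
    are tried first, so the minimal key period is returned; a length that is not
    a multiple of the true period corrupts bytes past the first period and, in
    practice, fails the e_lfanew/PE-signature check."""
    for key_len in range(1, max_key_len + 1):
        key = recover_key(ciphertext, key_len)
        plain = xor_bytes(ciphertext, key)
        if looks_like_pe(plain):
            return key, plain
    return None


def build_constructed_pe() -> bytes:
    """Constructed minimal PE-shaped buffer: DOS header with e_lfanew=0x80,
    then the NT signature and padding.  Not a loadable executable."""
    buf = bytearray(DOS_HEADER_PREFIX)
    buf += b"\x00" * (0x3C - len(buf))
    buf += struct.pack("<I", 0x80)            # e_lfanew
    buf += b"\x00" * (0x80 - len(buf))
    buf += b"PE\x00\x00" + b"\x00" * 0x40    # NT signature + filler
    return bytes(buf)


if __name__ == "__main__":
    demo_key = bytes.fromhex("5a13c72e")      # constructed 4-byte key
    wrapped = xor_bytes(build_constructed_pe(), demo_key)
    result = brute_force_xor_wrapper(wrapped)
    print("recovered key:", result[0].hex() if result else None)
```

Because the wrapper is its own inverse, the same `xor_bytes` call re-wraps a cleaned sample for controlled replay. If no key length passes the PE check, the stage-1 scheme is not a plain repeating XOR over a PE image (a different known-plaintext offset or an extra transform, for instance), and the key is better lifted from the loader's code than guessed.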

In most infected systems, only the second-stage Deuterbear is present. Our monitoring indicates that all first-stage Deuterbear components are removed once the "persistence installation" is completed. Earth Hundun appears to prefer keeping the CryptUnprotectData-based loaders even when the first stage has already installed a working Deuterbear. This choice covers their tracks and hinders analysis: a DPAPI-protected blob can only be unprotected under the same user or machine context that protected it on the victim, so the encrypted downloader copied off the host will not decrypt in a sandbox or on an analyst's machine. Researchers working in simulated environments rather than on real victim systems are therefore left with a sample they cannot decrypt.

The Deuterbear RAT directly inherits several components from the downloader, including:

  • All anti-analysis techniques (please refer to our previous report for more details).
  • HTTPS tunnel.
  • Routine to receive and send traffic.
  • RC4 key to decrypt and encrypt traffic.
  • Routine to decrypt and encrypt the desired function.
  • Key to decrypt and encrypt the desired function.

Because the RAT reuses the downloader's HTTPS channel and RC4 traffic key, it does not need a new handshake with the C&C server to renegotiate the communication protocol. The threat actor can therefore control the client seamlessly whether the process is still in the downloader stage or has progressed to the RAT stage. Before executing backdoor commands, the Deuterbear RAT sends victim information to the C&C server with RAT command 975, whose structure (Table 3) is highly reminiscent of that of the Waterbear RAT (Table 2).
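As an added example, not code from the report or from Deuterbear itself, here is a Python RC4 helper of the kind an analyst would use to decrypt TLS-stripped C&C traffic once the traffic key has been recovered (for instance carved from a memory dump of the infected process). The key, the two messages and their field layout are constructed for the demo; the point is that one key serves both the downloader-phase and the RAT-phase messages, exactly because the RAT inherits it. The last helper shows a general RC4 property, not a claim about Deuterbear's protocol: if the same key is used for every message with no per-message nonce, the keystream repeats and the XOR of two ciphertexts equals the XOR of their plaintexts, which is worth checking in any captured session.

```python
"""RC4 decryption of Deuterbear-style C&C traffic with a recovered key.
Added example: the key and the two captured messages are constructed here
for illustration; they are not real Earth Hundun traffic or keys."""


def rc4_crypt(key: bytes, data: bytes) -> bytes:
    """RC4 (KSA + PRGA) keystream XOR.  Symmetric: the same call encrypts and decrypts."""
    if not key:
        raise ValueError("RC4 key must be non-empty")
    s = list(range(256))
    j = 0
    for i in range(256):                       # key-scheduling algorithm
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:                          # pseudo-random generation algorithm
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


# Constructed: a traffic key as an analyst might carve it from process memory
# (hypothetical value, not an Earth Hundun key).
SAMPLE_TRAFFIC_KEY = bytes.fromhex("d3ad0bee1c0ffee51d0ca7ed00baddad")


def decrypt_session(key: bytes, messages: list) -> list:
    """Decrypt every message of a session with one key.  Because Deuterbear's
    downloader and RAT stages share the RC4 key, a single recovered key covers
    both phases; no per-stage re-keying has to be tracked."""
    return [rc4_crypt(key, m) for m in messages]


def ciphertext_xor(c1: bytes, c2: bytes) -> bytes:
    """General RC4 property (not a statement about Deuterbear specifically): two
    messages encrypted under the same key with no nonce share a keystream, so
    c1 XOR c2 == p1 XOR p2 over the common prefix.  Useful as a quick test of
    whether a captured session re-keys per message."""
    return bytes(a ^ b for a, b in zip(c1, c2))


def build_constructed_capture():
    """Constructed plaintexts standing in for a downloader-phase and a RAT-phase
    message; the field layout is invented for the demo.  Returns (ciphertexts,
    plaintexts) so a reader can compare decryption results."""
    downloader_msg = b"stage=downloader;host=WS-0042;user=alice"
    rat_msg = b"stage=rat;host=WS-0042;user=alice;cmd=975"
    plaintexts = [downloader_msg, rat_msg]
    ciphertexts = [rc4_crypt(SAMPLE_TRAFFIC_KEY, m) for m in plaintexts]
    return ciphertexts, plaintexts


if __name__ == "__main__":
    cts, _ = build_constructed_capture()
    for msg in decrypt_session(SAMPLE_TRAFFIC_KEY, cts):
        print(msg.decode())
```

RC4 here sits beneath the HTTPS tunnel, so the ciphertexts fed to `rc4_crypt` must already be TLS plaintext, obtained from an interception proxy, a TLS key log, or the process's memory. RC4 also provides no integrity check, so a wrong key simply yields garbage rather than an error; validate the output against the expected message structure (Table 3) before trusting it.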