Deuterbear RAT
Cybersecurity researchers have provided new insights into Deuterbear, a Remote Access Trojan (RAT) employed by the China-linked BlackTech hacking group in a recent cyber espionage campaign targeting the Asia-Pacific region.
The Deuterbear RAT resembles a tool the group has used before, known as Waterbear. However, it features significant enhancements, including support for shellcode plugins, operation without handshakes, and the use of HTTPS for command-and-control (C&C) communication. Unlike Waterbear, Deuterbear employs a shellcode format, incorporates anti-memory-scanning techniques, and shares a traffic key with its downloader.
BlackTech Has Been Updating Its Arsenal of Threatening Tools
Active since at least 2007, BlackTech has been known in the cybersecurity community by various names, including Circuit Panda, Earth Hundun, HUAPI, Manga Taurus, Palmerworm, Red Djinn, and Temp.Overboard.
For nearly 15 years, the group has frequently used the Waterbear malware (also known as DBGPRINT) in their cyber attacks. However, since October 2022, their campaigns have featured an updated version of this malware called Deuterbear.
The Infection Chain Utilized by BlackTech for the Delivery of the Waterbear Malware
Waterbear is delivered to the targeted devices via a patched legitimate executable, which uses DLL side-loading to launch a loader. This loader then decrypts and executes a downloader, which contacts a Command-and-Control (C&C) server to retrieve the RAT module.
Interestingly, the RAT module is fetched twice from the attacker-controlled infrastructure. The first fetch loads a Waterbear plugin, which further compromises the system by launching a different version of the Waterbear downloader to retrieve the RAT module from another C&C server.
In other words, the initial Waterbear RAT acts as a plugin downloader, while the second Waterbear RAT functions as a backdoor, collecting sensitive information from the compromised host using a set of 60 commands.
The Deuterbear RAT Relies on Modified Infection Tactics to Compromise Victims’ Devices
The infection pathway for Deuterbear is very similar to that of Waterbear in that it also uses two stages to install the RAT backdoor component. Still, it modifies that pathway to some extent.
In the first stage, the loader launches a downloader that connects to the C&C server to fetch the Deuterbear RAT. This first-stage RAT acts as an intermediary: it establishes persistence by installing a second-stage loader that is started via DLL side-loading. That loader in turn executes a downloader, which once again fetches the Deuterbear RAT from a C&C server, this time for information theft.
On most infected systems, only the second-stage Deuterbear is present. All components of the first-stage Deuterbear are completely removed once the 'persistence installation' is complete.
The Deuterbear RAT may be Evolving Separately from Its Predecessor
This strategy effectively obscures the attackers' tracks and makes it difficult for threat researchers to analyze the Deuterbear malware, especially when analysis is attempted in simulated environments rather than on actual victim systems.
The Deuterbear RAT is a more streamlined version of its predecessor, retaining only a subset of commands and adopting a plugin-based approach to expand its functionality. Waterbear has undergone continuous evolution, ultimately leading to the development of Deuterbear. Interestingly, both Waterbear and Deuterbear continue to evolve independently, rather than one merely replacing the other.