Cyberespionage Group Earth Hundun’s Continuous Refinement of Waterbear and Deuterbear

  • Earth Hundun is a cyberespionage-motivated threat actor that has been active for several years in the Asia-Pacific region, targeting the technology and government sectors.
  • The group has been known for employing several tools and techniques, including Waterbear, a malware entity that has had over 10 versions since 2009.
  • Waterbear is known for its complexity, as it uses a number of evasion mechanisms to minimize the chance of detection and analysis. Succeeding versions have added enhancements that make it even more troublesome to deal with.
  • In 2022, Earth Hundun began using the latest version of Waterbear — also known as Deuterbear — which has several changes, including anti-memory scanning and decryption routines, that make us consider it a different malware entity from the original Waterbear.
  • Our blog entry provides an in-depth analysis of these two malware types in Earth Hundun’s bag of tools.

We recently observed a surge in cyberattacks targeting a number of organizations in various sectors such as technology, research, and government.  These attacks involve a malware family known as  Waterbear that is linked to the cyberespionage group Earth Hundun (also known as BlackTech), a threat actor that focuses on gathering intelligence from technology and government organizations, particularly in the Asia-Pacific region.

Among the group’s arsenal of weapons, the Waterbear backdoor is one of the most complex, with a wide array of anti-debug, anti-sandbox, and general antivirus-hindering techniques. Moreover, the frequent updates from its developers have led to even more evasion tactics, including enhancements of its loader, downloader, and communication protocol. This report will delve into the latest techniques Earth Hundun has implemented with Waterbear and provide an analysis of its latest iteration, Deuterbear.  

Waterbear has had over 10 versions since 2009, with the version number directly visible in the configuration. Despite available solutions for older versions, its operators typically persist in enhancing infection flows until a successful compromise. Therefore, it is common to find multiple versions coexisting within the same timeframe and even within the environments of the same victims.

Interestingly, some Waterbear downloaders have been seen using command-and-control (C&C) servers with internal IP addresses (for instance, the downloader with hash 6b9a14d4d9230e038ffd9e1f5fd0d3065ff0a78b52ab338644462864740c2241 uses the internal IP 192.168.11[.]2 as its C&C server).

This suggests that the attackers might have in-depth knowledge of their victims’ networks, employing multilayered jump servers to evade detection. Such tactics underscore the sophisticated nature of these attacks, which are designed to stealthily maintain presence and control within compromised environments.

Attack chain and TTPs of Waterbear

Read More HERE