Deuterbear RAT attacks Asia: how BlackTech malware surprised researchers

Father

Originating as an evolution of Waterbear, the new Trojan has more specific goals…

Cybersecurity researchers have revealed new details about a remote access Trojan called Deuterbear RAT, which is being used by China-linked hacker group BlackTech as part of a cyber-espionage campaign targeting the Asia-Pacific region.

The BlackTech group, active since at least 2007, is known by many names, including Circuit Panda, Earth Hundun, HUAPI, Manga Taurus, Palmerworm, Red Djinn, and Temp.Overboard.

For many years, BlackTech has used the Waterbear malware in its malicious campaigns, but since October 2022, the group has also actively used its updated version called Deuterbear.

"Although similar to Waterbear in many ways, Deuterbear has some improvements, such as avoiding handshake signals for RAT operation and using HTTPS to communicate with the C2 infrastructure," explained Pierre Li and Cyris Tseng, researchers at Trend Micro, in their new analysis.

"Unlike Waterbear, the new malware uses a shellcode format, has a memory scanning function, and shares the traffic key with its loader," the experts added.

Both malware families are delivered by a dedicated loader that relies on DLL sideloading: a malicious library is paired with a legitimate executable, which loads it and decrypts the malicious module directly. The older Waterbear installation chain, however, involved a larger number of stages.

According to the researchers, Deuterbear RAT is broadly a simplified version of its predecessor: it relies only on hard-coded commands, whereas Waterbear used a plug-in approach to implement additional functionality.

The experts also believe that the two malware families serve different purposes and will therefore continue to be developed independently of each other. This adds complexity for security teams, who must track a larger number of threats and remain especially vigilant.