Posted by admin on 2024-04-20 17:28:14


Technology, research, and government sectors in the Asia-Pacific region have been targeted by a threat actor called BlackTech as part of a recent cyber attack wave.


The intrusions pave the way for an updated version of a modular backdoor dubbed Waterbear, as well as its enhanced successor referred to as Deuterbear.


"Waterbear is known for its complexity, as it uses a number of evasion mechanisms to minimize the chance of detection and analysis," Trend Micro researchers Cyris Tseng and Pierre Lee said in an analysis last week.


"In 2022, Earth Hundun began using the latest version of Waterbear — also known as Deuterbear — which has several changes, including anti-memory scanning and decryption routines, that make us consider it a different malware entity from the original Waterbear."


The cybersecurity firm tracks the threat actor under the moniker Earth Hundun, which has been active since at least 2007. It also goes by other names such as Circuit Panda, HUAPI, Manga Taurus, Palmerworm, Red Djinn, and Temp.Overboard.


In a joint advisory published last September, cybersecurity and intelligence agencies from Japan and the U.S. described the group's ability to modify router firmware and exploit routers' domain-trust relationships to pivot from international subsidiaries to their corporate headquarters based in the two countries.


"BlackTech actors use custom malware, dual-use tools, and living-off-the-land tactics, such as disabling logging on routers, to conceal their operations," the governments said.



"Upon gaining an initial foothold into a target network and gaining administrator access to network edge devices, BlackTech cyber actors often modify the firmware to hide their activity across the edge devices to further maintain persistence in the network."


One of the crucial tools in its multifaceted arsenal is Waterbear (aka DBGPRINT), which has been put to use since 2009 and has been consistently updated over the years with improved defense evasion features.


The core remote access trojan is fetched from a command-and-control (C2) server by means of a downloader, which is launched using a loader that, in turn, is executed via a known technique called DLL side-loading.


The newest version of the implant supports nearly 50 commands, enabling it to perform a wide range of activities, including process enumeration and termination, file operations, window management, starting and exiting a remote shell, screenshot capture, and Windows Registry modification, among others.


Also delivered using a similar infection flow since 2022 is Deuterbear, whose downloader implements an array of obfuscation methods to hinder analysis and uses HTTPS for C2 communications.
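The infection chain described above (a loader started through DLL side-loading, which runs a downloader, which fetches the backdoor) leaves a recognisable trace at the first step: a DLL that carries the name of a library normally found under the Windows system directory is loaded from the directory of the executable that imports it. The following is an added illustration of a defender-side heuristic for that pattern; it is not code from the Trend Micro report or the advisory, and every path, process name, DLL name and event in it is constructed for the example. A real deployment would build the allow-list of library names and system directories from a golden image of the host rather than from the hard-coded sets shown here.

```python
"""Heuristic triage of image-load events for the DLL side-loading pattern.

Constructed example: the allow-list, the sample events and the severity
scheme are all made up for illustration and are not taken from the
report this page summarises.
"""
from dataclasses import dataclass
from pathlib import PureWindowsPath

# Directories from which the named libraries are expected to load.
# Constructed allow-list (a real one comes from a known-good host image).
SYSTEM_DIRS = {"c:\\windows\\system32", "c:\\windows\\syswow64"}
KNOWN_SYSTEM_DLLS = {"version.dll", "dbghelp.dll", "wtsapi32.dll", "userenv.dll"}


@dataclass(frozen=True)
class ImageLoad:
    """One image-load telemetry record (constructed shape, not a vendor schema)."""
    process_image: str   # full path of the process that loaded the DLL
    dll_path: str        # full path of the DLL that was loaded
    signed: bool         # whether the DLL carried a valid code signature


def _parent_dir(path: str) -> str:
    """Lower-cased directory part of a Windows path, normalised by pathlib."""
    return str(PureWindowsPath(path.lower()).parent)


def is_sideload_candidate(ev: ImageLoad) -> bool:
    """True when a system-library look-alike is loaded from beside its host exe."""
    dll = PureWindowsPath(ev.dll_path.lower())
    if dll.name not in KNOWN_SYSTEM_DLLS:
        return False                      # not impersonating a system library
    dll_dir = str(dll.parent)
    if dll_dir in SYSTEM_DIRS:
        return False                      # loaded from where it belongs
    # Side-loading: the look-alike DLL sits in the host executable's own directory
    return dll_dir == _parent_dir(ev.process_image)


def triage(events):
    """Return (event, severity) for every load that matches the pattern.

    An unsigned look-alike is rated high; a signed one still warrants a look,
    because a legitimately signed but vulnerable library can also be abused.
    """
    hits = []
    for ev in events:
        if is_sideload_candidate(ev):
            hits.append((ev, "high" if not ev.signed else "medium"))
    return hits


# Constructed sample telemetry: one benign system load, one side-load from a
# temp directory, one vendor library with a non-system name, one benign
# SysWOW64 load and one signed look-alike beside a third-party tool.
SAMPLE_EVENTS = [
    ImageLoad(r"C:\Windows\System32\svchost.exe",
              r"C:\Windows\System32\version.dll", True),
    ImageLoad(r"C:\Users\alice\AppData\Local\Temp\updater\signed_host.exe",
              r"C:\Users\alice\AppData\Local\Temp\updater\version.dll", False),
    ImageLoad(r"C:\Program Files\Vendor\app.exe",
              r"C:\Program Files\Vendor\vendorlib.dll", True),
    ImageLoad(r"C:\Program Files\Vendor\app.exe",
              r"C:\Windows\SysWOW64\dbghelp.dll", True),
    ImageLoad(r"D:\tools\viewer\viewer.exe",
              r"D:\tools\viewer\dbghelp.dll", True),
]

if __name__ == "__main__":
    for ev, severity in triage(SAMPLE_EVENTS):
        print(f"[{severity}] {ev.process_image} loaded {ev.dll_path}")
```

The heuristic is deliberately narrow: it only fires when the DLL name collides with a known system library and the file sits next to the host executable, which keeps the noise from ordinary third-party applications low while still catching the loader stage before any downloader or C2 traffic appears.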


"Since 2009, Earth Hundun has continuously evolved and refined the Waterbear backdoor, as well as its many variants and branches," the researchers said.


"The Deuterbear downloader employs HTTPS encryption for network traffic protection and implements various updates in malware execution, such as altering the function decryption, checking for debuggers or sandboxes, and modifying traffic protocols."







Reposted on CN-SEC中文网; please keep the link to this article when reproducing it (thanks to the original author for their work).