BlackTech's New Weapon 'Deuterbear' Takes Aim at Technology, Research and Government Sectors

admin, posted 2024-04-20 17:28:14

Technology, research, and government sectors in the Asia-Pacific region have been targeted by a threat actor called BlackTech as part of a recent cyber attack wave.

The intrusions pave the way for an updated version of modular backdoor dubbed Waterbear as well as its enhanced successor referred to as Deuterbear.

"Waterbear is known for its complexity, as it uses a number of evasion mechanisms to minimize the chance of detection and analysis," Trend Micro researchers Cyris Tseng and Pierre Lee said in an analysis last week.

"In 2022, Earth Hundun began using the latest version of Waterbear — also known as Deuterbear — which has several changes, including anti-memory scanning and decryption routines, that make us consider it a different malware entity from the original Waterbear."

The cybersecurity firm is tracking the threat actor under the moniker Earth Hundun, which is known to be active since at least 2007. It also goes by other names such as Circuit Panda, HUAPI, Manga Taurus, Palmerworm, Red Djinn, and Temp.Overboard.

In a joint advisory published last September, cybersecurity and intelligence agencies from Japan and the U.S. described the group's ability to modify router firmware and to exploit routers' domain-trust relationships in order to pivot from international subsidiaries to the corporate headquarters based in the two countries.

"BlackTech actors use custom malware, dual-use tools, and living-off-the-land tactics, such as disabling logging on routers, to conceal their operations," the governments said.

"Upon gaining an initial foothold into a target network and gaining administrator access to network edge devices, BlackTech cyber actors often modify the firmware to hide their activity across the edge devices to further maintain persistence in the network."

One of the crucial tools in its multifaceted arsenal is Waterbear (aka DBGPRINT), which has been put to use since 2009 and has been consistently updated over the years with improved defense evasion features.

The core remote access trojan is fetched from a command-and-control (C2) server by means of a downloader, which is launched using a loader that, in turn, is executed via a known technique called DLL side-loading.

The newest version of the implant supports nearly 50 commands, enabling it to perform a wide range of activities, including process enumeration and termination, file operations, window management, start and exit remote shell, screenshot capture, and Windows Registry modification, among others.

Deuterbear, delivered through a similar infection flow since 2022, comes with a downloader that implements an array of obfuscation methods to hinder analysis and uses HTTPS for its C2 communications.

"Since 2009, Earth Hundun has continuously evolved and refined the Waterbear backdoor, as well as its many variants and branches," the researchers said.

"The Deuterbear downloader employs HTTPS encryption for network traffic protection and implements various updates in malware execution, such as altering the function decryption, checking for debuggers or sandboxes, and modifying traffic protocols."

References

[1]https://thehackernews.com/2024/04/blacktech-targets-tech-research-and-gov.html

Originally published on the WeChat public account 知机安全: BlackTech's New Weapon 'Deuterbear' Takes Aim at Technology, Research and Government Sectors

Reposted by CN-SEC: https://cn-sec.com/archives/2675512.html