
Hackers with ties to China utilize a dual-stage infection strategy to distribute the Deuterbear RAT

Cybersecurity researchers have revealed more information about a remote access trojan (RAT) called Deuterbear, utilized by the China-linked BlackTech hacking group as part of a cyber espionage campaign targeting the Asia-Pacific region this year.

“Deuterbear, while similar to Waterbear in many aspects, demonstrates advancements in capabilities such as the inclusion of support for shellcode plugins, avoiding handshakes for RAT operation, and employing HTTPS for C&C communication,” stated Trend Micro researchers Pierre Lee and Cyris Tseng in a recent analysis.

“In contrast to Waterbear, Deuterbear uses a shellcode format, possesses anti-memory scanning, and shares a traffic key with its downloader.”

The BlackTech group, which has been active since at least 2007, is also known by various names in the cybersecurity community, including Circuit Panda, Earth Hundun, HUAPI, Manga Taurus, Palmerworm, Red Djinn, and Temp.Overboard.

The group has historically used a malware called Waterbear (aka DBGPRINT) in cyber attacks for over 15 years, but recent campaigns since October 2022 have adopted an updated version called Deuterbear.

Waterbear is typically distributed through a modified legitimate executable, leveraging DLL side-loading to execute a loader that decrypts and runs a downloader, which then contacts a command-and-control (C&C) server to fetch the RAT module.

Interestingly, the RAT module is downloaded twice from the attacker’s infrastructure, with the first download used to load a Waterbear plugin that launches a different version of the Waterbear downloader to retrieve the RAT module from another C&C server.

Essentially, the initial Waterbear RAT acts as a plugin downloader, while the second Waterbear RAT serves as a backdoor, collecting sensitive data from the compromised system using a set of 60 commands.

Deuterbear follows a similar infection path as Waterbear, employing two stages to install the RAT backdoor component, with some tweaks.

The first stage uses a loader to run a downloader that connects to the C&C server to fetch the Deuterbear RAT, which establishes persistence through a second-stage loader via DLL side-loading.

This second loader is responsible for executing another downloader, which downloads the Deuterbear RAT from a C&C server for information theft.

“In most infected systems, only the second stage Deuterbear is present,” the researchers noted. “All components of the first stage Deuterbear are completely removed after the ‘persistence installation’ is completed.”

“This approach helps conceal their activities, making it difficult for threat researchers to analyze the malware, especially in simulated environments rather than real victim systems.”

Deuterbear RAT is a more streamlined version of its predecessor, focusing on a subset of commands and adopting a plugin-based strategy to enhance functionality.

“Waterbear has evolved continuously, leading to the creation of a new malware, Deuterbear,” Trend Micro explained. “Interestingly, both Waterbear and Deuterbear continue to evolve separately, rather than one replacing the other.”

Targeted Campaign Introduces SugarGh0st RAT

Proofpoint recently detailed an “extremely targeted” cyber campaign aimed at organizations involved in artificial intelligence efforts in the U.S., deploying a malware known as SugarGh0st RAT.

The activity cluster is being tracked by the security company under the name UNK_SweetSpecter.

“SugarGh0st RAT is a customized variant of Gh0st RAT, an older trojan commonly used by Chinese-speaking threat actors,” Proofpoint explained. “SugarGh0st RAT has been historically used to target users in Central and East Asia.”

Cisco Talos first reported SugarGh0st RAT late last year in connection with an attack on the Uzbekistan Ministry of Foreign Affairs and South Korean users starting from August 2023, believed to be the work of a Chinese-speaking threat actor.

The attack involves sending AI-themed phishing messages with a ZIP archive containing a Windows shortcut file that deploys a JavaScript dropper to execute the SugarGh0st payload.
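The two delivery mechanisms described on this page, the DLL side-loading used by the Waterbear and Deuterbear loaders and the shortcut-launched JavaScript dropper that delivers SugarGh0st, are both visible in ordinary endpoint telemetry. The following Python hunting sketch is an added example, not code from the article or from the Trend Micro or Proofpoint reports. It assumes Sysmon-style events (Event ID 7 image loads and Event ID 1 process creations), runs over constructed sample events embedded below, and its staging-directory hints and signing checks are heuristics chosen here, not indicators taken from either report.

```python
"""Hunting heuristics for DLL side-loading (Sysmon Event ID 7, image loaded)
and for a Windows script host launched from a shortcut (Sysmon Event ID 1,
process create). Field names follow Sysmon's schema; all events below are
constructed samples, not data from any real incident."""
import json
import ntpath

# Directories where a locally loaded DLL is expected; anything else is suspect.
SYSTEM_DIRS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
# Paths where an extracted archive typically lands (assumed hints, tune per estate).
STAGING_HINTS = ("\\appdata\\local\\temp\\", "\\downloads\\")

# Constructed Sysmon-style events as JSON lines.
SAMPLE_EVENTS = r"""
{"EventID": 7, "Image": "C:\\Users\\alice\\AppData\\Local\\Temp\\update\\vendor_tool.exe", "ImageLoaded": "C:\\Users\\alice\\AppData\\Local\\Temp\\update\\version.dll", "Signed": "false", "SignatureStatus": "Unavailable"}
{"EventID": 7, "Image": "C:\\Program Files\\Vendor\\tool.exe", "ImageLoaded": "C:\\Windows\\System32\\version.dll", "Signed": "true", "SignatureStatus": "Valid"}
{"EventID": 1, "Image": "C:\\Windows\\System32\\wscript.exe", "CommandLine": "wscript.exe //e:jscript C:\\Users\\alice\\AppData\\Local\\Temp\\AI_brief\\brief.js", "ParentImage": "C:\\Windows\\explorer.exe"}
{"EventID": 1, "Image": "C:\\Windows\\System32\\wscript.exe", "CommandLine": "wscript.exe C:\\Scripts\\logon.vbs", "ParentImage": "C:\\Windows\\System32\\userinit.exe"}
"""


def parse_events(text):
    """Parse JSON lines into event dicts, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def _dir_of(path):
    """Lower-cased directory of a Windows path, with a trailing backslash."""
    return ntpath.dirname(path).lower() + "\\"


def is_sideload_candidate(ev):
    """Heuristic: an unsigned DLL loaded from the host executable's own
    directory, where that directory is outside the usual system locations.
    This is the shape DLL side-loading leaves in image-load telemetry."""
    if ev.get("EventID") != 7:
        return False
    image, loaded = ev.get("Image", ""), ev.get("ImageLoaded", "")
    if not loaded.lower().endswith(".dll"):
        return False
    same_dir = _dir_of(image) == _dir_of(loaded)
    system_dir = _dir_of(loaded).startswith(SYSTEM_DIRS)
    unsigned = str(ev.get("Signed", "")).lower() != "true"
    return same_dir and not system_dir and unsigned


def is_script_dropper(ev):
    """Heuristic: a script host started by the shell (explorer.exe is the
    parent when a user double-clicks a shortcut) on a script in a staging
    directory such as the temp folder an archive was extracted into."""
    if ev.get("EventID") != 1:
        return False
    host = ntpath.basename(ev.get("Image", "")).lower()
    parent = ntpath.basename(ev.get("ParentImage", "")).lower()
    cmd = ev.get("CommandLine", "").lower()
    return host in SCRIPT_HOSTS and parent == "explorer.exe" and any(h in cmd for h in STAGING_HINTS)


def hunt(text):
    """Return (rule_name, detail) for every event that matches a rule."""
    hits = []
    for ev in parse_events(text):
        if is_sideload_candidate(ev):
            hits.append(("dll_sideload_candidate", ev["ImageLoaded"]))
        elif is_script_dropper(ev):
            hits.append(("script_host_from_shell", ev["CommandLine"]))
    return hits


if __name__ == "__main__":
    for rule, detail in hunt(SAMPLE_EVENTS):
        print(f"{rule}: {detail}")
```

Both rules are intentionally narrow so that they stay quiet on the legitimate events in the sample (a signed system DLL loaded by a Program Files binary, and a logon script run by userinit.exe). In practice the side-loading rule is best paired with an allow-list of known vendor directories, since some legitimate installers also ship unsigned DLLs beside their executables.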

“The May 2024 campaign targeted fewer than 10 individuals, all connected to a single leading U.S.-based artificial intelligence organization based on open-source research,” Proofpoint stated.

The motive behind the attacks is not clear, but it’s speculated that the objective could be to steal confidential information related to generative artificial intelligence (GenAI).

The targeting of U.S. entities aligns with reports of the U.S. government considering restrictions on China’s access to GenAI tools from companies like OpenAI, Google DeepMind, and Anthropic, providing potential motives.

Earlier this year, the U.S. Department of Justice (DoJ) indicted a former Google software engineer for stealing proprietary information and attempting to use it at two AI-related technology companies in China, including one he founded in May 2023.

“If Chinese entities are restricted from accessing AI development technologies, Chinese-aligned cyber actors may target individuals with access to that information to further Chinese development goals,” Proofpoint added.
