Hackers always keep evolving their tools to stay ahead of defense systems and exploit new vulnerabilities.
Cybersecurity researchers at Trend Micro reported that the Earth Hundun (BlackTech) cyberespionage group has seen a rise in cyberattacks.
These attacks exploit the Waterbear virus family, which is renowned for its intricate anti-analysis skills and regularly revised loaders, downloaders, and communication protocols by developers.
The most recent version, Deuterbear, uses more elaborate evasion strategies that necessitate a detailed examination of this multifaceted malware weapons stockpile, which is used for spying, especially in the Asia Pacific region.
Since 2009, Waterbear has undergone more than ten versions, with developers continuously working on infection processes until the time when a successful compromise was achieved which resulted in multiple coexistence of these versions among victims.
Trustifi’s Advanced threat protection prevents the widest spectrum of sophisticated attacks before they reach a user’s mailbox. Stopping 99% of phishing attacks missed by
other email security solutions. .
It is important to note that some Waterbear downloaders use internal IP addresses as their C&C servers, which suggests that they know the target networks deeply and use multilayer jump servers to persist stealthily and control compromised environments, according to the report.
The fact that these sophisticated techniques are designed for evasion and longevity reflects the advanced nature of these attacks as well as the determined efforts of the threat actors behind this constantly changing malware family.
Deuterbear is the latest Waterbear downloader variant which was active since 2022 and represents a distinct malware entity separate from the original Waterbear downloader category.
This classification originates from significant updates to its decryption flow and configuration structure, marking a notable evolution in the malware’s capabilities.
Comparison Between Deuterbear And Waterbear
Here below, we have mentioned all the key differences between the Deuterbear downloader and the Waterbear downloader:-
The Earth Hundun group has been incessantly transforming Waterbear into a more advanced version known as Deuterbear since 2009.
Using HTTPS encryption, debugger/sandbox checks, changed decryption, and updated protocols makes Deuterbear the most recent in sophistication infection methods and anti-analysis mechanisms.
Earth Hundun still penetrates Asia-Pacific targets despite these defenses, with an ever-improving Waterbear that poses considerable difficulties.
Indicators Of Compromise
Files SHA-256 Detection Name
- e669aaf63552430c6b7c6bd158bcd1e7a11091c164eb034319e1188d43b5490c Trojan.Win64.WATERBEAR.ZTLC
- 0da9661ed1e73a58bd1005187ad9251bcdea317ca59565753d86ccf1e56927b8 Trojan.Win64.WATERBEAR.ZTLC.enc
- ca0423851ee2aa3013fe74666a965c2312e42d040dbfff86595eb530be3e963f Trojan.Win64.WATERBEAR.ZTLA
- 6dcc3af7c67403eaae3d5af2f057f0bb553d56ec746ff4cb7c03311e34343ebd Trojan.Win64.WATERBEAR.ZTLC.enc
- ab8d60e121d6f121c250208987beb6b53d4000bc861e60b093cf5c389e8e7162 Trojan.Win64.WATERBEAR.ZTLB
- a569df3c46f3816d006a40046dae0eb1bc3f9f1d4d3799703070390e195f6dd4 Trojan.Win64.WATERBEAR.ZTLC.enc
- e483cae34eb1e246c3dd4552b2e71614d4df53dc0bac06076442ffc7ac2e06b2 Trojan.Win64.WATERBEAR.ZTLB
- c97e8075466cf91623b1caa1747a6c5ee38c2d0341e0a3a2fa8fcf5a2e6ad3a6 Trojan.Win64.WATERBEAR.ZTLB
- 6b9a14d4d9230e038ffd9e1f5fd0d3065ff0a78b52ab338644462864740c2241 Trojan.Win64.WATERBEAR.ZTLB.enc
- d665aea7899ad317baf1b6e662f40a10d42045865f9eea1ab18993b50dd8942d Trojan.Win64.DEUTERBEAR.ZTLC
- dc60d8b1eff66bfb91573c8f825695e27b0813a9891bd0541d9ff6a3ae7e8cf2 Trojan.Win64.DEUTERBEAR.ZTLC.enc
- 4540132def6dfa6d181cabf1e1689bede5ecfef6450b033fecb0aeb1fe1b3fe9 Trojan.Win64.DEUTERBEAR.ZTLC
- 8f26069b6b49391f245b8551aa42ca4814c52e7f52d0343916f5262557bf5c52 Trojan.Win64.DEUTERBEAR.ZTLC.enc
- 74efa0ce94f4285404108d3d19bf2ff64c7c3a1c85e9b59cf511b56f9d71dc05 Trojan.Win64.DEUTERBEAR.ZTLC
- d6ac4f364b25365eb4a5636beffc836243743ecf7ef4ec391252119aed924cab Trojan.Win64.DEUTERBEAR.ZTLC.enc
Network
- freeprous.bakhell[.]com:443
- cloudflaread.quadrantbd[.]com:443
- showgyella.quadrantbd[.]com:443
- rscvmogt.taishanlaw[.]com:443
- smartclouds.gelatosg[.]com:443
- suitsvm003.rchitecture[.]org:443
- cloudsrm.gelatosg[.]com:443
Secure your emails in a heartbeat! To find your ideal email security vendor, Take a Free 30-Second Assessment.