A recent report tracks the progression of Earth Hundun’s cyberespionage campaign in 2024 and sheds light on two of the tools used by the threat actor: Waterbear and Deuterbear. It analyzes how both operate, detailing their stages of infection, command and control (C&C) interaction, and malware behavior.

Deuterbear, an evolution of Waterbear, showcases advancements in capabilities such as support for shellcode plugins, RAT operation without handshakes, and the use of HTTPS for C&C communication. The comparison between the two variants reveals differences in shellcode format, anti-memory scanning, and traffic key sharing.

Earth Hundun has been found to target the Asia-Pacific region using Waterbear and Deuterbear. Deuterbear was first observed in October 2022 and has since been a part of subsequent campaigns by the group. The evolution from Waterbear to Deuterbear indicates Earth Hundun’s development of tools for anti-analysis and detection evasion.

The report delves into the intricate workings of the downloader, infection flow, and anti-analysis techniques. It also provides insights into the behaviors of the RAT used in Earth Hundun’s cyberespionage campaign. The report further examines the installation pathway of Deuterbear and the similarities and differences between Waterbear and Deuterbear in terms of functionality, evasion, and communication.

The findings point to continuous evolution in Earth Hundun’s tactics, with tools like Waterbear and Deuterbear being refined for enhanced capabilities. Organizations can defend themselves from Earth Hundun attacks by conducting memory scans for downloads and detecting the presence of the Deuterbear malware within their systems. The report also touches on the MITRE ATT&CK tactics, techniques, and IDs employed by Earth Hundun in its cyberespionage activities.

For those interested in the indicators of compromise related to the tracked cyberespionage campaign, more information can be accessed via the provided link.

Fabio
