Cyber Security News

Earth Hundun Hacker Group Employs Advanced Tactics to Evade Detection

Earth Hundun, a threat group active in the Asia-Pacific region, uses two malware families: Waterbear and Deuterbear.

Deuterbear was first observed in Earth Hundun's arsenal in October 2022, marking its introduction into the group's toolset.

Figure: The industry distribution of endpoints infected by Waterbear and Deuterbear since 2022.

This report describes the final-stage Remote Access Trojan (RAT) recovered from a C&C server used in an Earth Hundun campaign in 2024.

The analysis begins with the Waterbear downloader's network behaviour. A case study then shows how the Waterbear RAT and its plugins were deployed in the second phase, and how Waterbear downloaders spread across the victim's network, complicating detection and monitoring.

Deuterbear now supports plugin shellcode formats and runs RAT sessions without handshakes.

Trend Micro's analysis of how Earth Hundun's Waterbear and Deuterbear malware interact with targets demonstrates the group's sophisticated tactics.


Waterbear Case Study

A flowchart from a previous campaign shows Waterbear's activity inside a victim's network and how it proliferates downloaders.

Figure: One of the Waterbear campaign attack chains

Initial Stage

As described in the previous report, Waterbear's initial stage used three files for the first download.

These are a modified legitimate executable, a loader, and an encrypted downloader.

The Second Stage

Waterbear RAT (A) downloaded the plugin via RAT command 1010 and invoked its first export function, "Start", which injects it into a process.

The plugin carries two unencrypted Waterbear downloaders, versions 0.27 and 0.28, and selects one according to the architecture of the target process.

32-bit processes run version 0.27, while 64-bit processes run version 0.28, increasing the number of downloaders deployed.

The additional downloaders either hide the actor's tracks or connect to different C&C servers from within the victim's network, showing the threat actor's flexibility in C&C communication.

Waterbear RAT

Command Capabilities:

  • File Management: Commands for enumerating disk drives, listing files, uploading and downloading files, renaming, creating folders, deleting files, executing files, moving files, and disguising file metadata.
  • Window Management: Commands for enumerating, hiding, showing, closing, minimizing, maximizing windows, taking screenshots, and setting screenshot events.
  • Process Management: Commands for enumerating, terminating, suspending, resuming processes, and retrieving process module information.
  • Network Management: Commands for getting extended TCP tables and setting TCP entry states.
  • Service Management: Commands for enumerating and manipulating services.
  • Configuration Management: Commands for getting and setting C&C configurations.
  • Remote Shell Management: Commands for starting, exiting, and getting the PID of a remote shell.
  • Registry Management: Commands for enumerating, creating, setting, and deleting registry keys and values.
  • Basic Control: Commands for getting the current window, setting infection marks, and terminating connections and RAT processes.
  • Proxy Management: Commands for updating C&C IP addresses, proxying data, shutting down connections, and managing socket handles.

Victim Information Transmission:

Before executing backdoor commands, Waterbear sends detailed victim information to the C&C server, including admin status, system version, host and user names, window text, adapter info, process ID, and infection marks.

Deuterbear RAT

Installation Pathway:

  • Deuterbear uses a two-stage installation process. The first stage involves decrypting and deploying a downloader, which surveys the system and installs the second-stage components.
  • The first stage components are removed after persistence is achieved to avoid detection.

Command Capabilities:

  • File Management: Commands for listing files, uploading and downloading files, renaming files, and executing files.
  • Process Management: Commands for enumerating and terminating processes.
  • Configuration Management: Commands for collecting and updating downloader configuration data.
  • Remote Shell Management: Commands for starting, exiting, and getting the PID of a remote shell.
  • Basic Control: Commands for getting the current window, setting infection marks, and terminating connections and RAT processes.
  • Plugins Management: Commands for downloading, uninstalling, and executing plugins, including shellcode and PE DLLs.

Victim Information Transmission:

Similar to Waterbear, Deuterbear sends victim information to the C&C server before executing backdoor commands, including admin status, user and host names, OS version, window text, adapter info, process ID, and infection marks.

Differences from Waterbear:

Deuterbear retains fewer commands (20 compared to over 60 for Waterbear) but supports more plugins to enhance flexibility.

It uses the same HTTPS channel and RC4 traffic key as the downloader, so no handshake with the C&C server is needed to update the communication protocol.
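The key-reuse point above matters to analysts: once the RC4 traffic key is recovered from the Deuterbear downloader stage, the same key decrypts the RAT session, because no handshake renegotiates it. The following is an added example, not code from the article or from Trend Micro, showing how a single recovered key is confirmed against a downloader capture and then applied to a RAT capture. The key, the message bodies and the printable-text heuristic are constructed assumptions for illustration; the real message format is not described on the page.

```python
"""RC4 helper for analysing traffic that reuses one key across two stages.

Added example (not code from the article or from Trend Micro). The key and
the two message bodies below are constructed sample values.
"""


def rc4(key: bytes, data: bytes) -> bytes:
    """RC4 keystream XOR. Symmetric: the same call encrypts and decrypts."""
    if not key:
        raise ValueError("RC4 key must not be empty")
    # Key-scheduling algorithm (KSA)
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    # Pseudo-random generation algorithm (PRGA)
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def try_key(key: bytes, ciphertext: bytes, min_printable: float = 0.9) -> bool:
    """Heuristic key confirmation (assumption: the cleartext is mostly text).

    Returns True when decrypting with `key` yields at least `min_printable`
    printable bytes; a wrong key produces pseudo-random output that fails this.
    """
    plain = rc4(key, ciphertext)
    printable = sum(1 for b in plain if 32 <= b < 127 or b in (9, 10, 13))
    return printable / max(len(plain), 1) >= min_printable


# Constructed sample: the traffic key as it would be recovered from the
# downloader stage's configuration (not a real Deuterbear key).
SAMPLE_TRAFFIC_KEY = b"constructed-sample-traffic-key"


def build_sample_capture(key: bytes = SAMPLE_TRAFFIC_KEY) -> list:
    """Constructed stand-ins for two captured request bodies, one per stage."""
    downloader_beacon = b"stage=downloader;host=WS01-constructed;ver=sample"
    rat_beacon = b"stage=rat;user=alice-constructed;mark=infected;pid=4242"
    return [rc4(key, downloader_beacon), rc4(key, rat_beacon)]


def decrypt_both_stages(key: bytes, captured: list) -> dict:
    """Confirm the key on the downloader record, then reuse it for the RAT record."""
    downloader_rec, rat_rec = captured
    result = {"key_confirmed": try_key(key, downloader_rec)}
    if result["key_confirmed"]:
        # Same key, no handshake: the RAT session opens with the downloader's key.
        result["downloader"] = rc4(key, downloader_rec)
        result["rat"] = rc4(key, rat_rec)
    return result


if __name__ == "__main__":
    capture = build_sample_capture()
    for name, body in decrypt_both_stages(SAMPLE_TRAFFIC_KEY, capture).items():
        print(name, body)
```

For real captures the key would come from the downloader's decrypted configuration and the heuristic would be replaced by a check against the actual record structure; the point of the example is only that one key serves both stages.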

Waterbear has evolved into Deuterbear, a new malware family.

Interestingly, Waterbear and Deuterbear continue to evolve in parallel rather than one replacing the other.

Memory scans for the downloaders and for the Waterbear and Deuterbear RATs can help organizations detect Earth Hundun attacks. Locating the registry key used to decrypt the Deuterbear downloader also helps find the downloader on a compromised system.

Divya is a Senior Journalist at Cyber Security news covering Cyber Attacks, Threats, Breaches, Vulnerabilities and other happenings in the cyber world.
