The Asia-Pacific region has become a focal point for cyber attacks from the threat actor BlackTech, which has targeted technology, research, and government sectors in recent intrusions. This wave of attacks introduces an updated version of the modular backdoor known as Waterbear, along with its advanced successor, Deuterbear.
In a recent analysis, researchers described Waterbear as a complex backdoor that uses a number of evasion mechanisms to minimize the chance of detection and analysis. They highlighted that the latest version, known as Deuterbear, includes changes such as anti-memory-scanning and decryption routines, which distinguish it as a separate malware family rather than just another build of the original Waterbear.
BlackTech, also known as Earth Hundun, has been active since at least 2007 and is known by various aliases, including Circuit Panda, HUAPI, Manga Taurus, Palmerworm, Red Djinn, and Temp.Overboard. In a joint advisory published in September, cybersecurity and intelligence agencies from Japan and the U.S. attributed BlackTech to China, noting its ability to modify router firmware and exploit routers’ domain-trust relationships for further infiltration.
BlackTech employs custom malware, dual-use tools, and living-off-the-land tactics, such as disabling logging on routers, to conceal its operations. After gaining access to a target network and administrator privileges on network edge devices, BlackTech often modifies firmware to hide its activity and maintain persistence.
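The two edge-device tactics described above, modified firmware and disabled logging, are both things a defender can check for from outside the device. The following is an added example written for this page, not code from the original article or from any vendor or researcher, showing a minimal audit that compares a firmware image against a digest you recorded yourself and scans a running configuration for lines that turn logging off. The device name, the baseline digest, the IOS-style `no logging ...` patterns and the sample configuration are all constructed assumptions for illustration; adjust the patterns to your platform.

```python
"""Audit an edge device for the tactics described above:
firmware that no longer matches a known-good baseline, and
configuration lines that disable logging.

Added example for this page; not vendor tooling. All device names,
digests, patterns and sample input below are constructed.
"""
import hashlib
import re

# Constructed: SHA-256 digests of firmware images you recorded from a
# trusted copy (e.g. the vendor download), keyed by device name.
KNOWN_GOOD_FIRMWARE = {
    "edge-router-01": hashlib.sha256(b"vendor-image-v1").hexdigest(),
}

# Constructed patterns modelled on Cisco IOS syntax. Console logging is
# often legitimately off, so it is deliberately not included; turning off
# the syslog host, trap level, buffer or logging altogether is the signal.
LOGGING_DISABLED_PATTERNS = [
    re.compile(r"^\s*no logging (host|trap|buffered|on)\b"),
]


def firmware_matches_baseline(device, image_bytes):
    """True only if the image hashes to the digest recorded for this device."""
    digest = hashlib.sha256(image_bytes).hexdigest()
    expected = KNOWN_GOOD_FIRMWARE.get(device)
    return expected is not None and digest == expected


def logging_disabled_lines(running_config):
    """Return (line number, stripped line) for every log-disabling line."""
    hits = []
    for lineno, line in enumerate(running_config.splitlines(), 1):
        if any(p.search(line) for p in LOGGING_DISABLED_PATTERNS):
            hits.append((lineno, line.strip()))
    return hits


def audit(device, image_bytes, running_config):
    """Combine both checks into a list of human-readable findings."""
    findings = []
    if not firmware_matches_baseline(device, image_bytes):
        findings.append("firmware image does not match recorded baseline")
    for lineno, line in logging_disabled_lines(running_config):
        findings.append(f"logging disabled at config line {lineno}: {line}")
    return findings


# Constructed sample running-config: syslog host still set, but trap and
# buffered logging have been switched off, the kind of edit the article
# attributes to the actor.
SAMPLE_CONFIG = """\
hostname edge-router-01
logging host 10.0.0.5
no logging trap
no logging buffered
"""

if __name__ == "__main__":
    # Constructed: an image whose bytes differ from the recorded baseline.
    for finding in audit("edge-router-01", b"tampered-image", SAMPLE_CONFIG):
        print(finding)
```

One caveat the article's own description implies: an actor who has modified the firmware can also make the device misreport its image, so compute the digest from a copy pulled out-of-band (for example from the vendor's download or from a maintenance boot), not from whatever the running device claims about itself, and keep the configuration snapshot and the logs it references on a collector the device cannot alter.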
Waterbear, a core component of BlackTech’s arsenal since 2009, is continuously updated with improved defense evasion features. The remote access trojan supports nearly 50 commands, enabling a wide range of activities, including process enumeration, file operations, remote shell execution, screenshot capture, and Windows Registry modification.
Deuterbear, introduced in 2022, uses HTTPS to encrypt its network traffic and changes how the malware executes in order to evade detection. Its downloader applies obfuscation methods that hinder analysis while still establishing communication with the command-and-control server.
“Since 2009, Earth Hundun has continuously evolved and refined the Waterbear backdoor, as well as its many variants and branches,” noted the researchers. The introduction of Deuterbear marks another step in BlackTech’s sophisticated cyber attack campaigns, emphasizing the need for heightened cybersecurity measures in affected sectors.
To reduce exposure to BlackTech and tools like Deuterbear, follow established security practices. Use strong, unique passwords for all accounts and enable multi-factor authentication wherever possible. Apply software and firmware updates promptly to patch vulnerabilities. Run reputable endpoint protection and conduct regular security audits. Given the group's documented use of modified router firmware and disabled logging, also verify edge-device firmware against a known-good baseline and forward device logs to a central collector so that changes made on the device itself cannot erase the record.