Earth Hundun’s Waterbear and Deuterbear malware families show evolving infection chains, C2 communications, and anti-analysis tactics across 2024 campaigns. The report compares Waterbear’s downloader/RAT progression and Deuterbear’s shellcode plugins, HTTPS C2, and handshake-free operation, highlighting anti-analysis and detection evasion improvements. #EarthHundun #Waterbear #Deuterbear
Keypoints
- Earth Hundun targets the Asia-Pacific region and uses updated tactics for infection spread and communication.
- The report analyzes Waterbear (first-stage downloader and RAT) and Deuterbear (second-stage RAT with plugins) and their C2 interactions.
- Deuterbear introduces shellcode plugins, avoids handshakes in RAT operation, and uses HTTPS for C2 communication, representing an evolution from Waterbear.
- Waterbear and Deuterbear show anti-analysis and detection evasion measures, including memory, registry, and network handling techniques.
- The two malware families share some payload traits but differ in plugin formats, key sharing, and infection flow.
- MITRE ATT&CK-aligned behaviors are mapped across execution, persistence, defense evasion, discovery, lateral movement, collection, exfiltration, and C2 categories, with detailed technique codes.
MITRE Techniques
- [T1129] Shared Modules – Dynamically loads the DLLs through the shellcode. “Dynamically loads the DLLs through the shellcode”
- [T1106] Native API – Dynamically loads the APIs through the shellcode. “Dynamically loads the APIs through the shellcode”
- [T1574.002] Hijack Execution Flow: DLL Side-Loading – Uses a modified legitimate executable to load the malicious DLL. “Uses modified legitimate executable to load the malicious DLL”
- [T1547.012] Boot or Logon Autostart Execution: Print Processors – Deuterbear abuses print processors to run malicious DLLs during system…
- [T1055] Process Injection – Waterbear and Deuterbear inject the targeted process. “Waterbear and Deuterbear inject the targeted process”
- [T1140] Deobfuscate/Decode Files or Information – Uses RC4 or CryptUnprotectData to decrypt encrypted downloader. “Uses RC4 or CryptUnprotectData to decrypt encrypted downloader”
- [T1480] Execution Guardrails – Targets specific path/registry in the victim’s environment. “Targets specific path/registry in the victim’s environment”
- [T1497.003] Time Based Evasion – Deuterbear checks for a sandbox through API calls and Sleep-based timing checks to confirm it is running under normal operation. “Deuterbear checks sandbox by API, Sleep, whether normal operation.”
- [T1622] Debugger Evasion – Deuterbear detects a debugger by measuring process execution time. “Deuterbear checks debugger mode by process time”
- [T1083] File and Directory Discovery – The Waterbear and Deuterbear RATs search files and directories. “searches files and directories”
- [T1016.001] Internet Connection Discovery – Downloaders check for internet connectivity on compromised systems. “System Network Configuration Discovery: Internet Connection Discovery”
- [T1049] System Network Connections Discovery – The Waterbear and Deuterbear RATs list network connections to or from the compromised system. “System Network Connections Discovery”
- [T1057] Process Discovery – The Waterbear and Deuterbear RATs search for specific processes. “Process Discovery”
- [T1082] System Information Discovery – Gets detailed information about the OS and hardware. “System Information Discovery”
- [T1012] Query Registry – Queries data from registry to decrypt downloader. “Query Registry”
- [T1021.006] Remote Services: Windows Remote Management – The Waterbear and Deuterbear RATs control a remote shell. “Remote Services: Windows Remote Management”
- [T1005] Data from Local System – Collects basic information about the victim. “Data from Local System”
- [T1041] Exfiltration Over Command and Control Channel – Sends collected data to C&C. “Exfiltration Over Command-and-Control Channel”
- [T1071.001] Application Layer Protocol: Web Protocols – Downloaders communicate with C&C by HTTP/HTTPS. “Application Layer Protocol: Web Protocols”
- [T1573] Encrypted Channel – Employs RC4/RSA to conceal command and control traffic. “Encrypted Channel”
- [T1132.002] Data Encoding: Non-Standard Encoding – Encodes traffic with a non-standard RC4 to make the content of traffic more difficult to detect. “Data Encoding: Non-Standard Encoding”
Indicators of Compromise
- [URL] No explicit IOCs listed in article; IOC data available in linked file – https://www.trendmicro.com/content/dam/trendmicro/global/en/research/24/e/tracking-the-progression-of-earth-hundun-cyberespionage-campaign-in-2024.txt
Read more: https://www.trendmicro.com/en_us/research/24/e/earth-hundun-2.html