Keypoints
- Earth Hundun (aka BlackTech) maintains and updates the Waterbear backdoor family, with more than 10 versions observed since 2009.
- Waterbear loaders use two main decryption patterns: a salted RC4 routine with evolving obfuscation and a registry-stored encrypted downloader decrypted via CryptUnprotectData on the infected host.
- Operators employ DLL sideloading by patching legitimate executables' import tables to load malicious DLL loaders, enabling stealthy execution.
- Downloaders implement multiple anti-analysis measures: large 0x00 padding, debugger and sandbox/time checks, and anti-memory-scanning that encrypts function blocks and relocates decrypted code.
- Waterbear's C2 protocol uses a 10-byte header with salted RC4 (KEY_1 / KEY_RANDOM / KEY_2) and typically delivers a PE RAT; Deuterbear switches to HTTPS, RSA for key exchange, and delivers shellcode RATs.
- Deuterbear's loader adds registry-based CLSID/AppID lookups and multi-step decryption (XOR + CryptUnprotectData variations) and executes decrypted functions in newly allocated virtual memory to hinder memory scanning.
MITRE Techniques
- [T1574.002] Hijack Execution Flow: DLL Side-Loading - Attackers patched the legitimate executable's import table to add the malicious DLL and perform DLL sideloading ("patched the legitimate executable to modify the import table").
- [T1140] Deobfuscate/Decode Files or Information - The encrypted downloader is recovered with RC4 or CryptUnprotectData ("uses RC4 or CryptUnprotectData to decrypt encrypted downloader").
- [T1027.001] Obfuscated Files or Information: Binary Padding - The downloader evades detection with long runs of 0x00 at its beginning and end ("adding a large amount of padding with 0x00 around the beginning and end to avoid detection").
- [T1573] Encrypted Channel - Deuterbear uses an HTTPS tunnel and RSA/RC4 to conceal C2 traffic ("enables HTTPS tunnel").
- [T1071.001] Command and Control: Application Layer Protocol - Downloaders communicate with C2 over HTTP/HTTPS for staged retrieval of the RAT ("Downloaders communicate with C&C by HTTP/HTTPS").
- [T1480] Execution Guardrails - Decryption depends on registry-stored values and target-specific CLSIDs, indicating execution guardrails tied to particular registry paths ("Query password from registry … with key 'AppID'").
- [T1497.003] Virtualization/Sandbox Evasion: Time Based Evasion - Downloaders check for a sandbox using API calls and Sleep to detect abnormal operation or time skew ("Checking sandbox environment by API, Sleep, which is normal operation").
- [T1622] Debugger Evasion - The loader detects an attached debugger by measuring process time ("checks the debugger mode by process time").
- [T1012] Query Registry - Deuterbear's loader queries registry CLSID/AppID entries to retrieve passwords and encrypted downloader paths ("Query password from registry … with key 'AppID'").
- [T1129] Shared Modules - Shellcode loads DLLs/modules dynamically as part of the execution flow ("Dynamically loads the DLLs through the shellcode").
- [T1041] Exfiltration Over C2 Channel - The RAT sends collected data back to C2 over the established encrypted channel ("Sends collected data to C&C").
Indicators of Compromise
- [File hash] Downloader sample context â 6b9a14d4d9230e038ffd9e1f5fd0d3065ff0a78b52ab338644462864740c2241 (associated with a downloader that used internal C2 IP), and other hashes in the IOC list.
- [IP address] Internal C2 context â 192.168.11[.]2 used as a C&C server by a downloader sample (suggests use of internal/jump hosts).
- [IOC list / reference] Consolidated IOC file â https://www.trendmicro.com/content/dam/trendmicro/global/en/research/24/d/cyberespionage-group-earth-hundun%27s-continuous-refinement-of-waterbear-and-deuterbear/ioc-earth-hundun.txt (contains full list of hashes, domains, and IPs).
Waterbear and Deuterbear follow a staged loader-downloader-RAT flow with distinct technical differences. Loaders often use a legitimate executable patched to sideload a malicious DLL; recent Waterbear loaders decrypt embedded downloaders using a salted RC4 routine (with increasing obfuscation in KSA/PRGA) or place encrypted downloaders in the registry and decrypt them locally via CryptUnprotectData. The loader then executes shellcode which performs anti-memory scanning by decrypting function blocks only when needed, relocating the recovered function to another memory region, executing it, and re-encrypting it to impede scanning.
The downloader stage refines anti-analysis and communication: Waterbear's protocol uses a 10-byte custom header and a KEY_RANDOM/KEY_1/KEY_2 salted-RC4 scheme (victim-generated KEY_RANDOM) and typically receives a PE RAT; it also pads encrypted payloads with long 0x00 blocks to evade AV. Deuterbear, active since 2022, changes the chain by enforcing registry-based decryption parameters (CLSID/AppID entries), performing multi-step XOR+CryptUnprotectData decryptions, enabling an HTTPS tunnel, and using an RSA key exchange in which the victim generates an RSA public key and the C2 returns RC4 keys encrypted with that RSA key. Deuterbear delivers the next stage as shellcode, uses a compact 5-byte header, and performs anti-memory scanning by decrypting functions into newly allocated virtual memory for execution.
Configuration layouts differ and are important for detection: Waterbear configs store encryption keys, version, C2 addresses XORed with 0xFF, RC4 traffic keys, API/address lists, and function offsets (example offsets shown in Table 1); Deuterbear uses a different signature/key layout (signature 00 00 01 00, C2 key areas, execution-time bounds, and an encrypted C2 block) and specifies execution time windows to limit when payloads run. These differences (decryption flow, C2 key exchange, transport, and RAT format) are why Deuterbear is treated as a distinct downloader family from classic Waterbear.
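The two paragraphs above describe the Waterbear config fields (version, C2 addresses XORed with 0xFF, RC4 traffic key) and the KEY_1 / KEY_RANDOM / KEY_2 salted-RC4 traffic scheme. The following analyst helper is an added example, not code from the Trend Micro report or from the malware: it recovers the C2 list and traffic key from a config blob and decrypts a message body with a salted RC4 key. The page gives only the field names, so the byte layout (`build_config` / `parse_config`), the NUL-separated C2 list, the salting rule (modelled as plain concatenation in `salted_rc4_key`) and all sample values are constructed assumptions for illustration, not the real Waterbear format.

```python
# Added analyst example (not the report's or the malware's code): config and
# traffic decoding for the Waterbear-style layout summarised above.
# ASSUMPTIONS: the byte layout, NUL-separated C2 list, and the salting rule
# (KEY_1 || KEY_RANDOM || KEY_2) are constructed for illustration only.
import struct


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4: KSA builds the permutation, PRGA XORs the keystream."""
    S = list(range(256))
    j = 0
    for i in range(256):                       # KSA
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for b in data:                             # PRGA
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(b ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def salted_rc4_key(key_1: bytes, key_random: bytes, key_2: bytes) -> bytes:
    """ASSUMPTION: the session key is KEY_1 || KEY_RANDOM || KEY_2.
    The report names the three parts; the exact combination rule is not on
    the page, so replace this function once the real rule is known."""
    return key_1 + key_random + key_2


def xor_ff(data: bytes) -> bytes:
    """Undo the 0xFF XOR that the summary says is applied to C2 addresses."""
    return bytes(b ^ 0xFF for b in data)


def build_config(version: int, c2_list: list, rc4_key: bytes) -> bytes:
    """Constructed (hypothetical) layout used only to produce the sample:
    u16 version | u16 c2_len | c2 block (XOR 0xFF, NUL separated) | u8 key_len | key."""
    c2_block = xor_ff(b"\x00".join(s.encode() for s in c2_list) + b"\x00")
    return (struct.pack("<HH", version, len(c2_block)) + c2_block
            + struct.pack("<B", len(rc4_key)) + rc4_key)


def parse_config(blob: bytes) -> dict:
    """Inverse of build_config: version, plaintext C2 list and traffic key."""
    version, c2_len = struct.unpack_from("<HH", blob, 0)
    c2_block = blob[4:4 + c2_len]
    key_len = blob[4 + c2_len]
    key = blob[5 + c2_len:5 + c2_len + key_len]
    c2s = [s.decode() for s in xor_ff(c2_block).split(b"\x00") if s]
    return {"version": version, "c2": c2s, "rc4_key": key}


def decrypt_message(key_1: bytes, key_random: bytes, key_2: bytes,
                    ciphertext: bytes) -> bytes:
    """Decrypt one C2 message body under the salted session key (RC4 is symmetric)."""
    return rc4(salted_rc4_key(key_1, key_random, key_2), ciphertext)


# Constructed sample data (not real IoCs): one config blob and one message body.
SAMPLE_CONFIG = build_config(3, ["203.0.113.10:443", "c2.example.invalid:8443"],
                             b"traffic-key")
SAMPLE_KEY_RANDOM = b"\x11\x22\x33\x44"          # stands in for the victim-generated part
SAMPLE_CIPHERTEXT = rc4(salted_rc4_key(b"k1", SAMPLE_KEY_RANDOM, b"k2"), b"payload-ok")

if __name__ == "__main__":
    print(parse_config(SAMPLE_CONFIG))
    print(decrypt_message(b"k1", SAMPLE_KEY_RANDOM, b"k2", SAMPLE_CIPHERTEXT))
```

In practice the config offsets come from the report's Table 1 rather than this constructed layout; the value of the helper is that the RC4 core and the XOR-0xFF decoding can be reused unchanged once the real offsets and salting rule are plugged in, which is what makes the differing Waterbear and Deuterbear key layouts usable as detection material.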
Read more: https://www.trendmicro.com/en_us/research/24/d/earth-hundun-waterbear-deuterbear.html