Security researchers have published further details on a remote access trojan (RAT) tracked as Deuterbear, used by the China-linked BlackTech hacking group in a cyber-espionage campaign targeting the Asia-Pacific region this year.
“Deuterbear, akin to Waterbear in several aspects, exhibits enhanced capabilities including support for shellcode plugins, eschewing handshakes for RAT operation, and leveraging HTTPS for command-and-control (C&C) communication,” Trend Micro researchers Pierre Lee and Cyris Tseng disclosed in a new analysis.
“Juxtaposing the two malware variants, Deuterbear utilizes a shellcode format, features anti-memory scanning techniques, and shares a traffic key with its downloader, unlike Waterbear.”
Active since at least 2007, BlackTech is also recognized by the broader cybersecurity community under aliases such as Circuit Panda, Earth Hundun, HUAPI, Manga Taurus, Palmerworm, Red Djinn, and Temp.Overboard.
The group has relied on a malware known as Waterbear (also dubbed DBGPRINT) for nearly 15 years, and campaigns observed since October 2022 have incorporated an updated iteration called Deuterbear.
Waterbear is delivered through a patched legitimate executable that is abused for DLL side-loading: the executable launches a malicious loader, which decrypts and runs a downloader, which in turn contacts a C&C server to retrieve the RAT module.
Notably, the RAT module is retrieved twice from the attacker-controlled infrastructure; the initial instance loads the Waterbear plugin, which subsequently launches an alternate version of the Waterbear downloader to fetch the RAT module from another C&C server.
In essence, the first Waterbear RAT acts as a downloader, while the second Waterbear RAT serves as a backdoor, exfiltrating sensitive data from the compromised host via an array of 60 commands.
The infection trajectory for Deuterbear parallels that of Waterbear, incorporating a dual-stage process to install the RAT backdoor component, albeit with certain modifications.
In the first stage, a loader launches a downloader that connects to the C&C server to fetch the Deuterbear RAT; this first-stage RAT then installs persistence by planting a second-stage loader that is again invoked via DLL side-loading.
That second-stage loader runs its own downloader, which retrieves the Deuterbear RAT once more from a C&C server, and it is this second copy that carries out data exfiltration.
“In the majority of infected systems, only the second stage Deuterbear is present,” the researchers noted. “All components of the first stage Deuterbear are completely eradicated post-‘persistence installation.’”
“This approach effectively obfuscates their tracks and hinders the malware from being readily analyzed by threat researchers, particularly in simulated environments as opposed to actual victim systems.”
Deuterbear RAT is a more streamlined version of its predecessor, retaining a limited set of commands in favor of a plugin-based model to incorporate additional functionality.
“Waterbear has undergone continuous evolution, culminating in the emergence of a new malware, Deuterbear,” Trend Micro observed. “Interestingly, both Waterbear and Deuterbear continue to evolve independently, rather than one supplanting the other.”
Targeted Campaign Delivers SugarGh0st RAT
The revelation coincides with Proofpoint detailing a highly targeted cyber campaign aimed at U.S. organizations involved in artificial intelligence endeavors, encompassing academia, private industry, and government, to deploy a malware named SugarGh0st RAT.
The enterprise security firm is monitoring the nascent activity cluster under the designation UNK_SweetSpecter.
“SugarGh0st RAT is a remote access trojan, a bespoke variant of Gh0st RAT, an older commodity trojan typically utilized by Chinese-speaking threat actors,” the company reported. “Historically, SugarGh0st RAT has been deployed to target users in Central and East Asia.”
SugarGh0st RAT was first documented late last year by Cisco Talos in connection with a campaign targeting the Uzbekistan Ministry of Foreign Affairs and South Korean users since August 2023. These intrusions were attributed to a suspected Chinese-speaking threat actor.
The attack chain begins with AI-themed phishing emails carrying a ZIP archive; the archive contains a Windows shortcut (LNK) file that launches a JavaScript dropper, which in turn deploys the SugarGh0st payload.
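The ZIP-to-LNK-to-script-dropper delivery described above is a common lure layout, and the cheapest place to catch it is at the attachment, before any script runs. The following is an added triage example, not code from Proofpoint or from the campaign: it opens a ZIP in memory, identifies shortcut members by their Shell Link header (size 0x4C plus the LNK CLSID) rather than by extension, and scans the raw shortcut bytes for script hosts and script extensions in both ANSI and UTF-16LE form. The sample archive, its file names and the command line inside the shortcut are constructed for the demonstration and are not artifacts from the real campaign.

```python
import io
import struct
import zipfile

# MS-SHLLINK: every Shell Link file begins with HeaderSize 0x4C and the LNK class ID.
LNK_HEADER_SIZE = 0x4C
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")

# Script hosts and script extensions a shortcut-launched JavaScript dropper typically needs.
# This list is an assumption for the example, not a published indicator set.
SUSPICIOUS_TOKENS = (
    "wscript", "cscript", "mshta", "powershell", "cmd.exe",
    ".js", ".jse", ".vbs", ".hta",
)


def is_lnk(data: bytes) -> bool:
    """Return True if the bytes start with a well-formed Shell Link header."""
    if len(data) < LNK_HEADER_SIZE:
        return False
    header_size = struct.unpack_from("<I", data, 0)[0]
    return header_size == LNK_HEADER_SIZE and data[4:20] == LNK_CLSID


def lnk_suspicious_tokens(data: bytes) -> list[str]:
    """Heuristic scan of the raw shortcut bytes for script hosts/extensions.

    Shortcut string data (target path, arguments) is usually stored as UTF-16LE,
    so each token is checked in both ASCII and UTF-16LE encodings. bytes.lower()
    only folds ASCII letters, which leaves the UTF-16LE null bytes untouched.
    """
    lowered = data.lower()
    found = []
    for token in SUSPICIOUS_TOKENS:
        if token.encode("ascii") in lowered or token.encode("utf-16-le") in lowered:
            found.append(token)
    return found


def triage_zip(zip_bytes: bytes) -> list[dict]:
    """Report every shortcut inside a ZIP lure along with the script hosts it references."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            data = zf.read(info.filename)
            # Identify by content, not by name: attackers rename lures freely.
            if not is_lnk(data):
                continue
            findings.append({
                "member": info.filename,
                # "invoice.pdf.lnk"-style names hide the real extension from Explorer.
                "double_extension": info.filename.lower().count(".") >= 2,
                "tokens": lnk_suspicious_tokens(data),
            })
    return findings


def build_sample_zip() -> bytes:
    """Constructed sample (not a real campaign file): a decoy PDF plus a shortcut that runs WScript."""
    header = struct.pack("<I", LNK_HEADER_SIZE) + LNK_CLSID
    header += b"\x00" * (LNK_HEADER_SIZE - len(header))
    # A real shortcut keeps its target in structured StringData; the scan above reads raw
    # bytes, so appending a UTF-16LE command line to the header is enough to exercise it.
    cmd = "C:\\Windows\\System32\\wscript.exe //e:jscript AI_Research_Invite.pdf.js"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("AI_Research_Invite.pdf", b"%PDF-1.4 decoy")
        zf.writestr("AI_Research_Invite.pdf.lnk", header + cmd.encode("utf-16-le"))
    return buf.getvalue()


if __name__ == "__main__":
    for finding in triage_zip(build_sample_zip()):
        print(finding)
```

The content-based check matters because a shortcut renamed to `.pdf` or `.docx` still executes as a shortcut when Windows sees the Shell Link header; the token scan is deliberately a coarse heuristic for triage, and a full parser of the LinkTargetIDList and StringData sections would be the next step for extracting the exact target and arguments.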
“The May 2024 campaign appeared to target fewer than 10 individuals, all of whom seem to have a direct link to a prominent U.S.-based artificial intelligence organization, according to open source research,” the company stated.
The ultimate objective of the attacks remains unclear, though it is suspected to be an attempt to steal non-public information about generative artificial intelligence (GenAI).
Additionally, the targeting of U.S. entities aligns with news reports that the U.S. government is contemplating restricting China’s access to GenAI tools from companies such as OpenAI, Google DeepMind, and Anthropic, offering potential motives.
Earlier this year, the U.S. Department of Justice (DoJ) indicted a former Google software engineer for misappropriating proprietary information from the company and attempting to leverage it at two AI-affiliated technology companies in China, including one he founded around May 2023.
“It is conceivable that if Chinese entities are restricted from accessing technologies underpinning AI development, Chinese-aligned cyber actors may target those with access to that information to advance Chinese development objectives,” the company concluded.