Earth Hundun, a cyberespionage group, has launched attacks targeting various sectors, including technology, research, and government, using Waterbear, a complex backdoor malware with anti-analysis and antivirus evasion techniques.
Waterbear employs a modular approach with a DLL loader and RC4-encrypted payloads, and frequent updates by the developers have enhanced its evasion capabilities, including improvements to the loader, downloader, and communication protocol.
Waterbear has been active since 2009 and has gone through more than ten versions, each identifiable by its configuration data. Although defenses exist for the older variants, the attackers keep updating its infection methods.
Multiple Waterbear versions can coexist within a single compromised network. Notably, some downloaders are configured with internal IP addresses as their C&C servers, which indicates that the attackers have detailed knowledge of the victim's network and may be relaying traffic through multi-layered jump servers inside it to evade detection. This is characteristic of Waterbear attacks, which are designed for stealthy, long-term persistence in compromised systems.
Attack chain and TTPs of Waterbear:
Waterbear's custom DLL loader is delivered in one of two ways. In the first, the attackers patch a legitimate executable's import table to add the malicious DLL at a chosen position, so the loader is sideloaded as soon as the legitimate program starts.
In the second, the encrypted downloader is pre-placed in the registry and decrypted at run time with machine-specific information. Because the decryption depends on the victim host, a copy extracted without that host-specific information does not decrypt, which makes the downloader harder to detect and to analyze during forensic investigations.
According to Trend Micro, Earth Hundun's downloader combines anti-detection and anti-analysis techniques: it evades antivirus scanning by padding the file with zeroes, and it thwarts memory scanners by decrypting each function only before use, re-encrypting it afterwards, and relocating functions in memory.
Configuration data at the beginning of the malware holds the decryption key, sleep time, version number, C&C server addresses (XOR-encrypted), port numbers, the RC4 keys used for communication, and a list of function and API addresses.
The Waterbear downloader retrieves the next-stage RAT from the C&C server over a custom connection with several layers of encryption. First, the downloader sends a random key (KEY_RANDOM) to the C&C server, encrypted with a key derived from KEY_1.
The C&C server responds with a verification packet containing KEY_1, encrypted with a variant of the same key-derivation method, and the downloader checks it before proceeding. Once verified, the server sends the RAT size and then the RAT data in segments, both encrypted with a key derived from KEY_RANDOM.
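As an added example (not code from the original page and not Trend Micro's or the malware's own code), the following Python script models the exchange described above with both sides present: the KEY_1 / KEY_RANDOM handshake, the verification check, and the segmented RAT transfer. RC4 is used because the page names RC4 as the communication cipher; the SHA-256 based derive() function and its "client"/"server"/"size"/"rat" labels, the 16-byte keys, the little-endian 4-byte size field, the KEY_1 value, and encrypting the whole payload once before splitting it into segments are assumptions of this model, not documented Waterbear details.

```python
import os
from hashlib import sha256


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4; the same call encrypts and decrypts."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out, i, j = bytearray(), 0, 0
    for b in data:
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(b ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def derive(key: bytes, label: bytes) -> bytes:
    """Stand-in key derivation (assumption: the page only says keys are 'derived').
    The label selects the 'variant' the server uses for its verification packet."""
    return sha256(label + key).digest()[:16]


KEY_1 = bytes.fromhex("00112233445566778899aabbccddeeff")  # constructed stand-in for the configured key


class WaterbearC2:
    """Constructed model of the server side of the exchange."""

    def __init__(self, key_1: bytes, rat: bytes):
        self.key_1, self.rat, self.key_random = key_1, rat, None

    def hello(self, packet: bytes) -> bytes:
        # Unwrap KEY_RANDOM with the KEY_1-derived key, then answer with KEY_1
        # under the variant derivation so the client can verify us.
        self.key_random = rc4(derive(self.key_1, b"client"), packet)
        return rc4(derive(self.key_1, b"server"), self.key_1)

    def rat_size(self) -> bytes:
        return rc4(derive(self.key_random, b"size"), len(self.rat).to_bytes(4, "little"))

    def rat_segments(self, seg_len: int):
        # The payload is encrypted once under the KEY_RANDOM-derived key and sent in pieces.
        blob = rc4(derive(self.key_random, b"rat"), self.rat)
        for off in range(0, len(blob), seg_len):
            yield blob[off:off + seg_len]


def fetch_rat(server: WaterbearC2, key_1: bytes = KEY_1, seg_len: int = 256) -> bytes:
    """Downloader side: verify the server knows KEY_1, then pull the RAT."""
    key_random = os.urandom(16)
    verification = server.hello(rc4(derive(key_1, b"client"), key_random))
    if rc4(derive(key_1, b"server"), verification) != key_1:
        raise ValueError("C&C verification failed: server does not know KEY_1")
    size = int.from_bytes(rc4(derive(key_random, b"size"), server.rat_size()), "little")
    received = b""
    for segment in server.rat_segments(seg_len):
        received += segment
        if len(received) >= size:
            break
    return rc4(derive(key_random, b"rat"), received[:size])


if __name__ == "__main__":
    sample_rat = b"MZ" + bytes(range(256)) * 2  # constructed placeholder payload
    assert fetch_rat(WaterbearC2(KEY_1, sample_rat)) == sample_rat
    print("handshake and transfer OK")
```

The practical consequence for defenders is the verification step: a sinkhole or emulated C&C that does not hold the sample's KEY_1 fails the check and never sees a download request, so KEY_1 has to be recovered from the configuration block of the downloader before the traffic can be replayed or decrypted.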
Waterbear's RAT component has expanded its capabilities since 2020. It now offers file management (enumerate, list, upload/download, manipulate), process management (enumerate, terminate, suspend/resume), system manipulation (screenshot, hide/show windows, get system information), registry access (enumerate, edit keys and values), and a remote shell.
Details of Deuterbear:
The Deuterbear downloader, a successor to Waterbear, emerged in 2022. It uses a different decryption flow based on registry queries and API calls, and the component it downloads communicates over HTTPS tunneling and applies anti-analysis techniques such as function obfuscation, debugger checks, and memory scanning.
Configuration data stored on the victim's machine defines the communication details, execution time windows, and encryption keys. Communication with the command-and-control server mixes unencrypted and RSA/RC4-encrypted channels, and the downloader describes each data packet with a simple 5-byte header.
The Deuterbear RAT exchange uses a two-step encryption process with the C&C server: first the downloader generates an RSA key pair and sends the public key to the server, and the server responds with RC4 keys encrypted under that public key.
After verifying that the keys decrypt correctly, the downloader sends an encrypted download request containing a signature. The C&C server responds with the RAT size and the RAT itself, both encrypted with RSA, and the downloader retrieves the RAT in chunks using the size it was given.
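As an added example (again not the page's, Trend Micro's, or the malware's own code), this Python script models the RSA parts of the Deuterbear flow just described: the downloader generates a fresh RSA key pair, the server returns RC4 keys encrypted under the public key, and the RAT size and body come back RSA-encrypted and are reassembled in chunks. The textbook RSA (no padding, 512-bit keys, 32-byte plaintext blocks, zero-padding of the last block), the constructed signature constant, the 16-byte keys, and the clear-text download request are all assumptions of this model. The RC4 channels that the delivered keys would drive are not modelled, and because the page does not say how the downloader verifies the decryption, that step is left out as well.

```python
import secrets


def is_probable_prime(n: int, rounds: int = 16) -> bool:
    """Miller-Rabin primality test (used only to build the toy RSA key pair)."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def gen_prime(bits: int) -> int:
    while True:
        c = secrets.randbits(bits) | (1 << (bits - 1)) | 1  # force top bit and oddness
        if is_probable_prime(c):
            return c


def rsa_keygen(bits: int = 512):
    """Return ((n, e), (n, d)). 512-bit keys keep the demo fast; they are not secure."""
    e = 65537
    while True:
        p, q = gen_prime(bits // 2), gen_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e:
            return (p * q, e), (p * q, pow(e, -1, phi))


CHUNK = 32  # plaintext bytes per RSA block; 2**256 < n, so every block is below the modulus


def rsa_encrypt_blocks(pub, data: bytes) -> bytes:
    """Textbook RSA over fixed 32-byte blocks; the last block is zero-padded (assumption)."""
    n, e = pub
    width = (n.bit_length() + 7) // 8
    data += b"\x00" * (-len(data) % CHUNK)
    return b"".join(pow(int.from_bytes(data[i:i + CHUNK], "big"), e, n).to_bytes(width, "big")
                    for i in range(0, len(data), CHUNK))


def rsa_decrypt_blocks(priv, blob: bytes) -> bytes:
    n, d = priv
    width = (n.bit_length() + 7) // 8
    return b"".join(pow(int.from_bytes(blob[i:i + width], "big"), d, n).to_bytes(CHUNK, "big")
                    for i in range(0, len(blob), width))


SIGNATURE = b"DEMO-SIG"  # constructed placeholder; the real signature value is not on the page


class DeuterbearC2:
    """Constructed model of the server side."""

    def __init__(self, rat: bytes, signature: bytes):
        self.rat, self.signature, self.client_pub = rat, signature, None

    def key_exchange(self, client_pub) -> bytes:
        # Step 1: the downloader's RSA public key arrives; RC4 keys go back under it.
        self.client_pub = client_pub
        return rsa_encrypt_blocks(client_pub, secrets.token_bytes(16) + secrets.token_bytes(16))

    def download(self, request: bytes):
        # Step 2: a request carrying the signature gets the size, then the RAT, RSA-encrypted.
        if request != self.signature:
            return None
        size = rsa_encrypt_blocks(self.client_pub, len(self.rat).to_bytes(4, "little"))
        return size, rsa_encrypt_blocks(self.client_pub, self.rat)


def deuterbear_fetch(server: DeuterbearC2, seg_len: int = 256):
    """Downloader side; returns the RAT and the RC4 key pair delivered by the server."""
    pub, priv = rsa_keygen()
    keys = rsa_decrypt_blocks(priv, server.key_exchange(pub))
    send_key, recv_key = keys[:16], keys[16:32]  # would drive the RC4 channels (not modelled)
    reply = server.download(SIGNATURE)
    if reply is None:
        raise ValueError("download request rejected")
    enc_size, enc_rat = reply
    size = int.from_bytes(rsa_decrypt_blocks(priv, enc_size)[:4], "little")
    rat = b""
    for off in range(0, len(enc_rat), seg_len):  # pull chunks until the announced size is met
        rat += rsa_decrypt_blocks(priv, enc_rat[off:off + seg_len])
        if len(rat) >= size:
            break
    return rat[:size], (send_key, recv_key)


if __name__ == "__main__":
    sample = bytes(range(256)) * 3 + b"tail"  # constructed placeholder payload
    got, _ = deuterbear_fetch(DeuterbearC2(sample, SIGNATURE))
    assert got == sample
    print("Deuterbear-style RSA exchange OK")
```

Because the RSA key pair is generated fresh by the downloader for each session, a captured pcap alone is not enough to recover the RC4 keys or the RAT; the private key has to be taken from the running downloader's memory, which is the point of the design from the attacker's side.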
Never forget to check out our YouTube channel, ETHICAL EMPIRE, and keep reading our exciting blogs. Until next time, stay curious, stay secure, and keep exploring the fascinating world of cyber security. See you soon, bye!