Earth Hundun Hacker Group Employs Advanced Tactics to Evade Detection

Earth Hundun, a notable Asia-Pacific malware organization, uses Waterbear and Deuterbear.

We first encountered Deuterbear in Earth Hundun’s arsenal in October 2022, signaling its implementation.

This report describes the ultimate Remote Access Trojan (RAT) we recovered from a C&C server from an Earth Hundun campaign in 2024.

We examined the Waterbear downloader’s network actions at the beginning. A case study shows how the Waterbear RAT and its plugins were deployed in the second phase and how Waterbear downloaders spread across networks, complicating detection and monitoring.

Deuterbear now supports plugin shellcode formats and runs RAT sessions without handshakes.

Trendmicro analysis of Earth Hundun’s Waterbear and Deuterbear malware interactions with targets will demonstrate its sophisticated tactics.

Free Webinar on Live API Attack Simulation: Book Your Seat | Start protecting your APIs from hackers

Waterbear Case Study

A previous campaign’s flowchart shows Waterbear’s activity in a victim’s network and its proliferation of downloaders.

Initial Stage

In our previous report, Waterbear used three files for the initial download.

These include a modified legitimate executable, loader, and encrypted downloader.

The Second Stage

Waterbear RAT (A) downloaded the plugin via RAT command 1010 and activated its first export function, “Start,” to inject it into a process.

Depending on the target process architecture, the plugin includes unencrypted Waterbear downloaders 0.27 and 0.28.

Unlike 32-bit processes, 64-bit processes run 0.28, boosting downloads.

This hides their trails or connects to different C&C servers in the victim’s network, showing the threat actor’s communication flexibility.

Waterbear RAT   

Command Capabilities:

1. File Management: Commands for enumerating disk drives, listing files, uploading and downloading files, renaming, creating folders, deleting files, executing files, moving files, and disguising file metadata.
2. Window Management: Commands for enumerating, hiding, showing, closing, minimizing, maximizing windows, taking screenshots, and setting screenshot events.
3. Process Management: Commands for enumerating, terminating, suspending, resuming processes, and retrieving process module information.
4. Network Management: Commands for getting extended TCP tables and setting TCP entry states.
5. Service Management: Commands for enumerating and manipulating services.
6. Configuration Management: Commands for getting and setting C&C configurations.
7. Remote Shell Management: Commands for starting, exiting, and getting the PID of a remote shell.
8. Registry Management: Commands for enumerating, creating, setting, and deleting registry keys and values.
9. Basic Control: Commands for getting the current window, setting infection marks, and terminating connections and RAT processes.
10. Proxy Management: Commands for updating C&C IP addresses, proxying data, shutting down connections, and managing socket handles.

Victim Information Transmission:

1. Before executing backdoor commands, Waterbear sends detailed victim information to the C&C server, including admin status, system version, host and user names, window text, adapter info, process ID, and infection marks.

Deuterbear RAT

Installation Pathway:

1. Deuterbear uses a two-stage installation process. The first stage involves decrypting and deploying a downloader, which surveys the system and installs the second-stage components.
2. The first stage components are removed after persistence is achieved to avoid detection.

Command Capabilities:

1. File Management: Commands for listing files, uploading and downloading files, renaming files, and executing files.
2. Process Management: Commands for enumerating and terminating processes.
3. Configuration Management: Commands for collecting and updating downloader configuration data.
4. Remote Shell Management: Commands for starting, exiting, and getting the PID of a remote shell.
5. Basic Control: Commands for getting the current window, setting infection marks, and terminating connections and RAT processes.
6. Plugins Management: Commands for downloading, uninstalling, and executing plugins, including shellcodes and PE DLLs

Victim Information Transmission:

1. Similar to Waterbear, Deuterbear sends victim information to the C&C server before executing backdoor commands, including admin status, user and host names, OS version, window text, adapter info, process ID, and infection marks.

Differences from Waterbear:

1. Deuterbear retains fewer commands (20 compared to over 60 for Waterbear) but supports more plugins to enhance flexibility.
2. It uses the same HTTPS channel and RC4 traffic key as the downloader, eliminating the need for a handshake with the C&C server to update communication protocols.
3. Waterbear evolved into Deuterbear, a new malware.
4. Interestingly, Waterbear and Deuterbear evolve separately rather than replacing each other.
5. Memory scans for downloads and the Waterbear and Deuterbear RATs can protect organizations from Earth Hundun attacks. Also, finding the registry used to decrypt the Deuterbear downloader can help find it in the system.

On-Demand Webinar to Secure the Top 3 SME Attack Vectors: Watch for Free