
Cybersecurity researchers have recently uncovered more details about Deuterbear, a remote access trojan (RAT) utilized by the China-linked hacking group BlackTech. This cyber espionage campaign has been active in the Asia-Pacific region this year.
Deuterbear: An Evolved Threat
According to Trend Micro researchers Pierre Lee and Cyris Tseng, Deuterbear exhibits significant advancements over its predecessor, Waterbear. These enhancements include:
- Support for shellcode plugins
- Operation without handshakes
- HTTPS for command-and-control (C&C) communication
- Anti-memory scanning
- Shared traffic key with its downloader
BlackTech, also known as Circuit Panda, Earth Hundun, HUAPI, Manga Taurus, Palmerworm, Red Djinn, and Temp.Overboard, has been active since at least 2007. Traditionally, their cyber attacks have leveraged the Waterbear malware, but since October 2022, an updated version known as Deuterbear has been in use.
Waterbear’s Infection Pathway
Waterbear is delivered via a patched legitimate executable using DLL side-loading. This process involves:
- A loader is launched that decrypts and executes a downloader.
- The downloader contacts a C&C server to retrieve the RAT module.
- The RAT module is fetched twice from the attacker’s infrastructure.
The initial RAT serves as a plugin downloader, while the secondary RAT functions as a backdoor, capable of executing 60 commands to harvest sensitive information from the compromised host.
Deuterbear’s Infection Pathway
Deuterbear follows a similar two-stage infection process but with some variations:
- The first stage launches a downloader that connects to the C&C server to fetch the Deuterbear RAT.
- The loader then establishes persistence through a second-stage loader via DLL side-loading.
- This final loader executes a downloader that retrieves the Deuterbear RAT from the C&C server for information theft.
Researchers noted that only the second stage of Deuterbear is typically found on infected systems, as all components of the first stage are removed after establishing persistence. This tactic complicates analysis and protects the malware from detection in simulated environments.
The Rise of SugarGh0st RAT
In a related disclosure, Proofpoint detailed a highly targeted cyber campaign aimed at U.S. organizations involved in artificial intelligence, including academia, private industry, and government. The campaign, named UNK_SweetSpecter, deploys the SugarGh0st RAT, a variant of the older Gh0st RAT used by Chinese-speaking threat actors.
Targeted Attack Details
The SugarGh0st RAT campaign, first documented by Cisco Talos in late 2023, targeted the Uzbekistan Ministry of Foreign Affairs and South Korean users. The May 2024 campaign focused on fewer than 10 individuals connected to a leading U.S.-based AI organization. The phishing attack involved AI-themed messages containing a ZIP archive with a Windows shortcut file, leading to a JavaScript dropper that deployed the SugarGh0st payload.
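Both chains described above, the DLL side-loading used to start the Waterbear and Deuterbear loaders and the ZIP archive with a shortcut that leads to a JavaScript dropper, leave a recognizable trace in ordinary endpoint telemetry. The script below is an added example written for this article; it is not code from Trend Micro, Proofpoint, or the original post. It runs two triage heuristics over constructed Sysmon-style image-load and process-creation events: a watched system DLL name mapped from the executable's own directory instead of the system directory (search-order side-loading), and explorer.exe spawning a script host with a .js-style argument (what a double-clicked shortcut pointing at a JavaScript dropper looks like). The event shape, the watched DLL names, the file paths and the sample events are all assumptions, not indicators from the report.

```python
"""Triage heuristics for DLL side-loading and LNK -> JavaScript dropper chains.

Added example for the article; event format, watch list and sample data are
constructed assumptions, not indicators published by the researchers.
"""
import re
from dataclasses import dataclass
from pathlib import PureWindowsPath

# Directories from which system DLLs are legitimately resolved (assumes a default install).
SYSTEM_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}

# System DLL names commonly impersonated by side-loaded loaders (constructed watch list).
WATCHED_DLLS = {"version.dll", "dwmapi.dll", "wtsapi32.dll", "cryptbase.dll", "msimg32.dll"}

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
SCRIPT_EXT = re.compile(r"\.(js|jse|vbs|wsf)\b", re.IGNORECASE)


@dataclass
class Event:
    kind: str              # "image_load" or "process_create"
    image: str             # full path of the process image
    loaded: str = ""       # image_load: path of the DLL mapped into the process
    parent: str = ""       # process_create: parent image path
    cmdline: str = ""      # process_create: command line


def _parent_dir(path: str) -> str:
    return str(PureWindowsPath(path).parent).lower()


def is_sideload_candidate(ev: Event) -> bool:
    """A watched DLL name mapped from the EXE's own directory rather than the
    system directory is the search-order abuse behind DLL side-loading.
    Legitimate software sometimes ships such copies, so treat hits as triage leads."""
    if ev.kind != "image_load":
        return False
    if PureWindowsPath(ev.loaded).name.lower() not in WATCHED_DLLS:
        return False
    dll_dir = _parent_dir(ev.loaded)
    if dll_dir in SYSTEM_DIRS:
        return False
    return dll_dir == _parent_dir(ev.image)


def is_lnk_script_chain(ev: Event) -> bool:
    """explorer.exe launching a script host with a script-file argument is the
    process lineage a double-clicked shortcut that runs a JavaScript dropper leaves."""
    if ev.kind != "process_create":
        return False
    if PureWindowsPath(ev.image).name.lower() not in SCRIPT_HOSTS:
        return False
    if PureWindowsPath(ev.parent).name.lower() != "explorer.exe":
        return False
    return bool(SCRIPT_EXT.search(ev.cmdline))


def triage(events):
    """Return (rule, detail) pairs for every event that matches a heuristic."""
    hits = []
    for ev in events:
        if is_sideload_candidate(ev):
            hits.append(("dll_sideload_candidate", f"{ev.image} loaded {ev.loaded}"))
        if is_lnk_script_chain(ev):
            hits.append(("lnk_script_dropper", f"{ev.parent} -> {ev.cmdline}"))
    return hits


# Constructed sample telemetry: one benign load, one side-load candidate,
# one vendor DLL that is not on the watch list, one LNK-style script launch,
# and one ordinary explorer.exe child.
SAMPLE_EVENTS = [
    Event("image_load", r"C:\Windows\System32\notepad.exe",
          loaded=r"C:\Windows\System32\version.dll"),
    Event("image_load", r"C:\Users\alice\AppData\Roaming\Updater\updater.exe",
          loaded=r"C:\Users\alice\AppData\Roaming\Updater\version.dll"),
    Event("image_load", r"C:\Program Files\Vendor\app.exe",
          loaded=r"C:\Program Files\Vendor\plugin.dll"),
    Event("process_create", r"C:\Windows\System32\wscript.exe",
          parent=r"C:\Windows\explorer.exe",
          cmdline=r'wscript.exe "C:\Users\alice\AppData\Local\Temp\Temp1_invite.zip\Agenda.js"'),
    Event("process_create", r"C:\Windows\System32\cmd.exe",
          parent=r"C:\Windows\explorer.exe", cmdline="cmd.exe /c dir"),
]

if __name__ == "__main__":
    for rule, detail in triage(SAMPLE_EVENTS):
        print(f"[{rule}] {detail}")
```

Run as-is it reports the updater.exe side-load candidate and the wscript.exe launch from the extracted archive, and nothing for the three benign events. The side-loading rule deliberately keys on directory placement rather than on a file hash, since the article notes that Deuterbear's first-stage components are removed after persistence is established; the image-load record of where a DLL came from survives even when the file does not.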
Potential Motives
While the exact goals of the campaign remain unclear, it is speculated that the attackers aim to steal non-public information about generative artificial intelligence (GenAI). This activity coincides with U.S. efforts to restrict China’s access to GenAI tools from companies like OpenAI, Google DeepMind, and Anthropic.
Additionally, a former Google software engineer was indicted earlier this year for stealing proprietary information and attempting to use it at AI-affiliated technology companies in China. This underscores the ongoing tensions and the potential for Chinese-aligned cyber actors to target U.S. entities with access to advanced AI technologies.
Conclusion
These findings highlight the continuous evolution of cyber threats and the sophistication of adversaries like BlackTech and the entities deploying SugarGh0st RAT. Staying informed and vigilant is crucial for organizations to defend against such advanced threats.