Deuterbear RAT Leveraged by Chinese Hackers To Launch Cyber Espionage Campaigns

Recent cybersecurity research has unveiled the use of a remote access trojan (RAT) named Deuterbear by the China-linked BlackTech hacking group in their cyber espionage campaigns within the Asia-Pacific region.

According to Trend Micro researchers Pierre Lee and Cyris Tseng, Deuterbear shares much of its design with the older Waterbear malware but adds support for shellcode plugins, drops the handshake during RAT operation, and uses HTTPS for command-and-control (C&C) traffic. Other changes over Waterbear are a shellcode-format payload, anti-memory-scanning measures, and a traffic key shared with its downloader.

Deuterbear has other ties

BlackTech, active since at least 2007, is also tracked as Circuit Panda, Earth Hundun, HUAPI, Manga Taurus, Palmerworm, Red Djinn, and Temp.Overboard. The group has relied on the Waterbear malware for nearly 15 years; campaigns observed since October 2022 have incorporated the updated Deuterbear variant.

Waterbear's infection chain starts with a patched legitimate executable that side-loads a DLL loader; the loader decrypts and executes a downloader, which contacts a C&C server to retrieve the RAT module. The module is fetched twice from attacker-controlled infrastructure: the first copy loads a Waterbear plugin that launches a different version of the downloader, which retrieves the RAT module again from another C&C server. In effect, the first Waterbear RAT serves only as a plugin downloader, while the second acts as a backdoor that gathers sensitive information from the compromised system and supports 60 commands.

Deuterbear infection methods may evade detection

Deuterbear follows a similar infection pathway with some modifications. In the first stage, a loader launches a downloader that contacts the C&C server and fetches the Deuterbear RAT; that RAT then establishes persistence by installing a second-stage loader, again via DLL side-loading. The second-stage loader executes another downloader, which fetches the Deuterbear RAT once more, this time for data theft. Because every first-stage component is removed once persistence is in place, only the second stage is typically found on infected systems, which makes detection and analysis harder for threat researchers.
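Both chains above hinge on DLL side-loading: a signed, legitimate executable loads a DLL from its own directory instead of the real system DLL of that name. The following is an added example of a hunting heuristic for that pattern, written for this page and not taken from the Trend Micro report. It runs over constructed records modelled on Sysmon Event ID 7 (Image loaded) fields (Image, ImageLoaded, Signed, SignatureStatus); the list of commonly side-loaded DLL names and the key=value line format are assumptions for the example, not indicators published for Deuterbear.

```python
"""DLL side-loading hunt over constructed Sysmon-style image-load records.

Heuristic: flag a DLL load when (1) the DLL name is one that many
applications import and attackers commonly plant (assumed starter list),
(2) it is NOT loading from System32/SysWOW64, (3) it sits in the same
directory as the host executable, and (4) it is unsigned or its signature
does not validate. Real telemetry would come from the event log; here the
records are constructed inline so the script runs offline.
"""
from dataclasses import dataclass
from pathlib import PureWindowsPath

# Assumed starter list of frequently side-loaded DLL names (not from the report).
SIDELOAD_CANDIDATE_DLLS = {
    "version.dll", "dbghelp.dll", "cryptbase.dll",
    "userenv.dll", "wtsapi32.dll", "msimg32.dll",
}

# Directories from which these DLLs legitimately load.
SYSTEM_DIRS = ("c:\\windows\\system32", "c:\\windows\\syswow64")


@dataclass
class ImageLoad:
    process_image: str     # Sysmon "Image": the loading process
    image_loaded: str      # Sysmon "ImageLoaded": the DLL path
    signed: bool           # Sysmon "Signed"
    signature_status: str  # Sysmon "SignatureStatus": Valid, Errors, Unavailable, ...


def parse_event(line: str) -> ImageLoad:
    """Parse one constructed 'Key=Value|Key=Value' record (assumed format)."""
    fields = dict(kv.split("=", 1) for kv in line.strip().split("|"))
    return ImageLoad(
        process_image=fields["Image"],
        image_loaded=fields["ImageLoaded"],
        signed=fields["Signed"].lower() == "true",
        signature_status=fields["SignatureStatus"],
    )


def is_sideload_suspect(ev: ImageLoad) -> bool:
    host_dir = str(PureWindowsPath(ev.process_image).parent).lower()
    dll = PureWindowsPath(ev.image_loaded)
    dll_dir = str(dll.parent).lower()
    if dll.name.lower() not in SIDELOAD_CANDIDATE_DLLS:
        return False
    # The genuine DLL lives in a system directory; a copy elsewhere is the tell.
    if dll_dir.startswith(SYSTEM_DIRS):
        return False
    # Side-loading relies on the search order picking the DLL beside the EXE.
    if dll_dir != host_dir:
        return False
    # A vendor's own DLL shipped next to its app is normally signed and valid;
    # an unsigned or tampered one (patched loader) is what we want to see.
    return (not ev.signed) or ev.signature_status.lower() != "valid"


def find_sideload_suspects(lines):
    """Return the ImageLoad records that match the heuristic."""
    return [ev for ev in map(parse_event, lines) if is_sideload_suspect(ev)]


# Constructed sample records (not real telemetry).
SAMPLE_EVENTS = [
    # benign: version.dll resolved from System32
    "Image=C:\\Program Files\\Vendor\\app.exe|ImageLoaded=C:\\Windows\\System32\\version.dll|Signed=true|SignatureStatus=Valid",
    # benign: vendor DLL beside the app, properly signed, not a known side-load name
    "Image=C:\\Program Files\\Vendor\\app.exe|ImageLoaded=C:\\Program Files\\Vendor\\helper.dll|Signed=true|SignatureStatus=Valid",
    # suspect: unsigned version.dll beside a copied executable in a user-writable path
    "Image=C:\\Users\\Public\\Libraries\\tool.exe|ImageLoaded=C:\\Users\\Public\\Libraries\\version.dll|Signed=false|SignatureStatus=Unavailable",
    # suspect: dbghelp.dll beside the host with a signature that fails validation
    "Image=C:\\ProgramData\\svc\\update.exe|ImageLoaded=C:\\ProgramData\\svc\\dbghelp.dll|Signed=true|SignatureStatus=Errors",
]

if __name__ == "__main__":
    for ev in find_sideload_suspects(SAMPLE_EVENTS):
        print(f"SUSPECT {ev.process_image} -> {ev.image_loaded} ({ev.signature_status})")
```

The heuristic deliberately does not trust the host executable's own signature status: the page notes the side-loading host is a patched legitimate binary, so in practice you would also compare the host's hash against the vendor's known-good release. Tune SIDELOAD_CANDIDATE_DLLS to the imports of the legitimate binaries present in your estate rather than relying on the assumed list.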

Deuterbear is a streamlined version of Waterbear: it keeps fewer built-in commands and instead relies on plugins for additional functionality. Trend Micro notes that Waterbear and Deuterbear have evolved in parallel rather than one replacing the other.

SugarGh0st RAT Targeting U.S. AI Organizations

In related news, Proofpoint has detailed a targeted campaign against U.S. organizations involved in artificial intelligence that delivers a malware called SugarGh0st RAT. This customized variant of Gh0st RAT has previously been used against targets in Central and East Asia. The campaign, attributed to a Chinese-speaking threat actor, used AI-themed phishing messages to deliver the SugarGh0st payload through a JavaScript dropper. The May 2024 activity targeted fewer than ten individuals, likely to obtain non-public information about generative AI, amid rising U.S. efforts to limit China's access to AI technology.

The campaign comes after the U.S. Department of Justice indicted a former Google software engineer for stealing proprietary AI information for use at technology companies in China. The focus on U.S. AI entities suggests a strategic aim of advancing China's AI development while access to the technology of leading companies such as OpenAI and Google DeepMind is restricted.

May 20, 2024
