Cyber Threat Report: 'Cyberespionage Group Earth Hundun's Continuous Refinement of Waterbear and Deuterbear'
Report Author | TrendMicro |
---|---|
Publication Date | 2024-04-11 |
Original Reporting | Source |
Related Intrusion Sets | BlackTech , Earth Hundun |
Victim Sectors | Technology, National Government |
This blog post from researchers at Trend Micro discusses the cyberespionage group Earth Hundun and its malware, Waterbear and Deuterbear, which they have observed targeting technology, research, and government sectors in the Asia-Pacific region. According to the post, Waterbear includes complex anti-detection techniques and has evolved across more than 10 versions since 2009, with the latest updates further enhancing its evasion tactics. The researchers refer to the latest version as Deuterbear. The blog provides a detailed technical analysis of the malware and links to indicators of compromise.
Mitigations to defend against the techniques in this report

Data Loss Prevention
Use a data loss prevention (DLP) strategy to categorize sensitive data, identify data formats indicative of personally identifiable information (PII), and restrict exfiltration of sensitive data. (Citation: PurpleSec Data Loss Prevention)

Do Not Mitigate
This category is used to associate techniques for which mitigation might increase the risk of compromise, so mitigation is not recommended.

User Account Management
Manage the creation, modification, use, and permissions associated with user accounts.

Restrict File and Directory Permissions
Restrict access by setting directory and file permissions that are not specific to users or privileged accounts.

Code Signing
Enforce binary and application integrity with digital signature verification to prevent untrusted code from executing.

Execution Prevention
Block execution of code on a system through application control and/or script blocking.

Network Intrusion Prevention
Use intrusion detection signatures to block traffic at network boundaries.

SSL/TLS Inspection
Break and inspect SSL/TLS sessions to look at encrypted web traffic for adversary activity.

Application Developer Guidance
This mitigation describes any guidance or training given to developers of applications to avoid introducing security weaknesses that an adversary may be able to take advantage of.

Update Software
Perform regular software updates to mitigate exploitation risk.

Audit
Perform audits or scans of systems, permissions, insecure software, insecure configurations, etc. to identify potential weaknesses.

Behavior Prevention on Endpoint
Use capabilities to prevent suspicious behavior patterns from occurring on endpoint systems. This could include suspicious process, file, API call, etc. behavior.

Identified MITRE ATT&CK Techniques
ATT&CK ID | Title | Associated Tactics |
---|---|---|
T1005 | Data from Local System | Collection |
T1016.001 | Internet Connection Discovery | Discovery |
T1057 | Process Discovery | Discovery |
T1480 | Execution Guardrails | Defense Evasion |
T1622 | Debugger Evasion | Defense Evasion, Discovery |
T1547.012 | Print Processors | Persistence, Privilege Escalation |
T1036.005 | Match Legitimate Name or Location | Defense Evasion |
T1071.001 | Web Protocols | Command and Control |
T1083 | File and Directory Discovery | Discovery |
T1140 | Deobfuscate/Decode Files or Information | Defense Evasion |
T1132.002 | Non-Standard Encoding | Command and Control |
T1129 | Shared Modules | Execution |
T1049 | System Network Connections Discovery | Discovery |
T1027.001 | Binary Padding | Defense Evasion |
T1573 | Encrypted Channel | Command and Control |
T1082 | System Information Discovery | Discovery |
T1574.002 | DLL Side-Loading | Defense Evasion, Persistence, Privilege Escalation |
T1497.003 | Time Based Evasion | Defense Evasion, Discovery |
T1012 | Query Registry | Discovery |
T1041 | Exfiltration Over C2 Channel | Exfiltration |
T1106 | Native API | Execution |