Cyber Threat Report: 'Cyberespionage Group Earth Hundun's Continuous Refinement of Waterbear and Deuterbear'

This blog post from researchers at Trend Micro discusses the cyberespionage group Earth Hundun and its malware, Waterbear and Deuterbear, which they have observed targeting technology, research, and government sectors in the Asia-Pacific region. According to the post, Waterbear includes complex anti-detection techniques and has evolved across over 10 versions since 2009, with the latest updates further enhancing evasion tactics. The researchers also refer to the latest version as Deuterbear. The blog provides detailed technical analysis of the malware and link to indicators of compromise.

Data Loss Prevention

Use a data loss prevention (DLP) strategy to categorize sensitive data, identify data formats indicative of personal identifiable information (PII), and restrict exfiltration of sensitive data.(Citation: PurpleSec Data Loss Prevention)

Do Not Mitigate

This category is to associate techniques that mitigation might increase risk of compromise and therefore mitigation is not recommended.

User Account Management

Manage the creation, modification, use, and permissions associated to user accounts.

Restrict File and Directory Permissions

Restrict access by setting directory and file permissions that are not specific to users or privileged accounts.

Code Signing

Enforce binary and application integrity with digital signature verification to prevent untrusted code from executing.

Execution Prevention

Block execution of code on a system through application control, and/or script blocking.

Network Intrusion Prevention

Use intrusion detection signatures to block traffic at network boundaries.

SSL/TLS Inspection

Break and inspect SSL/TLS sessions to look at encrypted web traffic for adversary activity.

Application Developer Guidance

This mitigation describes any guidance or training given to developers of applications to avoid introducing security weaknesses that an adversary may be able to take advantage of.

Update Software

Perform regular software updates to mitigate exploitation risk.

Audit

Perform audits or scans of systems, permissions, insecure software, insecure configurations, etc. to identify potential weaknesses.

Behavior Prevention on Endpoint

Use capabilities to prevent suspicious behavior patterns from occurring on endpoint systems. This could include suspicious process, file, API call, etc. behavior.