Earth Hundun
Earth Hundun, also known as BlackTech, is a cyberespionage-motivated threat actor active for several years in the Asia-Pacific region. Reported targeting includes technology, government, and research organizations. The group has been linked to attack operations observed in 2021 and to malware and tooling including Waterbear, Deuterbear, and Gh0stTimes.

Trend Micro describes Waterbear as a long-running backdoor family used by Earth Hundun since 2009, with more than 10 versions and the ability for multiple versions to coexist in the same victim environment. Waterbear infection chains use legitimate executables for DLL side-loading, and in some cases patched legitimate executables by modifying the import table to load a DLL at ordinal 0. Loaders and downloaders use custom salted RC4 decryption, registry-stored encrypted payloads protected with CryptUnprotectData, binary padding to evade antivirus, and anti-memory-scanning behavior that decrypts functions just-in-time and re-encrypts them after use. Waterbear configuration can contain up to three C2 addresses XOR-encrypted with 0xFF, and some samples used internal IP addresses as C2s, suggesting knowledge of victim networks. Its downloader uses a custom RC4-based protocol with a 10-byte header to retrieve a next-stage RAT. Reported RAT capabilities include file operations, process and service manipulation, screenshots, remote desktop, registry operations, and remote shell.

Since 2022, Trend Micro assesses that Earth Hundun has used a significantly updated downloader called Deuterbear, treated as a distinct malware entity because of major changes in decryption flow, configuration structure, and communications. Deuterbear obtains parameters and encrypted downloader locations from registry CLSID-related paths and values, uses XOR plus CryptUnprotectData in its decryption flow, protects traffic with HTTPS, and uses an RSA public/private keypair generated via Microsoft CryptoAPI to establish encrypted communications and receive RC4 keys from the C2 server. Reported anti-analysis features include broken functions with JMPs, debugger checks via process time, sandbox checks via Sleep/API behavior, time-window execution checks, and anti-memory-scanning that executes decrypted functions in new virtual memory. Deuterbear downloads the next-stage RAT as shellcode.

JPCERT/CC reporting also associates BlackTech with Gh0stTimes, a malware family described as having code and functions similar to Gh0stRAT, and notes 2021 attack operations involving malware such as LAMICE, BUSYICE, SELFMAKE, and SPIDERPIG, including activity that dropped SELFMAKE through ProxyLogon. No nation-state attribution is directly stated in the provided content.
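The two Waterbear configuration details above that an analyst can act on directly are the XOR-0xFF encryption of up to three C2 addresses and the use of internal IP addresses as C2s. The following is an added example (not code from the Trend Micro reporting, from Mallory, or from the malware itself) that decodes such a blob and flags C2 entries in private address space for triage. The blob layout it uses (three fixed-width 64-byte slots, NUL-padded, each holding `host:port`) is an assumption made for illustration; the actual Waterbear configuration layout is not described here.

```python
"""
Added example: decode a Waterbear-style C2 configuration and triage the entries.

Grounded in the reporting: up to three C2 addresses, XOR-encrypted with 0xFF,
and some samples pointing at internal IPs. ASSUMED for illustration: the slot
layout (SLOT_SIZE, MAX_C2 fixed-width NUL-padded 'host:port' strings).
"""
import ipaddress

SLOT_SIZE = 64   # assumed width of one C2 slot in the config blob
MAX_C2 = 3       # reporting: configuration holds up to three C2 addresses
XOR_KEY = 0xFF   # reporting: C2 addresses are XOR-encrypted with 0xFF


def xor_ff(data: bytes) -> bytes:
    """Single-byte XOR with 0xFF; applying it twice returns the input."""
    return bytes(b ^ XOR_KEY for b in data)


def build_config(c2_entries: list[str]) -> bytes:
    """Build an encrypted blob from plaintext 'host:port' strings (constructed test fixture only)."""
    if len(c2_entries) > MAX_C2:
        raise ValueError("at most %d C2 entries" % MAX_C2)
    blob = bytearray()
    for entry in c2_entries + [""] * (MAX_C2 - len(c2_entries)):
        raw = entry.encode("ascii")
        if len(raw) >= SLOT_SIZE:
            raise ValueError("entry too long for slot: %r" % entry)
        blob += raw.ljust(SLOT_SIZE, b"\x00")   # NUL-pad each slot to fixed width
    return xor_ff(bytes(blob))


def parse_config(blob: bytes) -> list[tuple[str, int]]:
    """Decrypt the blob and return the populated (host, port) entries in slot order."""
    if len(blob) != SLOT_SIZE * MAX_C2:
        raise ValueError("unexpected config size %d" % len(blob))
    plain = xor_ff(blob)
    entries = []
    for i in range(MAX_C2):
        slot = plain[i * SLOT_SIZE:(i + 1) * SLOT_SIZE].split(b"\x00", 1)[0]
        if not slot:
            continue   # empty slot: fewer than three C2s were configured
        text = slot.decode("ascii", errors="replace")
        host, sep, port = text.rpartition(":")
        if not sep:                  # no port present: keep the host, record port 0
            host, port = text, "0"
        entries.append((host, int(port)))
    return entries


def classify_c2(host: str) -> str:
    """'internal' for RFC 1918 and other non-routable IPs, 'public' for other IPs, 'hostname' otherwise."""
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return "hostname"
    return "internal" if ip.is_private else "public"


def triage(blob: bytes) -> list[dict]:
    """Decode a config blob and annotate each C2 for analyst review."""
    return [{"host": h, "port": p, "kind": classify_c2(h)} for h, p in parse_config(blob)]


if __name__ == "__main__":
    # Constructed sample: one internal C2 and one hostname C2, third slot empty.
    sample = build_config(["10.20.30.40:443", "update.example.com:8443"])
    for entry in triage(sample):
        print(entry)
```

An `internal` result is the signal the reporting calls out: a backdoor configured to beacon to an address inside the victim's own network is worth correlating against internal asset inventory and proxy logs, since it implies the operator already knew the environment.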
Tradecraft
20 distinct techniques observed across reporting, grouped by tactic.
Associated malware families
6 malware families attributed to this actor across reporting.
1 additional family tracked in Mallory.
Observables
1 indicator attributed to this actor: domains, IPs, hashes, and other artifacts pulled from reporting.
Recent activity
2 sources tracked across advisories, community write-ups, and news.
Cyberespionage operations focused on intelligence collection, primarily against technology and government organizations in the Asia-Pacific region, using the Waterbear backdoor and its newer iteration Deuterbear with extensive anti-analysis/evasion and custom C2 protocols.
Multiple 2021 campaigns attributed to Earth Hundun involving phishing-delivered loaders/backdoors and Exchange exploitation leading to in-memory payload execution.