Cybersecurity researchers unveiled the tactics of the China-linked BlackTech hacking group and its use of Deuterbear RAT, a remote access trojan, in a cyber espionage campaign targeting the Asia-Pacific region. BlackTech, active since 2007, has been known for deploying Waterbear malware, but recent campaigns have shown an evolution to Deuterbear. This updated version uses a two-stage infection strategy: the first stage loads a downloader that connects to a command-and-control server and fetches the Deuterbear RAT, which then gains persistence through a second-stage loader delivered via DLL side-loading.

China-linked hackers are using a two-stage infection tactic to spread Deuterbear RAT

The first Waterbear RAT serves as a downloader, while the second functions as a backdoor that enables information theft through a set of 60 commands. The sophisticated infection pathway of Deuterbear not only establishes persistence by connecting to a C&C server but also effectively removes traces after installation, making it challenging for threat researchers to analyze in simulated environments. Moreover, Deuterbear retains a subset of Waterbear's commands but adds functionality through a plugin-based approach, marking a notable evolution in the group's malware tactics.
https://thehackernews.com/2024/05/china-linked-hackers-adopt-two-stage.html
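The summary above names DLL side-loading as the way Deuterbear's second-stage loader gets executed. As an added example, not code from the article or from the researchers it cites, the following Python script shows the kind of telemetry check a defender can run for that pattern: it parses constructed module-load events (loosely modelled on Sysmon "Image loaded" records; the log format, the directory list and the DLL name list are all assumptions) and flags a DLL that carries the name of a Windows system library but is loaded from outside the system directories, especially when it sits beside the host executable and is unsigned.

```python
"""
Added example (not from the article or the research it summarizes): a toy
detector for the DLL side-loading layout attributed to Deuterbear's
second-stage loader, run over constructed module-load events.
"""
import ntpath
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed: directories where legitimate copies of system DLLs are expected.
TRUSTED_DLL_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64")

# Constructed sample: names a side-loaded DLL might impersonate. A real
# deployment would build this from an inventory of the host's System32 folder.
KNOWN_SYSTEM_DLL_NAMES = {"version.dll", "dwmapi.dll", "userenv.dll", "wininet.dll"}

# Constructed log format (an assumption, loosely modelled on Sysmon Event ID 7).
EVENT_RE = re.compile(
    r"Image=(?P<image>.+?)\s+ImageLoaded=(?P<module>.+?)\s+Signed=(?P<signed>true|false)\s*$",
    re.IGNORECASE,
)


@dataclass(frozen=True)
class ModuleLoad:
    image: str    # full path of the process that loaded the module
    module: str   # full path of the DLL that was loaded
    signed: bool  # whether the DLL carried a valid Authenticode signature


def parse_event(line: str) -> Optional[ModuleLoad]:
    """Parse one constructed log line; return None for lines that do not match."""
    m = EVENT_RE.match(line.strip())
    if not m:
        return None
    return ModuleLoad(m["image"], m["module"], m["signed"].lower() == "true")


def side_load_reasons(ev: ModuleLoad) -> List[str]:
    """Return the reasons an event looks like DLL side-loading (empty if benign)."""
    name = ntpath.basename(ev.module).lower()
    module_dir = ntpath.dirname(ev.module).lower()
    image_dir = ntpath.dirname(ev.image).lower()
    reasons: List[str] = []
    # Core signal: a system-library name served from somewhere other than the
    # system directories, i.e. the loader's search order was hijacked.
    if name in KNOWN_SYSTEM_DLL_NAMES and not module_dir.startswith(TRUSTED_DLL_DIRS):
        reasons.append("system DLL name loaded from a non-system directory")
        if module_dir == image_dir:
            reasons.append("DLL sits beside the host executable (side-loading layout)")
        if not ev.signed:
            reasons.append("DLL is unsigned")
    return reasons


def find_side_loads(lines: List[str]) -> List[Tuple[str, str, List[str]]]:
    """Scan log lines and return (process, module, reasons) for suspicious loads."""
    findings = []
    for line in lines:
        ev = parse_event(line)
        if ev is None:
            continue  # skip lines that are not module-load events
        reasons = side_load_reasons(ev)
        if reasons:
            findings.append((ev.image, ev.module, reasons))
    return findings


# Constructed sample events: a benign load of the real version.dll, a
# side-loading layout in a user-writable folder, a benign system load, an
# unrelated unsigned helper DLL, and a line that is not an event at all.
SAMPLE_LOG = [
    r"Image=C:\Program Files\Vendor\app.exe ImageLoaded=C:\Windows\System32\version.dll Signed=true",
    r"Image=C:\Users\Public\Updater\vendor_tool.exe ImageLoaded=C:\Users\Public\Updater\version.dll Signed=false",
    r"Image=C:\Windows\System32\svchost.exe ImageLoaded=C:\Windows\System32\dwmapi.dll Signed=true",
    r"Image=C:\Users\Public\Updater\vendor_tool.exe ImageLoaded=C:\Users\Public\Updater\helper.dll Signed=false",
    "this line is not a module-load event",
]

if __name__ == "__main__":
    for image, module, reasons in find_side_loads(SAMPLE_LOG):
        print(f"{image} loaded {module}: {'; '.join(reasons)}")
```

Only the second sample event is reported, with all three reasons. The check deliberately keys on the combination of a well-known library name and an unexpected load path rather than on any hash or filename specific to one campaign, which is what lets it survive the trace-removal behaviour the summary describes: the loader's on-disk layout has to exist at load time even if the files are deleted afterwards.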