WaterBear, DeuterBear Target Asia in Malicious Duet

A recent wave of cyberattacks has affected the Asia-Pacific region, impacting the technology, research, and government sectors. The attacks have been attributed to the hacker group BlackTech, known for its use of sophisticated methods to conceal its activity.

These attacks involved updated versions of malicious software, including the WaterBear backdoor and its enhanced version, DeuterBear. Trend Micro researchers note the difficulty of detecting and analyzing these programs because of their numerous evasion mechanisms. DeuterBear, an improvement over its predecessor, adds features to counter memory scanning and encrypts its data, making it even more dangerous.

BlackTech, also known as Earth Hundun and Circuit Panda, has been actively carrying out cyberattacks since 2007, constantly refining its methods. In September of last year, Japanese and US intelligence agencies linked the group's activity to China, highlighting its ability to modify router firmware and abuse domain trust relationships to gain network access.

BlackTech's activities remain clandestine thanks to its custom software and living-off-the-land (LotL) tactics, such as shutting down router protocols. The group's primary tool, the WaterBear malware, has been in use since 2009 and receives regular updates to improve its stealth. DeuterBear, introduced in 2022, employs obfuscation and uses HTTPS to communicate with its command-and-control (C2) servers, and is also updated regularly.

These sophisticated malicious programs can carry out approximately 50 commands, including managing processes and files, altering the Windows registry, and capturing screenshots. The continuous development of WaterBear and its variants since 2009 indicates BlackTech's ongoing efforts to improve its cyberattack methods.

The persistent advancement of attack tactics underscores the growing importance of strengthening cybersecurity measures to protect critical data and systems against hacker groups that deploy ever more advanced malicious programs in their operations.
