Security News > 2024 > May > China-Linked Hackers Adopt Two-Stage Infection Tactic to Deploy Deuterbear RAT
Interestingly, the RAT module is fetched twice from the attacker-controlled infrastructure, the first of which is just used to load the Waterbear plugin that subsequently launches a different version of the Waterbear downloader to retrieve the RAT module from another C&C server.
Put differently, the first Waterbear RAT serves as a downloader while the second Waterbear RAT functions as a backdoor, harvesting sensitive information from the compromised host through a set of 60 commands.
The infection pathway for Deuterbear is a lot similar to that of Waterbear in that it also implements two stages to install the RAT backdoor component, but also tweaks it to some extent.
The first stage, in this case, employs the loader to launch a downloader, which connects to the C&C server to fetch Deuterbear RAT in order to establish persistence by means of a second-stage loader via DLL side-loading.
Deuterbear RAT is also a more streamlined version of its predecessor, retaining only a subset of the commands in favor of a plugin-based approach to incorporate more functionality.
"SugarGh0st RAT is a remote access trojan, and is a customized variant of Gh0st RAT, an older commodity trojan typically used by Chinese-speaking threat actors," the company said.
News URL
https://thehackernews.com/2024/05/china-linked-hackers-adopt-two-stage.html
Related news
- Muddling Meerkat hackers manipulate DNS using China’s Great Firewall (source)
- China-Linked Hackers Suspected in ArcaneDoor Cyberattacks Targeting Network Devices (source)
- China-Linked Hackers Used ROOTROT Webshell in MITRE Network Intrusion (source)
- FIN7 Hacker Group Leverages Malicious Google Ads to Deliver NetSupport RAT (source)
- Researchers Warn of Chinese-Aligned Hackers Targeting South China Sea Countries (source)
- Andariel Hackers Target South Korean Institutes with New Dora RAT Malware (source)
- China-Backed Hackers Exploit Fortinet Flaw, Infecting 20,000 Systems Globally (source)
- China-Linked Hackers Infiltrate East Asian Firm for 3 Years Using F5 Devices (source)