Rewterz Threat Alert – Carderbee APT Group Utilizes Legitimate Software in Supply Chain Attack Targeting Organizations in Hong Kong – Active IOCs

Severity

High

Analysis Summary

A new Advanced Persistent Threat (APT) hacking group, named ‘Carderbee,’ has recently been identified engaging in cyberattacks against organizations primarily in Hong Kong and other parts of Asia. This group employs a unique approach by utilizing legitimate software, specifically Cobra DocGuard developed by the Chinese company EsafeNet, to compromise target computers with the PlugX malware.

The presence of PlugX malware, a known tool often used by Chinese state-backed threat groups, suggests a likely connection between Carderbee and the Chinese cyber threat landscape. The first traces of Carderbee’s activities were noticed by researchers in April 2023, but another report from September 2022 indicates that their operations might date back to September 2021. This suggests that the group might have been active for a longer period than initially observed.

The recent investigation reveals that Carderbee’s initial point of compromise involves a malicious update within the Cobra DocGuard software. Despite being installed on approximately 2,000 computers, malicious activity was only detected on around 100, suggesting a targeted approach focusing on high-value assets.

For the specifically targeted devices, Carderbee employs the Cobra DocGuard software updater to distribute various types of malware, including the PlugX malware. However, the exact method the group uses to execute this supply chain attack through the legitimate updater remains unclear.

The malware updates are delivered through a ZIP file downloaded from “cdn.stream-amazon[.]com/update.zip.” After decompression, the malware is executed through a file named “content.dll,” which acts as a downloader for the malicious payload. Interestingly, the PlugX downloader is signed with a certificate from Microsoft’s Windows Hardware Compatibility Publisher, making it harder to detect the malware.

The malicious DLL used by Carderbee includes drivers for both x64 and x86 architectures, allowing the creation of Windows services and registry entries that ensure the malware’s persistence on the compromised system. To avoid detection by antivirus software, PlugX is injected into the legitimate Windows system process “svchost.exe.”

The PlugX malware exhibited several capabilities in the attacks observed by Symantec, including command execution, file enumeration, monitoring running processes, file downloading, opening firewall ports, and keylogging.

Carderbee’s exact targeting focus is not fully clear. While there are indications of a potential connection to the ‘Budworm’ group, the extent of this relationship remains uncertain. The use of a supply chain attack, coupled with the use of signed malware, makes Carderbee a highly stealthy threat actor. Additionally, their strategic deployment of malware points to thorough preparation and reconnaissance before launching attacks.

“Software supply chain attacks remain a major issue for organizations in all sectors, with multiple high-profile supply chain attacks occurring in the last 12 months, including the MOVEit, X_Trader, and 3CX attacks.”, they conclude

Impact

• Information Theft and Espionage
• Reputational Damage

Indicators of Compromise

Domain Name

• cdn.stream-amazon.com
• cdn.ofo.ac
• gobay.info
• tjj.active-microsoft.com
• githubassets.akamaixed.net
• ms-g9-sites-prod-cdn.akamaixed.net
• ms-f7-sites-prod-cdn.akamaixed.net

MD5

• 85625c9cba2b18fed8a3971b709a94c2
• 954341609521cde45ce4f8e3db99f91b
• e191b8ac892c8a5b7e7e51335554d62a
• 5a122e86a8f134e42ebae8510404df3d
• 117c97ef49ae641ba988d95411ce7f92
• 648ea096099a8bf0c32d0a8ac04d4d68

SHA-256

• 96170614bbd02223dc79cec12afb6b11004c8edb8f3de91f78a6fc54d0844622
• 1ff7b55dde007b7909f43dd47692f7c171caa2897d663eb9db01001062b1fe9d
• 2400d8e66c652f4f8a13c99a5ffb67cb5c0510144b30e93122b1809b58614936
• 7e6d0f14302662f52e4379eb5b69a3749d8597e8f61266aeda74611258972a3d
• b5159f8ae16deda7aa5d55100a0eac6e5dacd1f6502689b543513a742353d1ea
• f64267decaa982c63185d92e028f52c31c036e85b2731a6e0bccdb8f7b646e97

SHA-1

• 38871fbd79a828bf610b79f8e46721a5cb04cad8
• fb0f69ac21dbc96ff57bb53977a1aa4b914be9c9
• 6243294326ab23f49542395b0513d1d4f4843c83
• a03782c1fa732ba7d829c3e5b852fcdc06a0bf5d
• 0bd01aa647fd21d7dd551a380e4ca3a0b52e6f2a
• bcaf97d5755cda7e1c48fda45df062144b39cc8b

IP

• 45.76.179.209
• 104.238.151.104

Remediation

• Block all threat indicators at your respective controls.
• Search for Indicators of compromise (IOCs) in your environment utilizing your respective security controls
• Maintain a rigorous software update and patch management process to ensure that all software and systems are up-to-date with the latest security fixes.
• Validate the authenticity and integrity of software updates by verifying digital signatures and using trusted sources.
• Implement a robust software supply chain security strategy.
• Regularly review and assess the security practices of suppliers and vendors to identify potential risks.
• Implement network segmentation to isolate critical systems from less secure parts of the network. This limits the lateral movement of attackers if they gain initial access.
• Enforce the principle of least privilege, granting users only the minimum permissions required to perform their tasks.
• Implement multi-factor authentication (MFA) for accessing sensitive systems and data.
• Deploy advanced threat detection solutions that use behavioral analysis and anomaly detection to identify unusual activities that may indicate a breach or compromise.
• Use next-generation endpoint protection tools that can detect and block suspicious activities on endpoints.
• Employ application whitelisting to prevent unauthorized applications from running on endpoints.
• Develop and regularly test an incident response plan that outlines steps to take in the event of a security breach.
• Educate employees about the dangers of phishing, social engineering, and other common attack vectors. Conduct cybersecurity training sessions.
• Monitor network traffic for unusual or unauthorized activity. Implement intrusion detection and prevention systems (IDS/IPS) to detect and block malicious traffic.
• Ensure that third-party vendors and suppliers follow secure coding practices and adhere to cybersecurity best practices.