A new Advanced Persistent Threat (APT) hacking group, named ‘Carderbee,’ has recently been identified engaging in cyberattacks against organizations primarily in Hong Kong and other parts of Asia. This group employs a unique approach by utilizing legitimate software, specifically Cobra DocGuard developed by the Chinese company EsafeNet, to compromise target computers with the PlugX malware.
The presence of PlugX malware, a known tool often used by Chinese state-backed threat groups, suggests a likely connection between Carderbee and the Chinese cyber threat landscape. The first traces of Carderbee’s activities were noticed by researchers in April 2023, but another report from September 2022 indicates that their operations might date back to September 2021. This suggests that the group might have been active for a longer period than initially observed.
The recent investigation reveals that Carderbee’s initial point of compromise is a malicious update delivered through the Cobra DocGuard software. Although the software was installed on approximately 2,000 computers, malicious activity was detected on only around 100 of them, suggesting a targeted approach focused on high-value assets.
For the specifically targeted devices, Carderbee employs the Cobra DocGuard software updater to distribute various types of malware, including the PlugX malware. However, the exact method the group uses to execute this supply chain attack through the legitimate updater remains unclear.
The malware updates are delivered through a ZIP file downloaded from “cdn.stream-amazon[.]com/update.zip.” After decompression, the malware is executed through a file named “content.dll,” which acts as a downloader for the malicious payload. Interestingly, the PlugX downloader is signed with a certificate from Microsoft’s Windows Hardware Compatibility Publisher, making it harder to detect the malware.
The malicious DLL used by Carderbee includes drivers for both x64 and x86 architectures, allowing the creation of Windows services and registry entries that ensure the malware’s persistence on the compromised system. To avoid detection by antivirus software, PlugX is injected into the legitimate Windows system process “svchost.exe.”
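As an added example (not part of the original report), the following Python triage scan flags the behaviours described above in constructed, simplified Sysmon-style event records: the download from the article's CDN host, the dropped update.zip, the content.dll image load, a driver service registered outside the Windows directory, and a remote thread into svchost.exe. Field names mirror common Sysmon fields, and the DocGuard paths are constructed placeholders, not the product's real install location.

```python
# Added example: detection heuristics for the Carderbee chain described above.
# Indicators below are the ones quoted in the article; the event records are
# constructed sample data, not real telemetry.
SUSPECT_HOST = "cdn.stream-amazon.com"   # update.zip download host (defanged in the article)
SUSPECT_ARCHIVE = "update.zip"           # archive fetched by the DocGuard updater
SUSPECT_DLL = "content.dll"              # downloader DLL extracted from the ZIP
INJECT_TARGET = "svchost.exe"            # process PlugX is injected into


def refang(host):
    """Normalise a defanged hostname such as cdn.stream-amazon[.]com."""
    return host.replace("[.]", ".").lower()


def scan_events(events):
    """Return (event_index, rule_name) pairs for events matching a heuristic."""
    findings = []
    for i, ev in enumerate(events):
        kind = ev.get("EventType")
        if kind == "NetworkConnect" and refang(ev.get("DestinationHostname", "")) == SUSPECT_HOST:
            findings.append((i, "download_from_carderbee_cdn"))
        if kind == "FileCreate" and ev.get("TargetFilename", "").lower().endswith("\\" + SUSPECT_ARCHIVE):
            findings.append((i, "update_zip_dropped"))
        if kind == "ImageLoad" and ev.get("ImageLoaded", "").lower().endswith("\\" + SUSPECT_DLL):
            findings.append((i, "content_dll_loaded"))
        # Heuristic: kernel drivers installed as services from outside C:\Windows.
        if kind == "ServiceInstall" and not ev.get("ImagePath", "").lower().startswith("c:\\windows\\"):
            findings.append((i, "service_outside_windows_dir"))
        if kind == "CreateRemoteThread" and ev.get("TargetImage", "").lower().endswith("\\" + INJECT_TARGET):
            findings.append((i, "injection_into_svchost"))
    return findings


# Constructed sample events (hypothetical paths); the last one is benign noise.
SAMPLE_EVENTS = [
    {"EventType": "NetworkConnect", "Image": "C:\\Program Files\\DocGuard\\updater.exe",
     "DestinationHostname": "cdn.stream-amazon[.]com"},
    {"EventType": "FileCreate", "Image": "C:\\Program Files\\DocGuard\\updater.exe",
     "TargetFilename": "C:\\Program Files\\DocGuard\\update.zip"},
    {"EventType": "ImageLoad", "Image": "C:\\Program Files\\DocGuard\\updater.exe",
     "ImageLoaded": "C:\\Program Files\\DocGuard\\content.dll"},
    {"EventType": "ServiceInstall", "ImagePath": "C:\\ProgramData\\tmp\\drv64.sys"},
    {"EventType": "CreateRemoteThread", "SourceImage": "C:\\Program Files\\DocGuard\\updater.exe",
     "TargetImage": "C:\\Windows\\System32\\svchost.exe"},
    {"EventType": "NetworkConnect", "Image": "C:\\Windows\\System32\\svchost.exe",
     "DestinationHostname": "update.microsoft.com"},
]

if __name__ == "__main__":
    for idx, rule in scan_events(SAMPLE_EVENTS):
        print(f"event {idx}: {rule}")
```

The service-path rule is a broad heuristic and will need tuning against legitimate third-party drivers in your environment.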
The PlugX malware exhibited several capabilities in the attacks observed by Symantec, including command execution, file enumeration, monitoring running processes, file downloading, opening firewall ports, and keylogging.
Carderbee’s exact targeting focus is not fully clear. While there are indications of a potential connection to the ‘Budworm’ group, the extent of this relationship remains uncertain. The use of a supply chain attack, coupled with the use of signed malware, makes Carderbee a highly stealthy threat actor. Additionally, their strategic deployment of malware points to thorough preparation and reconnaissance before launching attacks.
“Software supply chain attacks remain a major issue for organizations in all sectors, with multiple high-profile supply chain attacks occurring in the last 12 months, including the MOVEit, X_Trader, and 3CX attacks,” the researchers conclude.