A previously unidentified APT hacking group named ‘Carderbee’ was observed attacking organizations in Hong Kong and other regions in Asia, using legitimate software to infect targets’ computers with the PlugX malware.
Symantec reports that the legitimate software used in the supply chain attack is Cobra DocGuard, created by Chinese developer’ EsafeNet,’ and used in security applications for data encryption/decryption.
The fact that Carderbee uses PlugX, a malware family widely shared among Chinese state-backed threat groups, indicates that this novel group is likely linked to the Chinese threat ecosystem.
A supply chain attack
Symantec’s researchers spotted the first signs of Carderbee activity in April 2023. However, an ESET report from September 2022 highlights a malicious update in Cobra DocGuard being used as the initial compromise point, so the threat actor’s activity might date back to September 2021.
Symantec said they saw the Cobra DocGuard software installed on 2,000 computers but only observed malicious activity in 100, indicating that the threat actors only further compromised high-value targets.
For those targeted devices, Carderbee used the DocGuard software updater to deploy a range of malware strains, including PlugX. However, it remains unclear how the threat actors were able to conduct the supply chain attack using the legitimate updater.
The updates arrive in the form of a ZIP file fetched from “cdn.streamamazon[.]com/update.zip,” which is decompressed to execute “content.dll,” which acts as a malware downloader.
Interestingly, the downloader for PlugX malware is digitally signed using a certificate from Microsoft, specifically Microsoft Windows Hardware Compatibility Publisher, making detecting the malware more challenging.
Microsoft disclosed in December 2022 that hackers abused Microsoft hardware developer accounts to sign malicious Windows drivers and post-compromise rootkits.
The malicious DLL pushed by Carderbee also contains x64 and x86 drivers, used to create the Windows services and registry entries required for persistence.
Eventually, PlugX is injected into the legitimate ‘svchost.exe’ (Service Host) Windows system process to evade AV detection.
The PlugX sample seen by Symantec in these attacks features the following capabilities:
- Command execution via CMD
- File enumeration
- Checking running processes
- File downloading
- Firewall ports opening
Symantec says Carderbee’s exact targeting scope remains murky. While links to the ‘Budworm’ group are likely based on the collected evidence, the extent of their relationship remains unclear.
The use of a supply chain attack and signed malware makes this new threat very stealthy, and the selective deployment of malware indicates high-level preparation and reconnaissance.