A newly discovered advanced persistent threat (APT) actor has been observed deploying the PlugX backdoor via a supply chain attack, mainly targeting organizations in Hong Kong, Symantec reports.
Dubbed Carderbee, the adversary was seen abusing the legitimate Cobra DocGuard software, which helps users protect, encrypt, and decrypt applications. The tool is developed by EsafeNet, which is owned by Chinese information security firm NSFocus.
In September 2022, following a malicious update, Cobra DocGuard was abused in a supply chain attack targeting a gambling company in Hong Kong. The attack was attributed to APT27 (Budworm, LuckyMouse), which compromised the same company in September 2021.
Starting in April 2023, Symantec observed a signed version of the PlugX backdoor (also known as Korplug) being delivered in a Cobra DocGuard supply chain attack targeting organizations in Hong Kong and other parts of Asia, but could not link the activity to a known threat actor.
“Korplug is a backdoor that is known to be used by multiple APTs, including APT41 and Budworm. It was not possible to link this activity definitively to a known group, which is why we attributed it to a new group, Carderbee,” Symantec notes.
The security firm identified malicious activity on roughly 100 computers – out of approximately 2,000 running Cobra DocGuard – within the targeted organizations and observed multiple malware families being deployed using the same supply chain compromise attack.
“In one interesting case, a downloader deployed by the attackers had a digitally signed certificate from Microsoft, called Microsoft Windows Hardware Compatibility Publisher. This downloader was used to install the Korplug backdoor on targeted systems,” Symantec explains.
The downloader attempted to fetch a ZIP archive that would execute the PlugX backdoor in memory, allowing the attackers to execute commands, enumerate files and running processes, download files, open firewall ports, and log keystrokes.
According to Symantec, the activity was likely performed by “patient and skilled actors” who attempted to stay under the radar by combining a supply chain attack with malware signed using a valid certificate.
“The fact that they appear to only deploy their payload on a handful of the computers they gain access to also points to a certain amount of planning and reconnaissance on behalf of the attackers behind this activity,” the cybersecurity firm notes.
Symantec has not linked Carderbee to any country, but attacks involving PlugX malware and ones aimed at Hong Kong are typically conducted by Chinese state-sponsored threat actors.