A newly discovered advanced persistent threat (APT) actor has been observed deploying the PlugX backdoor via a supply chain attack, mainly targeting organizations in Hong Kong, Symantec reports.
Dubbed Carderbee, the adversary was seen abusing the legitimate Cobra DocGuard software, which helps users protect, encrypt, and decrypt applications. The tool is developed by EsafeNet, which is owned by Chinese information security firm NSFocus.
In September 2022, following a malicious update, Cobra DocGuard was abused in a supply chain attack targeting a gambling company in Hong Kong. The attack was attributed to APT27 (Budworm, LuckyMouse), which compromised the same company in September 2021.
Starting in April 2023, Symantec observed a signed version of the PlugX backdoor (also known as Korplug) being delivered in a Cobra DocGuard supply chain attack targeting organizations in Hong Kong and other parts of Asia, but could not link the activity to a known threat actor.
“Korplug is a backdoor that is known to be used by multiple APTs, including APT41 and Budworm. It was not possible to link this activity definitively to a known group, which is why we attributed it to a new group, Carderbee,” Symantec notes.
The security firm identified malicious activity on roughly 100 computers – out of approximately 2,000 running Cobra DocGuard – within the targeted organizations and observed multiple malware families being deployed using the same supply chain compromise attack.
“In one interesting case, a downloader deployed by the attackers had a digitally signed certificate from Microsoft, called Microsoft Windows Hardware Compatibility Publisher. This downloader was used to install the Korplug backdoor on targeted systems,” Symantec explains.
The downloader attempted to fetch a ZIP archive that would execute the PlugX backdoor in memory, allowing the attackers to execute commands, enumerate files and running processes, download files, open firewall ports, and log keystrokes.
According to Symantec, the activity was likely performed by “patient and skilled actors” who attempted to stay under the radar by using both a supply chain attack and malware signed with a valid certificate.
“The fact that they appear to only deploy their payload on a handful of the computers they gain access to also points to a certain amount of planning and reconnaissance on behalf of the attackers behind this activity,” the cybersecurity firm notes.
Symantec has not linked Carderbee to any country, but attacks involving PlugX malware and ones aimed at Hong Kong are typically conducted by Chinese state-sponsored threat actors.
More from Ionut Arghire