Carderbee Hacking Group Hits Hong Kong Orgs in Supply Chain Attack

Cyber Security Threat Summary:
An undisclosed Advanced Persistent Threat (APT) hacking collective known as 'Carderbee' has been detected launching assaults on various institutions situated in Hong Kong and other parts of Asia. This group employs authentic software to infiltrate victims' machines with the PlugX malware. According to findings from Symantec, the legitimate software involved in this supply chain breach is Cobra DocGuard, designed by the Chinese developer 'EsafeNet.' This software is typically employed in security applications for tasks like data encryption and decryption. The use of the PlugX malware, which has been associated with Chinese state-backed threat factions, suggests a probable connection between Carderbee and the Chinese cyber threat landscape. Initial indications of Caderbee’s operations were identified by researchers at Symantec in April of 2023. Nevertheless, an ESET report issued in September 2022 draws attention to a malevolent update within Cobra DocGaurd that served as the initial point of compromise. Consequently, it’s plausible that the activities of this threat actor could extend as far back as September 2021.

“Symantec said they saw the Cobra DocGuard software installed on 2,000 computers but only observed malicious activity in 100, indicating that the threat actors only further compromised high-value targets. For those targeted devices, Carderbee used the DocGuard software updater to deploy a range of malware strains, including PlugX. However, it remains unclear how the threat actors were able to conduct the supply chain attack using the legitimate updater. The updates arrive in the form of a ZIP file fetched from "cdn[.]streamamazon[.]com/update[.]zip," which is decompressed to execute "content[.]dll," which acts as a malware downloader. Interestingly, the downloader for PlugX malware is digitally signed using a certificate from Microsoft, specifically Microsoft Windows Hardware Compatibility Publisher, making detecting the malware more challenging” (BleepingComputer, 2023).

Security Officer Comments:
In December 2022, Microsoft revealed that hackers misused Microsoft hardware developer accounts to sign malicious Windows drivers and distribute post-compromise rootkits. The malevolent DLL released by Caderbee includes x64 and x86 drivers for establishing Windows services and necessary registry entries for persistence. Subsequently, PlugX is injected into the authentic ‘svchost[.]exe’ Windows system process to avoid antivirus detection. The PlugX variant witnessed in these assaults showcases a range of capabilities, including command execution, file enumeration, process monitoring, file downloading, opening firewall ports, and keylogging. According to Symantec, Caderbee’s specific targets remain unclear, although potential connections to the Budworm group exist based on evidence. However, the nature of their relationship remains uncertain.

Suggested Correction(s):

    Organizations can make APT groups’ lives more difficult. Here’s how:
  • Defense-in-depth strategy: A comprehensive defense-in-depth strategy is crucial to combat APTs. This includes implementing multiple layers of security controls, such as strong perimeter defenses, network segmentation, endpoint protection, intrusion detection systems, data encryption, access controls, and continuous monitoring for anomalies.
  • Threat intelligence and sharing: Ideally, organizations should actively participate in threat intelligence sharing communities and collaborate with industry peers, government agencies, and security vendors. Sharing information about APTs and their techniques can help detect and mitigate attacks more effectively.
  • Employee education and awareness: Regular security awareness programs, phishing simulations, and training sessions can educate employees about the latest threats, social engineering techniques, and safe computing practices.
  • Incident response and recovery: Despite preventive measures, organizations should have a well-defined incident response plan. This includes incident detection, containment, eradication, and recovery procedures to minimize the impact of APT attacks and restore normal operations.