Newly Discovered APT Group 'Carderbee' Strikes Hong Kong and Asia with PlugX Malware via Legitimate Cobra DocGuard Software, Suggesting Chinese State Links

Continue reading
In a constantly evolving realm of threat landscape, a newly discovered threat group named 'Carderbee,' has emerged, focusing its malevolent intentions on organizations in Hong Kong and across Asian regions.
This formidable group employs cunning tactics, utilizing legitimate software to infiltrate their target's systems with the notorious PlugX malware. What's particularly intriguing is the potential connection between Carderbee and the Chinese state, as they appear to be well-versed in utilizing state-affiliated tools. In this Threat Research, we will analyze Carderbee's malicious operations, unveiling their tactics and potential Chinese state affiliations.
It was initially detected as a sign of Carderbee's activity in April 2023. However, the report suggests that the threat actor's operations may date back to September 2021. The linchpin of their approach is a supply chain attack, leveraging the unsuspecting Cobra DocGuard software, crafted by Chinese developer EsafeNet, and typically used for data encryption and decryption in security applications.
Cobra DocGuard Client, developed by EsafeNet, seemingly serves a dual purpose: safeguarding data through encryption and decryption while being manipulated by Carderbee for nefarious activities. This duality underscores the complexity of supply chain attacks, where seemingly legitimate software becomes a vector for cyber threats.
While the Cobra DocGuard software was installed on approximately 2,000 computers, malicious activity was observed on only 100 of them. This selectiveness indicates that Carderbee meticulously chooses high-value targets, highlighting their precision in victim selection.
The precise mechanics of how Carderbee conducts this supply chain attack using the legitimate Cobra DocGuard updater remain shrouded in mystery. Their operation involves delivering updates in the form of a ZIP file retrieved from _"cdn.streamamazon[.]com/update.zip."_ Upon decompression, this ZIP file executes _"content.dll,"_ a cunningly disguised malware downloader.
One aspect that amplifies the challenge of detecting Carderbee's activities is the downloader's digital signature. It proudly bears the seal of Microsoft, specifically the Microsoft Windows Hardware Compatibility Publisher. This deceptive use of a legitimate certificate showcases the group's sophistication in evading security measures.
Carderbee's malevolent DLL not only acts as a downloader but also contains x64 and x86 drivers. These drivers are strategically employed to establish Windows services and registry entries, ensuring persistence on compromised systems.
To further obfuscate their actions, Carderbee injects the PlugX malware into the legitimate 'svchost.exe' (Service Host) Windows system process. This clever maneuver allows them to evade detection by traditional antivirus systems.
Once PlugX infiltrates a system, it deploys a range of capabilities:
While Carderbee's operations are similar to the 'Budworm' group, the extent of their relationship remains uncertain. Carderbee's exact targeting scope also remains shrouded in ambiguity. The group's discretion and selectivity in deploying malware suggest meticulous planning and reconnaissance.
Carderbee's approach combines two potent elements: supply chain attacks and digitally signed malware. This fusion renders their activities exceptionally stealthy and hard to detect. Their careful deployment of malware further underscores their high level of preparation and reconnaissance.
Carderbee threat group serves as a stark reminder of the sophistication and adaptability of malicious actors. As organizations grapple with the escalating threats posed by supply chain attacks and digitally signed malware, vigilance and robust security measures are imperative. The pursuit of answers regarding Carderbee's motives and affiliations continues, leaving the cybersecurity community on high alert.
For those in the cybersecurity community, the following indicators of compromise (IOCs) are crucial for identifying and mitigating Carderbee's threat:
45.76.179[.]209 104.238.151[.]104
http://111.231.100[.]228:8888/CDGServer3/UpgradeService2 http://103.151.28[.]11:8090/CDGServer3/UpgradeService2
cdn.stream-amazon[.]com cdn.ofo[.]ac gobay[.]info tjj.active-microsoft[.]com githubassets.akamaixed[.]net ms-g9-sites-prod-cdn.akamaixed[.]net ms-f7-sites-prod-cdn.akamaixed[.]net