A previously undocumented Chinese threat actor called “Carderbee” has been linked to a supply chain attack targeting organizations in Hong Kong and other regions in Asia.
According to a new report from the Symantec Threat Hunter Team, part of Broadcom, the group deployed the Korplug backdoor (also known as PlugX) on victim systems through Cobra DocGuard, a legitimate security software product from a Chinese vendor.
In September 2022, ESET reported that a malicious Cobra DocGuard update had been used to compromise a gambling company in Hong Kong. The same company had been breached in September 2021 by the same technique, that time by Budworm (aka LuckyMouse, APT27), which led ESET to attribute the September 2022 intrusion to Budworm as well. That attack also involved a new variant of Korplug, a backdoor previously used by multiple China-linked threat actors, including APT41.
The more recent campaign discovered by Symantec began in April 2023. Malicious activity was observed on nearly 100 machines in the affected organizations, while Cobra DocGuard was installed on around 2,000 computers across them, which suggests that the attacker delivered its payload only to selected hosts rather than to every machine running the software.
Symantec says it observed the threat actor deploying multiple distinct malware families. In one case, a downloader deployed by the group was digitally signed with a Microsoft certificate whose signer is "Microsoft Windows Hardware Compatibility Publisher", the certificate Microsoft uses to sign third-party drivers submitted through its hardware compatibility program. A valid signature from that signer shows that the file went through Microsoft's signing process, not that Microsoft wrote it, so endpoint controls that treat Microsoft-signed code as trusted by default may let such a downloader run.
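One practical check that follows from the signed-downloader detail is to hunt for user-mode executables carrying the WHCP publisher signature: a file signed that way is normal for a kernel driver and unusual for an .exe or .dll sitting in a program or profile directory. The script below is an added example, not code from the Symantec report or from the Carderbee tooling; the search roots, the output fields and the choice to exclude the drivers directory are assumptions chosen for the illustration, and it uses only the built-in Get-AuthenticodeSignature and Get-FileHash cmdlets.

```powershell
# Added hunting example (not from the Symantec report): list user-mode binaries whose
# Authenticode signer is Microsoft's hardware-compatibility publisher certificate.
# A 'Valid' status means the chain verifies, not that the file is benign.
$WhcpSignerCn = 'CN=Microsoft Windows Hardware Compatibility Publisher'

# Assumed hunt scope: locations where third-party user-mode code normally lives.
$SearchRoots = @(
    $env:ProgramData,
    $env:ProgramFiles,
    ${env:ProgramFiles(x86)},
    $env:USERPROFILE,
    "$env:SystemRoot\Temp"
) | Where-Object { $_ -and (Test-Path $_) }

function Find-WhcpSignedUserModeBinaries {
    param([string[]]$Roots = $SearchRoots)

    foreach ($root in $Roots) {
        Get-ChildItem -Path $root -Recurse -File -Include *.exe, *.dll -ErrorAction SilentlyContinue |
        ForEach-Object {
            $file = $_
            $sig  = Get-AuthenticodeSignature -FilePath $file.FullName

            # Only files that actually carry a verifiable signature are interesting here;
            # unsigned or broken-signature files are a different hunt.
            if ($sig.Status -ne 'Valid' -or -not $sig.SignerCertificate) { return }

            # Kernel drivers are expected to carry this signer; exclude the drivers directory
            # (assumption: the hunt is for WHCP-signed code outside its normal home).
            if ($file.FullName -like "$env:SystemRoot\System32\drivers\*") { return }

            if ($sig.SignerCertificate.Subject -like "$WhcpSignerCn*") {
                [pscustomobject]@{
                    Path       = $file.FullName
                    Signer     = $sig.SignerCertificate.Subject
                    Thumbprint = $sig.SignerCertificate.Thumbprint
                    NotBefore  = $sig.SignerCertificate.NotBefore
                    SHA256     = (Get-FileHash -Path $file.FullName -Algorithm SHA256).Hash
                }
            }
        }
    }
}

# Usage: run elevated so protected directories are readable; review each hit by hand.
Find-WhcpSignedUserModeBinaries | Sort-Object Path | Format-Table -AutoSize
```

Hits are leads, not verdicts: some legitimate installers ship user-mode helper components signed through the same program. The hash and thumbprint columns are there so each hit can be checked against threat-intelligence sources and so a confirmed malicious thumbprint can be turned into a blocklist entry rather than a blanket distrust of Microsoft-signed code.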
“It seems clear that the attackers behind this activity are patient and skilled actors. They leverage both a supply chain attack and signed malware to carry out their activity in an attempt to stay under the radar. The fact that they appear to only deploy their payload on a handful of the computers they gain access to also points to a certain amount of planning and reconnaissance on behalf of the attackers behind this activity,” the researchers concluded.