Malicious Software Updates

A previously undocumented threat cluster has been linked to a software supply chain attack targeting organizations primarily located in Hong Kong and other regions in Asia.

The Symantec Threat Hunter Team, part of Broadcom, is tracking the activity under its insect-themed moniker Carderbee.

The attacks, per the cybersecurity firm, leverage a trojanized version of a legitimate software called EsafeNet Cobra DocGuard Client to deliver a known backdoor known as PlugX (aka Korplug) on victim networks.

"In the course of this attack, the attackers used malware signed with a legitimate Microsoft certificate," the company said in a report shared with The Hacker News.


The use of Cobra DocGuard Client to pull off a supply chain attack was previously highlighted by ESET in its quarterly APT Activity Report this year, detailing a September 2022 intrusion in which an unnamed gambling company in Hong Kong was compromised via a malicious update pushed by the software.

The company is said to have been infected before in September 2021 using the same technique. The attack, linked to a Chinese threat actor named Lucky Mouse (aka APT27, Budworm, or Emissary Panda), ultimately led to the deployment of PlugX.

Despite these commonalities, the latest campaign spotted by Symantec in April 2023 lacks conclusive evidence to tie it to the aforementioned actor. Furthermore, the fact that PlugX is shared by a variety of China-linked hacking groups makes attribution difficult.

As many as 100 computers in the impacted organizations are said to have been infected, although the Cobra DocGuard Client application was installed on roughly 2,000 endpoints, suggesting a focus on high-value targets. The exact method used to conduct the supply chain attack is not known at this stage.

"The malicious software was delivered to the following location on infected computers, which is what indicates that a supply chain attack or malicious configuration involving Cobra DocGuard is how the attackers compromised affected computers: 'csidl_system_drive\program files\esafenet\cobra docguard client\update,'" Syamtec said.


In one instance, the breach functioned as a conduit to deploy a downloader with a digitally signed certificate from Microsoft, which subsequently was used to retrieve and install PlugX from a remote server.

The modular implant gives attackers a secret backdoor on infected platforms so they can go on to install additional payloads, execute commands, capture keystrokes, enumerate files, and track running processes, among others.

The findings shed light on the continued use of Microsoft-signed malware by threat actors to conduct post-exploitation activities and bypass security protections.

That having said, it's unclear where Carderbee is based or what its ultimate goals are, and if it has any connections to Lucky Mouse. Many other details about the group remain undisclosed or unknown. But the use of PlugX hints at a Chinese connection.

"It seems clear that the attackers behind this activity are patient and skilled actors," Symantec said. "They leverage both a supply chain attack and signed malware to carry out their activity in an attempt to stay under the radar."

"The fact that they appear to only deploy their payload on a handful of the computers they gain access to also points to a certain amount of planning and reconnaissance on behalf of the attackers behind this activity."

Found this article interesting? Follow us on Twitter and LinkedIn to read more exclusive content we post.