Previously Unknown APT Uses Supply Chain Hack to Reach Victims
A previously unknown threat group orchestrated a supply chain attack using a Chinese encryption app to target victims mostly located in Hong Kong.
Researchers at Symantec said threat actors had weaponized Cobra DocGuard software to install a backdoor in approximately 2,000 systems. The researchers detected malicious activity in a subset of about 100 computers, suggesting the threat actors may be targeting specific victims.
The Cobra DocGuard encryption software is produced by EsafeNet, which is owned by Beijing-based NSFocus. Korplug, the backdoor incorporated into the encryption app, “is known to be used by multiple APT groups,” Symantec says. It’s also known as PlugX. Unable to link the activity to any known threat group, Symantec named the new group Carderbee.
This isn’t the first time Cobra DocGuard has been used as a delivery vehicle by hackers focused on East Asia, nor the first time Korplug has been dropped through it. Cybersecurity company ESET in September 2022 detected the Chinese cyberespionage group LuckyMouse, also known as APT27, Iron Tiger and Emissary Panda, using a malicious update of the Cobra DocGuard software to plant a variant of the Korplug malware into the systems of a Hong Kong-based gambling company.
Security researchers from Mandiant more recently spotted a Chinese espionage threat group known as Temp.Hex distributing Korplug using USB drives (see: Breach Roundup: IT Worker Sentenced for Impersonation).
The Korplug version examined by Symantec acts as a keylogger and can enumerate files, check running processes, download files and open firewall ports. Symantec researchers spotted a malicious updater embedded into Cobra DocGuard that acted as a conduit for multiple distinct malware families. In one case, the downloader the attackers used to install Korplug was digitally signed with a legitimate Microsoft certificate, specifically one issued to Microsoft’s Windows Hardware Compatibility Publisher. Microsoft warned in July that several accounts in its Windows Hardware Developer Program had submitted malicious drivers to obtain Microsoft signatures, and that the resulting signed drivers were being used in post-exploitation activity.
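A signed downloader is the practical problem for defenders here: a valid signature from Microsoft’s hardware publisher certificate is exactly what endpoint tooling is trained to trust. The following PowerShell is an added illustration, not code from the article, Symantec or Microsoft. It lists executables, DLLs and drivers under a few paths whose Authenticode signer matches the Windows Hardware Compatibility Publisher subject, flags those living outside the Windows directory, and records their SHA-256 so they can be compared against published indicators. The default paths and the signer pattern are assumptions for the example.

```powershell
# Added example (not from the article or the vendors it cites): find binaries
# signed by Microsoft's WHCP publisher certificate and flag the ones that sit
# outside %SystemRoot%, where a user-mode downloader is unlikely to belong.
param(
    # Assumed starting points; adjust for the host being triaged.
    [string[]]$Paths = @("$env:SystemRoot\System32\drivers", "$env:ProgramData", "$env:TEMP"),
    # Assumed match on the subject CN of the WHCP signing certificate.
    [string]$SignerPattern = 'Microsoft Windows Hardware Compatibility Publisher'
)

function Find-WhcpSignedBinaries {
    param([string[]]$Roots, [string]$Pattern)

    foreach ($root in $Roots) {
        if (-not (Test-Path -LiteralPath $root)) { continue }

        Get-ChildItem -Path $root -Recurse -File -Include *.exe, *.dll, *.sys -ErrorAction SilentlyContinue |
            ForEach-Object {
                $sig = Get-AuthenticodeSignature -FilePath $_.FullName
                # Only files that carry a certificate whose subject matches the pattern.
                if ($sig.SignerCertificate -and $sig.SignerCertificate.Subject -match $Pattern) {
                    [pscustomobject]@{
                        Path      = $_.FullName
                        Status    = $sig.Status                 # Valid / NotSigned / HashMismatch ...
                        Subject   = $sig.SignerCertificate.Subject
                        NotBefore = $sig.SignerCertificate.NotBefore
                        Sha256    = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash
                        # A WHCP-signed driver under %SystemRoot% is normal; the same
                        # signature on something in ProgramData or Temp is worth a look.
                        OutsideWindows = -not $_.FullName.StartsWith(
                            "$env:SystemRoot\", [System.StringComparison]::OrdinalIgnoreCase)
                    }
                }
            }
    }
}

Find-WhcpSignedBinaries -Roots $Paths -Pattern $SignerPattern |
    Sort-Object OutsideWindows -Descending |
    Format-Table Path, Status, OutsideWindows, Sha256 -AutoSize
```

A `Status` of `Valid` does not clear a file: the whole point of the abuse Microsoft described is that the signature checks out. Treat the `OutsideWindows` hits as triage candidates, check their hashes against the indicators Symantec published for this campaign, and confirm that the driver block rules Microsoft ships with Windows are current on the host.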
Symantec said it could not determine whether Carderbee had targeted specific sectors or organizations, but it said the group had carried out careful planning and reconnaissance before conducting attacks.