A previously undetected APT hacking group called Carderbee, has been detected engaging in cyberattacks on entities located in Hong Kong and neighboring Asian regions. The group employed authentic software to implant the PlugX malware into the targeted computers.
Diving into details
According to findings from Symantec, the legitimate software exploited in this supply chain attack is known as Cobra DocGuard. This software is developed by the Chinese company EsafeNet and is commonly utilized in security solutions for tasks such as data encryption and decryption.
- Cobra DocGuard was present on approximately 2,000 computers. However, out of these, only about 100 exhibited signs of malicious behavior. This discrepancy suggests that the attackers were selectively targeting high-value entities for further compromise.
- Carderbee leveraged the DocGuard software updater to introduce various strains of malware, among them PlugX.
- The downloader used for the PlugX malware bore a digital signature from Microsoft Windows Hardware Compatibility Publisher. This specific signature complicates the detection of the malware, adding an additional layer of challenge for identification.
Attribution
As per an ESET report dated September 2022, an illicit update of the DocGuard software was employed to compromise a Hong Kong-based gambling establishment.
- Remarkably, this same gambling company had fallen victim to a similar technique in September 2021, executed by the Budworm group, aka LuckyMouse or APT27. This history led ESET to ascribe the September 2022 assault to Budworm as well.
- During this incident, a new version of the PlugX malware was also spotted. It featured the distinct header "ESET," hinting at potential alterations aimed at evading ESET's protective products.
- However, there was insufficient evidence to definitively link this latest supply chain attack to the Budworm group.
The bottom line
The adversaries evidently possess considerable expertise and patience. Employing a combination of supply chain exploitation and digitally signed malware, they have been evading detection while conducting the campaign. Software supply chain attacks continue to pose a significant challenge for organizations across various industries. Strengthening supply chain security through thorough vendor assessments and continuous monitoring is essential.
Publisher
/https://cyware-ent.s3.amazonaws.com/image_bank/9509_shutterstock_1339130870.jpg)
/https://cyware-ent.s3.amazonaws.com/image_bank/a299_shutterstock_2189729351.jpg)
