Carderbee, a previously unknown threat group, has deployed the Korplug backdoor, also known as PlugX, onto targeted computers, most of them in Hong Kong and a few in other parts of Asia.
Cybersecurity researchers from Symantec’s Threat Hunter Team discovered the previously unknown advanced persistent threat (APT) actor, which has been running a supply chain attack that abuses legitimate software and a downloader signed with a Microsoft certificate.
What makes this attack particularly alarming is the group’s abuse of the legitimate Cobra DocGuard software, developed by the China-based company EsafeNet, to reach victims’ systems. Cobra DocGuard is marketed for software protection, encryption and decryption.
Carderbee’s modus operandi involves compromising the Cobra DocGuard update mechanism, allowing the attackers to deliver malicious payloads through the software’s updates. Malicious software was observed on around 2,000 computers, but the attackers pushed payloads to only about 100 of them, indicating highly selective, strategic targeting. This selectivity likely helped the group keep a low profile and evade detection for an extended period.
A significant aspect of this attack is the use of a certificate issued by Microsoft. The downloader that installed the Korplug backdoor was signed with a Microsoft Windows Hardware Compatibility Publisher certificate, a signature that endpoint security tools tend to trust. The downloader fetched a file named ‘update.zip’ from a seemingly legitimate source. Despite its name, ‘update.zip’ was a zlib-compressed stream rather than a genuine ZIP archive; it decompressed to a dropper that injected the Korplug backdoor into the victim’s system.
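A practical triage check that falls out of the paragraph above: a download called ‘update.zip’ that is really a raw zlib stream does not carry the ZIP local-file-header magic, so the two can be told apart from the first few bytes, and a zlib stream that decompresses to something starting with ‘MZ’ (a Windows PE executable) deserves a closer look. The following is an added example written for this article, not code from Symantec’s report or from Carderbee’s tooling; the sample inputs are constructed in-memory stand-ins, not the real update.zip, and the PE-header check is a heuristic, not a full PE parse.

```python
"""Distinguish a genuine ZIP archive from a raw zlib stream masquerading as one.

Added example for this article; the sample blobs below are constructed here
and are NOT the real Carderbee 'update.zip'.
"""
import io
import zipfile
import zlib

# A real ZIP archive begins with the local file header signature "PK\x03\x04".
ZIP_MAGIC = b"PK\x03\x04"


def looks_like_zlib(data: bytes) -> bool:
    """Return True if the first two bytes form a valid zlib header (RFC 1950).

    CMF low nibble must be 8 (DEFLATE) and (CMF*256 + FLG) must be a multiple
    of 31; this is the header check zlib itself performs.
    """
    if len(data) < 2:
        return False
    cmf, flg = data[0], data[1]
    if cmf & 0x0F != 8:
        return False
    return (cmf * 256 + flg) % 31 == 0


def classify_update_blob(data: bytes) -> dict:
    """Classify a downloaded blob as 'zip', 'zlib' or 'unknown'.

    For a genuine ZIP the member names are listed; for a zlib stream the
    decompressed payload is checked for a PE 'MZ' header.
    """
    result = {"container": "unknown", "payload_is_pe": False, "members": []}
    if data.startswith(ZIP_MAGIC):
        result["container"] = "zip"
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            result["members"] = zf.namelist()
        return result
    if looks_like_zlib(data):
        try:
            payload = zlib.decompress(data)
        except zlib.error:
            return result  # header looked right but the stream is not valid zlib
        result["container"] = "zlib"
        result["payload_is_pe"] = payload.startswith(b"MZ")
    return result


def triage(name: str, data: bytes) -> str:
    """Flag files whose '.zip' name does not match their actual container."""
    info = classify_update_blob(data)
    if name.lower().endswith(".zip") and info["container"] != "zip":
        if info["payload_is_pe"]:
            return "suspicious: .zip name but raw zlib stream wrapping a PE"
        return "suspicious: .zip name but not a ZIP archive"
    return "ok"


def _build_sample_zip() -> bytes:
    """Constructed sample: a genuine one-member ZIP archive."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("update.txt", "benign update manifest\n")
    return buf.getvalue()


# Constructed samples (hypothetical data, not real malware):
GENUINE_ZIP = _build_sample_zip()
# A stand-in "executable": MZ header followed by the classic DOS stub text.
FAKE_PE = b"MZ" + b"\x90" * 62 + b"This program cannot be run in DOS mode.\r\n"
FAKE_ZLIB_PE = zlib.compress(FAKE_PE)          # zlib header 0x78 0x9c
NOT_AN_ARCHIVE = b"\x00\x01\x02\x03garbage"


if __name__ == "__main__":
    for name, blob in [("update.zip", GENUINE_ZIP),
                       ("update.zip", FAKE_ZLIB_PE),
                       ("update.zip", NOT_AN_ARCHIVE)]:
        print(name, classify_update_blob(blob), "->", triage(name, blob))
```

The container check is deliberately based on the first bytes rather than the file extension, because the extension is exactly what an attacker controls; in a detection pipeline the same logic can run over proxy or EDR file captures before any attempt to open the file as a ZIP.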
The Korplug sample analysed by Symantec can:
- Execute commands via the command prompt.
- Enumerate files.
- List running processes.
- Download files.
- Open firewall ports.
- Act as a keylogger.
The use of Microsoft-signed malware has been flagged as a growing concern in the cybersecurity landscape. Microsoft has acknowledged that several Windows Hardware Developer Program accounts were abused to sign malicious code, and a valid Microsoft signature makes such malware significantly harder for security software to flag.
The supply chain compromise and the abuse of legitimate certificates underscore the increasingly sophisticated techniques threat actors adopt to infiltrate systems and remain undetected.
While the Carderbee group has shown operational agility, numerous questions remain unanswered. Researchers are still uncertain which sectors were targeted and whether Carderbee is linked to other threat actors such as Budworm, which has also used Korplug. Security experts are actively monitoring the situation and sharing indicators of compromise to help the security community track and mitigate the threat.