Carderbee, a newly identified APT group, has carried out a supply chain attack against organizations in Asia, including Hong Kong. The group delivered the PlugX backdoor by abusing legitimate software, specifically Cobra DocGuard, a data encryption/decryption product made by the Chinese company EsafeNet.
Chinese Suspicions: Carderbee’s PlugX Link Raises Eyebrows
Carderbee's use of PlugX, a backdoor frequently associated with threat actors backed by the Chinese state, points to possible ties to the Chinese threat landscape. Symantec first observed Carderbee's activity in April 2023, while a September 2022 ESET report on earlier abuse of Cobra DocGuard suggests the operation may date back to September 2021.
By abusing the DocGuard update mechanism, the attackers pushed malicious updates to a small set of high-value targets. The PlugX payload is downloaded from the innocuous-looking URL "cdn.streamamazon[.]com/update.zip", a domain name that blends in with legitimate CDN traffic and makes the download easy to overlook.
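As an added example (not part of the original report, nor tooling from Symantec or ESET), the following Python script shows how a defender might hunt for that download URL in web-proxy logs. The proxy log format and the sample log lines are constructed for the demonstration; the only real indicator is the defanged URL quoted above.

```python
"""Added example: hunting for the Carderbee download URL in web-proxy logs.

Illustrative code written for this article, not a tool from Symantec or ESET.
The log format (a simplified proxy-style line: timestamp, client IP, method,
URL, status) and the sample lines are constructed for the demonstration. Only
the indicator itself, cdn.streamamazon[.]com/update.zip, comes from the
reporting on the campaign.
"""
import re
from urllib.parse import urlparse

# Indicator as published, in defanged form. It is refanged before matching so
# analysts can paste IOCs straight from a report.
DEFANGED_IOCS = ["cdn.streamamazon[.]com/update.zip"]


def refang(ioc: str) -> str:
    """Turn 'hxxp://evil[.]com' style indicators back into matchable strings."""
    return (ioc.replace("[.]", ".")
               .replace("(.)", ".")
               .replace("hxxp://", "http://")
               .replace("hxxps://", "https://"))


def split_ioc(ioc: str):
    """Return (host, path) for a URL-style indicator; path may be empty."""
    clean = refang(ioc)
    if "://" not in clean:
        clean = "http://" + clean  # scheme needed for urlparse to see a host
    parsed = urlparse(clean)
    return parsed.hostname.lower(), parsed.path


# Constructed proxy log format: "<epoch> <client_ip> <method> <url> <status>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<method>[A-Z]+)\s+(?P<url>\S+)\s+(?P<status>\d{3})$"
)


def find_hits(log_lines, iocs=DEFANGED_IOCS):
    """Return [(client_ip, url)] for lines whose host equals an IOC host or is a
    subdomain of it and, when the IOC carries a path, whose path matches too.
    Subdomain matching is a deliberate choice to catch host variants."""
    targets = [split_ioc(i) for i in iocs]
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # skip malformed lines rather than abort the whole run
        parsed = urlparse(m.group("url"))
        host = (parsed.hostname or "").lower()
        for ioc_host, ioc_path in targets:
            host_match = host == ioc_host or host.endswith("." + ioc_host)
            path_match = (not ioc_path) or parsed.path == ioc_path
            if host_match and path_match:
                hits.append((m.group("client"), m.group("url")))
                break
    return hits


# Constructed sample lines: one true hit, one look-alike legitimate CDN request,
# one request to the same host with a different path, one subdomain hit, and
# one garbage line that must not crash the scan.
SAMPLE_LOG = [
    "1681900000 10.0.4.17 GET http://cdn.streamamazon.com/update.zip 200",
    "1681900001 10.0.4.18 GET https://cdn.amazon.com/update.zip 200",
    "1681900002 10.0.4.19 GET http://cdn.streamamazon.com/index.html 404",
    "1681900003 10.0.4.20 GET http://dl.cdn.streamamazon.com/update.zip 200",
    "not a log line",
]

if __name__ == "__main__":
    for client, url in find_hits(SAMPLE_LOG):
        print(f"ALERT client={client} url={url}")
```

Matching on the full host plus path, rather than on the bare string "update.zip", keeps the alert specific to the published indicator while still catching subdomain variants of the same host; a real deployment would feed the scanner from the proxy or DNS logs and alert on any hit.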
Notably, the PlugX component is signed with a Microsoft certificate, which adds to the operation's sophistication and helps it evade detection, since many controls treat a validly signed binary as trustworthy. This fits a trend Microsoft itself described in 2022: attackers abusing legitimate developer accounts and code-signing certificates to sign malicious code. The practical lesson for defenders is that a valid signature establishes who signed a file, not that the file is benign, so allow-listing on publisher alone is not sufficient.
The PlugX backdoor deployed by Carderbee supports a range of malicious actions, including command execution, keylogging, manipulating firewall rules (such as opening ports), and downloading files. The group's exact objectives and affiliations remain unknown, including whether it is connected to the "Budworm" group.
The use of a supply chain attack to distribute signed malware highlights Carderbee's advanced tradecraft and points to careful planning and reconnaissance. Given the constantly evolving threat landscape, organizations need strong security controls, including scrutiny of software update channels and of signed binaries, to counter such stealthy attackers.