Carderbee APT, a previously unidentified hacking group, has targeted Hong Kong-based organisations with a new supply chain campaign. The researchers observed that the group abused legitimate software to implant the PlugX malware on the targeted computers.
Recent observations also showed that the group targeted the neighbouring countries of Hong Kong.
Carderbee APT uses legitimate software in its campaigns.
The Carderbee APT group employs the legitimate software, Cobra DocGuard, in its supply chain campaign. A Chinese company developed this software as a security solution for data encryption and decryption tasks.
The Cobra DocGuard app is present on about 2,000 computers, but only a hundred of these devices display signs of malicious activity. This discrepancy suggests that the threat actors are selective about which targets they compromise.
Further research also reveals that the APT group leveraged the legitimate software updater to push various malware strains, such as PlugX. The downloader used to deliver PlugX carries a digital signature from Microsoft Windows Hardware Compatibility Publisher. This signature helps the malware evade scrutiny and makes threat analysis more complex.
Separate research had already reported incidents of this kind in September last year. That report stated that the attackers used a malicious update of the DocGuard software to infect Hong Kong-based gambling organisations.
The researchers also noted that the same gambling company had fallen victim to a similar operation in 2021. The difference between the campaigns is that, in the 2021 case, the researchers were able to identify the attackers as the Budworm group. Hence, the analysts attributed the 2022 attack to the same cybercriminal gang.
Unfortunately, no substantial evidence links the latest campaign to the Budworm group, since the newest supply chain attacks used the PlugX malware to infiltrate the targeted entities.
These details show that the attackers are skilled and patient. They combined a supply chain compromise with digitally signed malware to evade security detection throughout their campaign.
Software supply chain attacks continue to compromise numerous organisations across industries worldwide. Experts suggest that every entity should strengthen its supply chain security through vendor assessments and continuous monitoring.