The previously undocumented threat group has been linked to software supply chain attacks primarily targeting organizations based in Hong Kong and other regions of Asia.
The Symantec Threat Hunter team, part of Broadcom, is tracking the activity under its insect-themed alias Carderbee.
According to the cybersecurity firm, the attacks take advantage of a Trojan version of legitimate software called the EsafeNet Cobra DocGuard Client to deliver a known backdoor called PlugX (aka korPlug) onto victims’ networks.
“During this attack, the attackers used malware signed with a valid Microsoft certificate,” the company said in a report.
The use of Cobra DocGuard Client to pull off a supply chain attack was previously highlighted by ESET in its quarterly Threat Report this year, which detailed a September 2022 intrusion in which an unnamed gambling company in Hong Kong was compromised via a malicious update pushed by the software.
The same company is said to have been infected earlier in September 2021 using the same technique. The attack, linked to a Chinese threat actor named Lucky Mouse (aka APT27, Budworm, or Emissary Panda), ultimately led to the deployment of PlugX.
However, the latest campaign spotted by Symantec in April 2023 exhibits too few similarities to link it to the same actor. Furthermore, the fact that PlugX is used by various hacking groups linked to China makes attribution difficult.
At least 100 computers in affected organizations are said to have been infected, although the Cobra DocGuard client application was installed on approximately 2,000 endpoints, suggesting a narrower focus.
“The malicious software was distributed on infected computers at the following location, which indicates that attackers compromised affected computers due to a supply chain attack or malicious configuration involving Cobra DocGuard: ‘csidl_system_drive\program files\esafenet\cobra docguard client\update’,” Symantec said.
In one instance, the breach served as a means to deploy a downloader with a digitally signed certificate from Microsoft, which was then used to retrieve and install PlugX from a remote server.
The modular implant gives attackers a covert backdoor on infected platforms so they can install additional payloads, execute commands, capture keystrokes, enumerate files and track running processes.
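A defender-side check derived from the drop location and the signed-malware detail above. This is an added example, not code from Symantec or the report; it runs over constructed file-creation events (not real telemetry), assumes CSIDL_SYSTEM_DRIVE resolves to C:\, and assumes the legitimate updater is signed by the EsafeNet vendor, so any executable in the update directory carrying a different signer (or none) is flagged for review.

```python
"""Flag executables written to the Cobra DocGuard update directory by an
unexpected signer. Sample events below are constructed for this example."""
import json
from pathlib import PureWindowsPath

# Drop path quoted in the report; CSIDL_SYSTEM_DRIVE assumed to be C:\
DROP_DIR = PureWindowsPath(r"C:\Program Files\EsafeNet\Cobra DocGuard Client\update")
EXEC_EXTS = {".exe", ".dll", ".sys"}
# Assumption: the vendor signs its own updater, so a signer that does not
# match the vendor name is the anomaly to review (e.g. a Microsoft-signed
# file dropped into a third-party product's update folder).
EXPECTED_SIGNER_SUBSTRING = "esafenet"

# Constructed newline-delimited JSON events (host, file path, Authenticode signer).
SAMPLE_EVENTS = "\n".join(json.dumps(e) for e in [
    {"host": "ws01", "path": r"C:\Program Files\EsafeNet\Cobra DocGuard Client\update\docguard_update.exe",
     "signer": "EsafeNet Co., Ltd."},
    {"host": "ws02", "path": r"C:\Program Files\EsafeNet\Cobra DocGuard Client\update\svc.dll",
     "signer": "Microsoft Corporation"},  # constructed mismatch: Microsoft-signed file in the vendor's update dir
    {"host": "ws03", "path": r"C:\Program Files\EsafeNet\Cobra DocGuard Client\update\readme.txt",
     "signer": None},
    {"host": "ws04", "path": r"C:\Users\bob\Downloads\tool.exe", "signer": None},
])


def in_drop_dir(path: str) -> bool:
    """Case-insensitive check that the file sits directly in DROP_DIR."""
    parent = PureWindowsPath(path).parent
    return [s.lower() for s in parent.parts] == [s.lower() for s in DROP_DIR.parts]


def find_suspicious(events_ndjson: str):
    """Return (host, filename, signer) for executables in DROP_DIR whose
    signer does not contain the expected vendor string."""
    hits = []
    for line in events_ndjson.splitlines():
        ev = json.loads(line)
        p = PureWindowsPath(ev["path"])
        if p.suffix.lower() not in EXEC_EXTS or not in_drop_dir(ev["path"]):
            continue
        signer = ev.get("signer") or ""
        if EXPECTED_SIGNER_SUBSTRING not in signer.lower():
            hits.append((ev["host"], p.name, signer or "unsigned"))
    return hits


if __name__ == "__main__":
    for host, name, signer in find_suspicious(SAMPLE_EVENTS):
        print(f"REVIEW {host}: {name} signed by {signer}")
```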
The findings highlight the continued use of Microsoft-signed malware by threat actors to conduct post-exploitation activities and bypass security protections.
Having said that, it is unclear where Carderbee is located or what its ultimate goals are, or whether it has any connection to Lucky Mouse. Many other details about the group remain unknown.
“It appears clear that the attackers behind this activity are patient and skilled actors,” Symantec said. “They leverage both supply chain attacks and signed malware to carry out their activity in an effort to remain under the radar.”
“The fact that they deployed their payloads on only a small number of computers that they had access to, points to a certain amount of planning and reconnaissance on the part of the attackers behind this activity.”