Carderbee Attack: Hong Kong organizations targeted via malicious software update – HacksByte

A previously undocumented threat group has been linked to software supply chain attacks primarily targeting organizations based in Hong Kong and other parts of Asia.

The Symantec Threat Hunter team, part of Broadcom, is tracking the activity under its insect-themed alias Carderbee.

According to the cybersecurity firm, the attacks take advantage of a trojanized version of a legitimate piece of software, the EsafeNet Cobra DocGuard Client, to deliver a known backdoor called PlugX (aka Korplug) onto victims' networks.

"During this attack, the attackers used malware signed with a valid Microsoft certificate," the company said in a report.

The use of Cobra DocGuard Client to pull off a supply chain attack was previously highlighted by ESET in its quarterly Threat Report this year, which detailed a September 2022 intrusion in which an unnamed gambling company in Hong Kong was compromised via a malicious update pushed through the software.

The same company is said to have been infected earlier, in September 2021, using the same technique. That attack, linked to a Chinese threat actor named Lucky Mouse (aka APT27, Budworm, or Emissary Panda), ultimately led to the deployment of PlugX.

However, the latest campaign, spotted by Symantec in April 2023, exhibits too few similarities to link it to the same actor. Furthermore, the fact that PlugX is shared by several China-linked hacking groups makes attribution difficult.

At least 100 computers in affected organizations are said to have been infected, although the Cobra DocGuard Client application was installed on approximately 2,000 endpoints, suggesting that the attackers deliberately deployed their payloads to a narrow set of targets.

"The malicious software was distributed on infected computers at the following location, which indicates that attackers compromised affected computers due to a supply chain attack or malicious configuration involving Cobra DocGuard: 'csidl_system_drive\program files\esafenet\cobra docguard client\update'," Symantec said.

In one instance, the breach served as a means to deploy a downloader digitally signed with a Microsoft certificate, which was then used to retrieve and install PlugX from a remote server.
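The update directory quoted above is the one concrete host-based indicator the report gives, so the first question a responder will ask is "what is sitting in that folder on each of our endpoints, and does it match across hosts?" The following PowerShell triage script is an added example written for this article; it is not Symantec's or EsafeNet's tooling and the report does not describe any such script. It assumes the client is installed at the default path the report quotes (with `csidl_system_drive` taken to mean `$env:SystemDrive`) and that the script runs locally on each endpoint with read access to that directory. It records each file's SHA-256 hash and Authenticode signature so the inventories can be compared fleet-wide; as the article notes, a valid Microsoft signature is not proof of a benign file, so the signer is recorded for comparison rather than used as an allow rule.

```powershell
# Added triage script for the Cobra DocGuard update directory named in the report.
# Not from Symantec or EsafeNet. The path below is the one quoted in the report
# ('csidl_system_drive' == $env:SystemDrive); adjust if the product was installed
# elsewhere. NTFS paths are case-insensitive, so the report's lowercase form is fine.
$UpdateDir = Join-Path $env:SystemDrive 'program files\esafenet\cobra docguard client\update'

function Get-DocGuardUpdateInventory {
    param(
        [string]$Path = $UpdateDir,
        # Extensions that can carry executable code; these are the files to look at first.
        [string[]]$ExecutableExtensions = @('.exe', '.dll', '.sys', '.ocx', '.scr', '.ps1', '.vbs', '.js')
    )

    if (-not (Test-Path -LiteralPath $Path)) {
        Write-Warning "Update directory not found: $Path"
        return @()
    }

    Get-ChildItem -LiteralPath $Path -File -Recurse -Force | ForEach-Object {
        # Authenticode status: Valid, NotSigned, HashMismatch, NotTrusted, ...
        $sig = Get-AuthenticodeSignature -FilePath $_.FullName
        [pscustomobject]@{
            Host         = $env:COMPUTERNAME
            Path         = $_.FullName
            SizeBytes    = $_.Length
            LastWriteUtc = $_.LastWriteTimeUtc
            Sha256       = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash
            Executable   = ($ExecutableExtensions -contains $_.Extension.ToLower())
            SigStatus    = $sig.Status
            Signer       = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
            SignerThumb  = if ($sig.SignerCertificate) { $sig.SignerCertificate.Thumbprint } else { $null }
        }
    }
}

# Show executables newest-first for a quick eyeball, then write a per-host CSV so the
# inventories can be diffed across machines running the same client version.
# A 'Valid' status, Microsoft's signature included, is NOT evidence the file is benign:
# the campaign's downloader carried a valid Microsoft signature. Files present on a few
# hosts but absent on the rest, or signers that differ between hosts, are the lead to chase.
$inventory = Get-DocGuardUpdateInventory
$inventory | Where-Object { $_.Executable } |
    Sort-Object LastWriteUtc -Descending |
    Format-Table Path, LastWriteUtc, SigStatus, Signer, Sha256 -AutoSize
$inventory | Export-Csv -NoTypeInformation -Path (Join-Path $env:TEMP "docguard-update-$env:COMPUTERNAME.csv")
```

Run it under an account that can read the Program Files tree, collect the per-host CSVs centrally, and group by Sha256: in a fleet where the vendor update mechanism is working normally, every host on the same client version should hold the same set of hashes, and any outlier is worth pulling for analysis.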

The modular implant gives attackers a covert backdoor on infected hosts through which they can install additional payloads, execute commands, capture keystrokes, enumerate files and track running processes.

The findings highlight the continued use of Microsoft-signed malware by threat actors to conduct post-exploitation activities and bypass security protections.

That said, it is unclear where Carderbee is based, what its ultimate goals are, or whether it has any connection to Lucky Mouse. Many other details about the group remain unknown.

"It appears clear that the attackers behind this activity are patient and skilled actors," Symantec said. "They leverage both supply chain attacks and signed malware to carry out their activity in an effort to remain under the radar."

“The fact that they deployed their payloads on only a small number of computers that they had access to, points to a certain amount of planning and reconnaissance on the part of the attackers behind this activity.”
