Security News > 2023 > August > Carderbee hacking group hits Hong Kong orgs in supply chain attack
A previously unidentified APT hacking group named 'Carderbee' was observed attacking organizations in Hong Kong and other regions in Asia, using legitimate software to infect targets' computers with the PlugX malware.
Symantec reports that the legitimate software used in the supply chain attack is Cobra DocGuard, created by Chinese developer' EsafeNet,' and used in security applications for data encryption/decryption.
The fact that Carderbee uses PlugX, a malware family widely shared among Chinese state-backed threat groups, indicates that this novel group is likely linked to the Chinese threat ecosystem.
For those targeted devices, Carderbee used the DocGuard software updater to deploy a range of malware strains, including PlugX. However, it remains unclear how the threat actors were able to conduct the supply chain attack using the legitimate updater.
Interestingly, the downloader for PlugX malware is digitally signed using a certificate from Microsoft, specifically Microsoft Windows Hardware Compatibility Publisher, making detecting the malware more challenging.
The use of a supply chain attack and signed malware makes this new threat very stealthy, and the selective deployment of malware indicates high-level preparation and reconnaissance.
News URL
Related news
- Ripple's xrpl.js npm Package Backdoored to Steal Private Keys in Major Supply Chain Attack (source)
- Ripple NPM supply chain attack hunts for private keys (source)
- Magento supply chain attack compromises hundreds of e-stores (source)
- Malicious Go Modules Deliver Disk-Wiping Linux Malware in Advanced Supply Chain Attack (source)
- Supply chain attack hits npm package with 45,000 weekly downloads (source)
- RVTools hit in supply chain attack to deliver Bumblebee malware (source)
- DragonForce ransomware abuses SimpleHelp in MSP supply chain attack (source)