Security News > 2023 > August > Carderbee hacking group hits Hong Kong orgs in supply chain attack
A previously unidentified APT hacking group named 'Carderbee' was observed attacking organizations in Hong Kong and other regions in Asia, using legitimate software to infect targets' computers with the PlugX malware.
Symantec reports that the legitimate software used in the supply chain attack is Cobra DocGuard, created by Chinese developer' EsafeNet,' and used in security applications for data encryption/decryption.
The fact that Carderbee uses PlugX, a malware family widely shared among Chinese state-backed threat groups, indicates that this novel group is likely linked to the Chinese threat ecosystem.
For those targeted devices, Carderbee used the DocGuard software updater to deploy a range of malware strains, including PlugX. However, it remains unclear how the threat actors were able to conduct the supply chain attack using the legitimate updater.
Interestingly, the downloader for PlugX malware is digitally signed using a certificate from Microsoft, specifically Microsoft Windows Hardware Compatibility Publisher, making detecting the malware more challenging.
The use of a supply chain attack and signed malware makes this new threat very stealthy, and the selective deployment of malware indicates high-level preparation and reconnaissance.
News URL
Related news
- LottieFiles hit in npm supply chain attack targeting users' crypto (source)
- LottieFiles hacked in supply chain attack to steal users’ crypto (source)
- LottieFiles supply chain attack exposes users to malicious crypto wallet drainer (source)
- Blue Yonder ransomware attack disrupts grocery store supply chain (source)
- OpenWrt orders router firmware updates after supply chain attack scare (source)
- Update your OpenWrt router! Security issue made supply chain attack possible (source)
- US sanctions Chinese firm for hacking firewalls in ransomware attacks (source)
- Ultralytics Supply-Chain Attack (source)
- 390,000 WordPress accounts stolen from hackers in supply chain attack (source)
- Rspack npm Packages Compromised with Crypto Mining Malware in Supply Chain Attack (source)