New APT Group Launches Supply Chain Campaign

Written by

A newly discovered APT group has been spotted using commercial software to deploy backdoor malware to targeted victims in Hong Kong and elsewhere in Asia.

Symantec revealed in a new report today that although use of the Korplug backdoor has been traced in the past to multiple groups, it could not link the current activity to any known entity.

It named the new actor “Carderbee” and claimed it is using legitimate Cobra DocGuard Client software developed by Chinese firm EsafeNet to get the backdoor onto victims’ machines.

The developer, owned by cybersecurity firm NSFOCUS, has had its software used maliciously in the past. ESET claimed in September last year that a malicious update of the same Cobra DocGuard Client was used to compromise a gambling firm in Hong Kong.

Read more on software supply chain campaigns: US Spy Agencies Investigate Kaseya Supply Chain Attack

“Malicious activity was seen on about 100 computers in impacted organizations; however, the Cobra DocGuard software was installed on around 2,000 computers, indicating that the attacker may be selectively pushing payloads to specific victims,” said Symantec of the newly discovered campaign.

“Over a period of a few months in 2023, multiple distinct malware families were observed being deployed via this method.”

In one of these cases, a downloader deployed by the group was found to feature a digitally signed certificate from Microsoft: Microsoft Windows Hardware Compatibility Publisher. That downloader was subsequently used to deploy Korplug, Symantec said.

The backdoor malware can be used to execute commands, enumerate files, check running processes, download files, open firewall ports and act as a keylogger, suggesting the intent here is cyber-espionage.

However, it’s unclear what sector(s) Carderbee is targeting with this campaign, or whether there are links between itself and other groups.

Last week, SentinelLabs revealed a new Chinese espionage campaign targeting Asian gambling companies, which it suspects is the work of the Bronze Starlight group.

What’s hot on Infosecurity Magazine?