12.20pm BST, 22 August 2023: Updated with additional IoCs
A previously unknown advanced persistent threat (APT) group used the legitimate Cobra DocGuard software to carry out a supply chain attack with the goal of deploying the Korplug backdoor (aka PlugX) onto victim computers.
In the course of this attack, the attackers used malware signed with a legitimate Microsoft certificate. Most of the victims in this campaign are based in Hong Kong, with some victims based in other regions of Asia.
Korplug is known to be used by multiple APT groups, but we could not link this activity to a known threat actor so we have given the actor behind this activity a new name — Carderbee.
Cobra DocGuard and Previous Activity
Cobra DocGuard Client is software produced by a China-based company called EsafeNet and appears to legitimately be used to protect, encrypt, and decrypt software. EsafeNet is owned by Chinese information security firm NSFOCUS.
According to a report from ESET, in September 2022, a malicious update to this software was used to compromise a gambling company in Hong Kong. The same gambling company had been compromised in September 2021 using the same technique by Budworm (aka LuckyMouse, APT27), which led ESET to attribute this September 2022 attack to Budworm too. In that attack, a new variant of the Korplug malware was also found. In that instance, it used the magic header “ESET”, indicating that it may have been modified to try to bypass ESET products.
A signed version of Korplug was also used in the activity investigated by the Symantec Threat Hunter Team, part of Broadcom. This activity began in April 2023. However, we did not find any other evidence to indicate that this attack was carried out by Budworm. Korplug is a backdoor that is known to be used by multiple APTs, including APT41 and Budworm. We do not have any indication of the industry sectors of the companies targeted in this recent activity, just their geographic location.
Accordingly, it was not possible to link this activity definitively to a known group, which is why we attributed it to a new group, Carderbee.
Malicious activity was seen on about 100 computers in impacted organizations; however, the Cobra DocGuard software was installed on around 2,000 computers, indicating that the attacker may be selectively pushing payloads to specific victims.
The malicious software was delivered to the following location on infected computers, which is what indicates that a supply chain attack or malicious configuration involving Cobra DocGuard is how the attackers compromised affected computers:
"csidl_system_drive\program files\esafenet\cobra docguard client\update"
Over a period of a few months in 2023, multiple distinct malware families were observed being deployed via this method. In one interesting case, a downloader deployed by the attackers had a digitally signed certificate from Microsoft, called Microsoft Windows Hardware Compatibility Publisher. This downloader was used to install the Korplug backdoor on targeted systems. The downloader attempted to download a file named update.zip from the following location: http://cdn.stream-amazon[.]com/update.zip.
The update.zip file is a zlib compressed archive file. It decompresses and executes a file named content.dll. This file is not saved on disk. It acts as a dropper and contains x64 and x86 drivers, which are dropped depending on the system environment. The dropper creates services and registry entries. The dropped drivers read encrypted data from the registry, decrypt it, and inject it into svchost.exe. The injected payload is the Korplug backdoor.
The Korplug sample downloaded here is able to:
- Execute commands via cmd
- Enumerate files
- Check running processes
- Download files
- Open firewall ports
- Act as a keylogger
Microsoft Certificate Abuse
Use of Microsoft-signed malware is a known problem. In December 2022, Mandiant noted a POORTRY driver sample signed with a Microsoft Windows Hardware Compatibility Authenticode signature. Most recently, in July 2023, Trend said that it had found a Microsoft-signed rootkit that appeared to have passed through the Windows Hardware Quality Labs (WHQL) process for getting a valid signature. Microsoft acknowledged the issue and said that drivers certified by Microsoft’s Windows Hardware Developer Program (MWHDP) were being used maliciously in post-exploitation activity.
The company said it had investigated the issue and “determined that the activity was limited to the abuse of several developer program accounts and that no Microsoft account compromise has been identified.” Malware signed with what appears to be a legitimate certificate can make it much harder for security software to detect.
Supply Chain Attack and Certificate Abuse
It seems clear that the attackers behind this activity are patient and skilled actors. They leverage both a supply chain attack and signed malware to carry out their activity in an attempt to stay under the radar. The fact that they appear to only deploy their payload on a handful of the computers they gain access to also points to a certain amount of planning and reconnaissance on behalf of the attackers behind this activity. Software supply chain attacks remain a major issue for organizations in all sectors, with multiple high-profile supply chain attacks occurring in the last 12 months, including the MOVEit, X_Trader, and 3CX attacks.
Some unanswered questions remain about the activity of Carderbee, such as what sectors the group was targeting with this activity, and whether there are any links between Carderbee and other actors such as Budworm.
Symantec researchers will continue to track this activity, and we share indicators of compromise below so our colleagues in the security community can do so as well.
For the latest protection updates, please visit the Symantec Protection Bulletin.
Indicators of Compromise
If an IOC is malicious and the file available to us, Symantec Endpoint products will detect and block that file.
SHA256 file hashes:
Remote IP addresses:
We encourage you to share your thoughts on your favorite social platform.