New Threat Cluster Linked to Software Supply Chain Attack in Asia

A previously undocumented threat cluster has been discovered in a software supply chain attack that primarily targets organizations in Hong Kong and other Asian regions. The activity, known as Carderbee, is being tracked by the Symantec Threat Hunter Team.

The attacks involve the use of a trojanized version of the legitimate software EsafeNet Cobra DocGuard Client to deliver the PlugX backdoor on victim networks. What makes this attack particularly concerning is that the malware is signed with a legitimate Microsoft certificate, making it harder to detect.

This is not the first time that the use of Cobra DocGuard Client in supply chain attacks has come to light. ESET previously reported on a September 2022 intrusion in which a Hong Kong gambling company was compromised by a malicious update pushed by the software. The same company fell victim to a similar attack in September 2021, indicating that it may be a target of choice for threat actors.

While the latest campaign discovered by Symantec in April 2023 shows similarities to previous attacks, it is difficult to attribute it conclusively to the same threat actor. The use of PlugX by multiple China-linked hacking groups further complicates attribution.

Around 100 computers in the targeted organizations are believed to have been infected, despite the Cobra DocGuard Client being installed on approximately 2,000 endpoints. This suggests that the attackers had a specific focus.

The implant deployed in the attack gives the threat actors a backdoor on infected hosts, enabling them to install additional payloads, execute commands, capture keystrokes, and more. It highlights the continued use of Microsoft-signed malware to bypass security protections.
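The article's point about signed malware has a practical consequence for anyone who ships or consumes software updates: a signature that chains to a trusted root proves only that some trusted CA issued the certificate, not that the expected vendor signed the file. The check below is an added example written for this page, not code from Symantec, ESET or the Cobra DocGuard vendor. It pins the expected publisher by certificate thumbprint in addition to requiring a valid Authenticode chain, so a trojanized update carrying a legitimate but unexpected signer is flagged. The thumbprints and the staging directory are placeholders, and the real values would have to be obtained from the vendor out of band.

```powershell
# Added example (not from the article): pin the expected publisher of a
# software update instead of trusting "signature is valid" on its own.
# The thumbprints passed in are placeholders; replace them with the vendor's
# real code-signing certificate thumbprints obtained out of band.
function Test-ExpectedPublisher {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$Path,
        [Parameter(Mandatory)][string[]]$ExpectedThumbprints
    )

    $sig  = Get-AuthenticodeSignature -FilePath $Path
    $hash = (Get-FileHash -Path $Path -Algorithm SHA256).Hash

    $thumb   = if ($sig.SignerCertificate) { $sig.SignerCertificate.Thumbprint } else { $null }
    $subject = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject }    else { $null }

    # Status -eq 'Valid' only says the chain builds to a trusted root. A
    # trojanized update signed by a legitimate but unexpected certificate
    # passes that test, so the pinned thumbprint is required as well.
    $pinned = $thumb -and ($ExpectedThumbprints -contains $thumb)

    [PSCustomObject]@{
        Path       = $Path
        Sha256     = $hash
        Status     = $sig.Status
        Subject    = $subject
        Thumbprint = $thumb
        Allowed    = ($sig.Status -eq 'Valid') -and $pinned
    }
}

# Usage: evaluate every binary an updater has staged and list the ones that
# must not run. The directory and thumbprints below are placeholders.
$expected = @('PLACEHOLDER_VENDOR_THUMBPRINT_1', 'PLACEHOLDER_VENDOR_THUMBPRINT_2')
Get-ChildItem -Path 'C:\ProgramData\ExampleUpdater\staging' -Include *.exe,*.dll -Recurse -File |
    ForEach-Object { Test-ExpectedPublisher -Path $_.FullName -ExpectedThumbprints $expected } |
    Where-Object { -not $_.Allowed } |
    Format-Table Path, Status, Subject, Thumbprint -AutoSize
```

The SHA-256 hash is recorded alongside the verdict so that a flagged file can be compared against the vendor's published release hashes and against published indicators of compromise during an investigation. Pinning by thumbprint means the allowlist has to be updated whenever the vendor rotates its signing certificate, which is the intended trade-off: a rotation that nobody announced is exactly the event this check should surface.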

Details about Carderbee and its ultimate goals, as well as its possible connections to the Lucky Mouse threat actor, remain undisclosed. However, Symantec notes that the attackers are patient and skilled, using supply chain attacks and signed malware to stay under the radar.

The discovery of this new threat cluster serves as a reminder of the importance of cybersecurity and the need for organizations to remain vigilant against supply chain attacks.

The post New Threat Cluster Linked to Software Supply Chain Attack in Asia appeared first on satProviders.