![](https://d15shllkswkct0.cloudfront.net/wp-content/blogs.dir/1/files/2023/08/carderbee.png)
An unknown advanced persistent threat group has been observed attacking organizations in Asia, particularly Hong Kong, using commercial software to deploy “backdoor” malware.
Dubbed “CarderBee” by researchers at Symantec, the hacking group uses Cobra DocGuard Client, a software package designed to allow users to access and manage their Consolidated Omnibus Budget Reconciliation Act documents, to gain access to victims’ machines.
The Cobra DocGuard Client is said to have been designed by Chinese company EsafeNet. That’s where the story gets interesting. According to the researchers, CarderBee uses PlugX, a malware family used by Chinese state-backed threat groups — so Chinese-designed software is being compromised by Chinese state-sponsored actors.
PlugX was previously in the news last year when a report from Proofpoint Inc. noted that a Chinese state-sponsored actor used the software in one of three campaigns. The campaign involved an APT initially using tracking pixels in benign emails to identify potential targets for future spear-phishing attacks before later sending malicious emails.
In the case of the CarderBee campaign, the APT is targeting the DocGuard software updater to deploy malware, including PlugX. The update arrives as a ZIP file from Amazon Web Services Inc., which, when decompressed, executes a file named “content.dll,” which in turn downloads the malware.
The downloader used in the attacks is signed with a Microsoft Windows Hardware Compatibility Publisher certificate, which makes it somewhat harder for antivirus and other security software to detect.
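The defensive counterpart to the update abuse described above is to verify a package against an independently published manifest before anything inside it runs, and to refuse any package that carries files the manifest does not list. The following is an added example written for this article; it is not code from Symantec, EsafeNet or the DocGuard product, and the manifest format, file names and file contents are constructed for illustration.

```python
"""
Audit an update package (ZIP) against a published manifest of expected
file names and SHA-256 hashes before any of its contents are executed.
Added example for the CarderBee article; it is not Symantec's, EsafeNet's
or DocGuard's code, and all names and hashes below are constructed.
"""
import hashlib
import io
import zipfile


def build_sample_package(files: dict[str, bytes]) -> bytes:
    """Build an in-memory ZIP from {name: content}; used only to construct demo input."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in files.items():
            zf.writestr(name, data)
    return buf.getvalue()


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def looks_like_pe(data: bytes) -> bool:
    """True if the bytes start with the 'MZ' DOS header that Windows EXE/DLL files carry."""
    return data[:2] == b"MZ"


def audit_update_package(zip_bytes: bytes, manifest: dict[str, str]) -> dict:
    """
    Compare every entry in the package with the manifest and return a report:
      ok         - entries whose name and SHA-256 match the manifest
      unexpected - entries absent from the manifest, flagged if they are PE files
      mismatched - manifest entries whose hash differs from the packaged file
      missing    - manifest entries the package does not contain
    """
    report = {"ok": [], "unexpected": [], "mismatched": [], "missing": []}
    seen = set()
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            data = zf.read(info)
            seen.add(info.filename)
            digest = sha256_hex(data)
            if info.filename not in manifest:
                report["unexpected"].append(
                    {"name": info.filename, "sha256": digest, "is_pe": looks_like_pe(data)})
            elif manifest[info.filename] != digest:
                report["mismatched"].append({"name": info.filename, "sha256": digest})
            else:
                report["ok"].append(info.filename)
    report["missing"] = sorted(set(manifest) - seen)
    return report


def package_is_acceptable(report: dict) -> bool:
    """Reject the package unless every file is known, unmodified and present."""
    return not (report["unexpected"] or report["mismatched"] or report["missing"])


# Constructed demo data: a benign update and the same update with an extra
# DLL inserted, mirroring the pattern in the article (a ZIP whose expansion
# leads to an unexpected "content.dll" being executed).
LEGIT_FILES = {
    "update/readme.txt": b"Constructed update notes\n",
    "update/config.xml": b"<config version='1'/>\n",
}
MANIFEST = {name: sha256_hex(data) for name, data in LEGIT_FILES.items()}

TAMPERED_FILES = dict(LEGIT_FILES)
TAMPERED_FILES["update/content.dll"] = b"MZ" + b"\x00" * 62  # constructed stand-in for a PE file

if __name__ == "__main__":
    for label, files in (("legit", LEGIT_FILES), ("tampered", TAMPERED_FILES)):
        rep = audit_update_package(build_sample_package(files), MANIFEST)
        verdict = "ACCEPT" if package_is_acceptable(rep) else "REJECT"
        print(f"{label}: {verdict} unexpected={rep['unexpected']} mismatched={rep['mismatched']}")
```

The manifest must come from a channel the update server cannot tamper with (fetched separately and signature-checked, or pinned at install time); otherwise an attacker who controls the update path can rewrite both the package and the list it is checked against. The PE flag on unexpected entries is there so that a stray executable is the first thing an analyst sees in the report, regardless of what extension it was given.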
Though the Symantec researchers first spotted signs of CarderBee in April, this isn’t the first time Cobra DocGuard Client has been targeted. An ESET s.r.o. report in 2022 detailed how the same software was targeted to hack a gambling company. The ESET report attributed that attack to Budworm, also known as LuckyMouse or APT27, an allegedly Chinese-sponsored state actor.
The timing of the attack may not have been coincidental and has been suggested by some to be part of broader geopolitical tensions.
“This campaign coincides with the summit at Camp David last weekend between the leaders of Japan, South Korea and the U.S.,” Tom Kellermann, senior vice president of cyber strategy at cybersecurity company Contrast Security Inc., told SiliconANGLE. “The Chinese have ramped up systemic cyberattacks against the U.S.”
Kellermann added that “the director of CISA recently testified and expressed her concern with an escalation of Chinese attacks against critical infrastructure due to geopolitical tension. Microsoft is being used to island hop into government and other critical infrastructure. I am very concerned that this will escalate to include integrity attacks.”