CarderBee hacking group targets organizations in Asia
An unknown advanced persistent threat group has been observed attacking organizations in Asia, particularly Hong Kong, using commercial software to deploy “backdoor” malware.
Dubbed “CarderBee” by researchers at Symantec, the hacking group uses Cobra DocGuard Client, a software package designed to allow users to access and manage their Consolidated Omnibus Budget Reconciliation Act documents to gain access to victim’s machines.
The Cobra DocGuard Client is said to have been designed by Chinese company EsafeNet. That’s where the story gets interesting. According to the researchers, CarderBee uses PlugX, a malware family used by Chinese state-backed threat groups — so Chinese-designed software is being compromised by Chinese state-sponsored actors.
PlugX was previously in the news last year when a report from Proofpoint Inc. noted that a Chinese state-sponsored actor used the software in one of three campaigns. The campaign involved an APT initially using tracking pixels in benign emails to identify potential targets for future spear-phishing attacks before later sending malicious emails.
In the case of the CarderBee campaign, the APT is targeting the DocGuard software updater to deploy malware, including PlugX. The update arrives as a ZIP file from Amazon Web Services Inc. which, when decompressed, executes a file named “content.dll,” which downloads the malware.
The downloader used in the attacks includes a Microsoft Windows Hardware Compatibility Publisher digitally signed certificate, making it somewhat more difficult for antivirus and other security software to detect.
Though the Symantec researchers first spotted signs of Carderbee in April, this isn’t the first time Cobra DocGuard Client has been targeted. An ESET s.r.o. report in 2022 detailed how the same software was targeted to hack a gambling company. The ESET report attributed that attack to Budworm, also known as LuckyMouse or APT 27, an allegedly Chinese-sponsored state actor.
The timing of the attack may not have been coincidental and has been suggested by some to be part of broader geopolitical tensions.
“This campaign coincides with the summit at Camp David last weekend between the leaders of Japan, South Korea and the U.S.,” Tom Kellermann, senior vice president of cyber strategy at cybersecurity company Contrast Security Inc., told SiliconANGLE. “The Chinese have ramped up systemic cyberattacks against the U.S.”
Kellermann added that “the director of CISA recently testified and expressed her concern with an escalation of Chinese attacks against critical infrastructure due to geopolitical tension. Microsoft is being used to island hop into government and other critical infrastructure. I am very concerned that this will escalate to include integrity attacks.”
Image: Bing Image Creator
A message from John Furrier, co-founder of SiliconANGLE:
Your vote of support is important to us and it helps us keep the content FREE.
One click below supports our mission to provide free, deep, and relevant content.
Join our community on YouTube
Join the community that includes more than 15,000 #CubeAlumni experts, including Amazon.com CEO Andy Jassy, Dell Technologies founder and CEO Michael Dell, Intel CEO Pat Gelsinger, and many more luminaries and experts.
THANK YOU