Chinese APT Targets Hong Kong in Supply Chain Attack

Published : 23/11/2024   Category : security




Dubbed Carderbee, the group used legitimate software and Microsoft-signed malware to spread the Korplug/PlugX backdoor to various Asian targets.



An emerging China-backed advanced persistent threat (APT) group targeted organizations in Hong Kong in a supply chain attack that leveraged legitimate software to deploy the PlugX/Korplug backdoor, researchers have found.
The group, which researchers have dubbed Carderbee, used a compromised version of Cobra DocGuard — an application for protecting, encrypting, and decrypting software, produced by the Chinese firm EsafeNet — to gain access to victims' networks, the Symantec Threat Hunter Team revealed in a blog post published today.
During the attack, the group used as its PlugX installer malware signed with a certificate from another legitimate entity, Microsoft, in an abuse of Microsoft's Windows Hardware Developer Program, a weakness already known to the software vendor.
"The use of the Microsoft Windows Hardware Compatibility Publisher certificate as part of the attack makes it more challenging for defenders, as malware signed with what appears to be a legitimate certificate can be much harder for security software to detect," notes Brigid O'Gorman, senior intelligence analyst at Broadcom's Symantec Threat Hunter Team.
In total, the researchers observed malicious activity on about 100 computers in impacted organizations; however, the Cobra DocGuard software was installed on about 2,000 computers. "This indicates that the APT may be selectively pushing payloads to specific victims — a common tactic in supply chain attacks," O'Gorman says.
"Typically, the compromised software is downloaded onto a large number of computers due to the nature of supply chain attacks, but further malicious activity may be only seen on a small percentage of compromised machines," she explains.
The attack is not the first time that threat actors have used Cobra DocGuard in a supply chain campaign, the researchers said. PlugX also is familiar malware; Chinese threat actors, including BlackFly and MustangPanda, already have wielded the remote access Trojan (RAT) in a number of attacks this year.
Recent attacks have also used a combination of Cobra DocGuard and PlugX similar to the one in this attack. In September, threat activity attributed to Budworm (aka LuckyMouse, APT27) used a malicious update to Cobra DocGuard to compromise a gambling company in Hong Kong, then deployed a new variant of Korplug/PlugX, according to ESET.
Indeed, while Carderbee shares similarities with other known adversaries backed by China, "these links weren't strong enough to definitively link this activity to a known group," O'Gorman says.
"Crossover of TTPs and infrastructure among threat actors operating out of China isn't unusual, which can make attribution of attacks challenging," she says. "Korplug is a backdoor that is known to be used by multiple APTs, not just Budworm, but also APT41 and others."
The researchers are also unsure of the attack's motive, though PlugX/Korplug is typically used in cyber espionage attacks, which themselves are typical of Chinese threat actors. "However, with the information we have currently, we couldn't rule out other possible motivations, such as financial," O'Gorman adds.
The attack occurred over several months, during which researchers observed the delivery of a malicious version of Cobra DocGuard to the following location on infected computers at victim organizations: csidl_system_drive\program files\esafenet\cobra docguard client\update. While most of the victims were based in Hong Kong, the rest were scattered around Asia.
Attackers delivered multiple distinct malware families via this method, including the downloader for PlugX/Korplug that was digitally signed with a certificate from Microsoft.
The backdoor sample observed in the attack had various functions: it could execute commands via cmd, enumerate files, check running processes, download files, open firewall ports, and act as a keylogger.
Further, while the researchers know that a compromised version of Cobra DocGuard was used by the attackers to gain access to the victims' networks, they don't know how the attackers gained access to the Cobra DocGuard client to use it in this manner, O'Gorman acknowledges.
Software supply chain attacks in general remain a major issue for organizations in all sectors, with several high-profile attacks occurring in the last 12 months, O'Gorman says. One of those is the Cl0p ransomware gang's MOVEit attack, which exploits a flaw in an app from Progress Software that has affected numerous customer environments and even spurred multiple class-action lawsuits against the company.
"Software supply chain attacks are a boon for attackers as they can allow them to infiltrate even well-guarded organizations if they are able to compromise the software of one of the organization's trusted partners," O'Gorman says.
To defend the supply chain, organizations should monitor the behavior of all activity on a system to help identify any unwanted patterns and allow them to block a suspicious application before any damage can be done, she says.
"This is possible as the behavior of a malicious update will generally be different to that of the expected clean software," O'Gorman notes.
Organizations can also reduce their overall attack surface by implementing zero-trust policies and network segmentation, which can prevent a malicious update that's downloaded to one machine from spreading to the whole network, she says.
Software developers and providers also should take responsibility to secure the supply chain by ensuring they can detect unwanted changes in the software update process and on their website, O'Gorman adds.
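One concrete form of the behavioral monitoring described above, written as an added example (not Symantec's or EsafeNet's code): a small rule that inspects file-write telemetry and flags executables dropped into the Cobra DocGuard update directory that are unsigned, signed by an unexpected publisher, or signed with the Microsoft Windows Hardware Compatibility Publisher certificate the article says was abused. The JSON field names, the expected EsafeNet publisher string, the C: drive letter and the sample records are all assumptions constructed for the example.

```python
"""Added example (not Symantec's or EsafeNet's code): flag executables dropped into the
Cobra DocGuard update directory whose Authenticode signer is not the vendor's. Input is one
JSON object per line with "path" and "signer" ("" if unsigned); records are constructed."""
import json
from typing import List, Optional, Tuple

# Drop location reported in the article; the drive letter C: is assumed here.
DOCGUARD_UPDATE_DIR = r"C:\Program Files\EsafeNet\Cobra DocGuard Client\update"
EXPECTED_SIGNER = "esafenet"  # publisher a genuine update should carry (assumption)
# Microsoft hardware-program certificate the article reports was abused for the PlugX loader.
WHCP_SIGNER = "microsoft windows hardware compatibility publisher"
BINARY_SUFFIXES = (".exe", ".dll", ".sys")

def classify(event: dict) -> Optional[str]:
    """Alert label for an executable written under the vendor update dir, else None."""
    path = event["path"].lower()
    if not path.startswith(DOCGUARD_UPDATE_DIR.lower() + "\\") or not path.endswith(BINARY_SUFFIXES):
        return None
    signer = event.get("signer", "").lower()
    if WHCP_SIGNER in signer:  # the article's key anomaly: hardware-program cert on an app update
        return "WHCP-signed binary in vendor update dir"
    if not signer:
        return "unsigned binary in vendor update dir"
    if EXPECTED_SIGNER not in signer:
        return "binary signed by unexpected publisher in vendor update dir"
    return None

def scan(lines: List[str]) -> List[Tuple[str, str]]:
    """Run classify() over JSON lines; return (path, label) for every alert, in order."""
    alerts = []
    for line in lines:
        if line.strip():
            event = json.loads(line)
            label = classify(event)
            if label:
                alerts.append((event["path"], label))
    return alerts

# Constructed sample telemetry: one clean update, three anomalies, one out-of-scope record.
SAMPLE_EVENTS = [json.dumps({"path": p, "signer": s}) for p, s in [
    (DOCGUARD_UPDATE_DIR + r"\client.exe", "EsafeNet Co., Ltd."),
    (DOCGUARD_UPDATE_DIR + r"\loader.exe", "Microsoft Windows Hardware Compatibility Publisher"),
    (DOCGUARD_UPDATE_DIR + r"\helper.dll", ""),
    (DOCGUARD_UPDATE_DIR + r"\svc.exe", "Some Other Publisher Ltd."),
    (r"C:\Windows\System32\drivers\vendor.sys", "Microsoft Windows Hardware Compatibility Publisher"),
]]
if __name__ == "__main__":
    for path, label in scan(SAMPLE_EVENTS):
        print(f"ALERT {label}: {path}")
```

In production the signer field would come from an EDR or Sysmon-style file-create event enriched with the file's Authenticode subject; the rule deliberately ignores a WHCP-signed driver landing elsewhere, since that is the certificate's legitimate use.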