An emerging China-backed advanced persistent threat (APT) group targeted organizations in Hong Kong in a supply chain attack that leveraged legitimate software to deploy the PlugX/Korplug backdoor, researchers have found.
The group, which researchers have dubbed Carderbee, used a compromised version of Cobra DocGuard — an application for protecting, encrypting, and decrypting software produced by Chinese firm EsafeNet — to gain access to victims’ networks, the Symantec Threat Hunter Team revealed in a blog post published today.
During the attack, the group's PlugX installer was itself signed with a legitimate Microsoft certificate, obtained by abusing Microsoft's Windows Hardware Developer Program, a weakness the software vendor was already aware of.
The use of the Microsoft Windows Hardware Compatibility Publisher certificate as part of the attack makes it more challenging for defenders, “as malware signed with what appears to be a legitimate certificate can be much harder for security software to detect,” notes Brigid O’Gorman, senior intelligence analyst at Broadcom’s Symantec Threat Hunter Team.
In total, the researchers observed malicious activity on about 100 computers in the impacted organizations, even though the Cobra DocGuard software was installed on about 2,000 of them. This indicates that the APT may be selectively pushing payloads to specific victims, a common tactic in supply chain attacks, O'Gorman says.
“Typically, the compromised software is downloaded onto a large number of computers due to the nature of supply chain attacks, but further malicious activity may be only seen on a small percentage of compromised machines,” she explains.
As-Yet Unidentified Threat Actor
The attack is not the first time that threat actors have used Cobra DocGuard in a supply chain campaign, the researchers said. PlugX is also familiar malware; Chinese threat actors, including BlackFly and MustangPanda, have already wielded the remote access Trojan (RAT) in a number of attacks this year.
Recent attacks have also combined Cobra DocGuard and PlugX in much the same way. In September, threat activity attributed to Budworm (aka LuckyMouse, APT27) used a malicious update to Cobra DocGuard to compromise a gambling company in Hong Kong, then deployed a new variant of Korplug/PlugX, according to ESET.
Indeed, while Carderbee shares similarities with other known adversaries backed by China, “these links weren’t strong enough to definitively link this activity to a known group,” O’Gorman says.
“Crossover of TTPs and infrastructure among threat actors operating out of China isn’t unusual, which can make attribution of attacks challenging,” she says. “Korplug is a backdoor that is known to be used by multiple APTs, not just Budworm, but also APT41 and others.”
The researchers are also unsure of the attack’s motive, though PlugX/Korplug is typically used in cyber espionage attacks, which themselves are typical of Chinese threat actors. “However, with the information we have currently, we couldn’t rule out other possible motivations, such as financial,” O’Gorman adds.
Attack Chain
The attack unfolded over several months, during which researchers observed a malicious version of Cobra DocGuard delivered to the following location on infected computers at victim organizations: “csidl_system_drive\program files\esafenet\cobra docguard client\update.” While most of the victims were based in Hong Kong, the rest were scattered around Asia.
Attackers delivered multiple distinct malware families via this method, including the PlugX/Korplug downloader that was digitally signed with a Microsoft certificate.
The backdoor sample observed in the attack had various functions; it could execute commands via cmd, enumerate files, check running processes, download files, open firewall ports, and act as a keylogger.
Further, while the researchers know that a compromised version of Cobra DocGuard was used by the attackers to gain access to the victims’ networks, they don’t know “how the attackers gained access to the Cobra DocGuard client to use it in this manner,” O’Gorman acknowledges.
Defending the Supply Chain
Software supply chain attacks in general remain a major issue for organizations in all sectors, with several high-profile attacks occurring in the last 12 months, O'Gorman says. One of those is the Cl0p ransomware gang's MOVEit campaign, which exploited a flaw in Progress Software's file-transfer app, affected numerous customer environments, and even spurred multiple class-action lawsuits against the company.
“Software supply chain attacks are a boon for attackers as they can allow them to infiltrate even well-guarded organizations if they are able to compromise the software of one of the organizations’ trusted partners,” O’Gorman says.
To defend the supply chain, organizations should monitor the behavior of all software running on a system so they can identify unwanted patterns and block a suspicious application before any damage is done, she says.
“This is possible as the behavior of a malicious update will generally be different to that of the expected clean software,” O’Gorman notes.
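The indicators this article gives (the DocGuard update directory, a downloader signed by the Windows Hardware Compatibility Publisher certificate, and a backdoor that runs commands via cmd and opens firewall ports) translate directly into the kind of behavioral hunt O'Gorman describes. The script below is an added example, not Symantec's or EsafeNet's code. It runs over a constructed, simplified set of process-creation events; the event field names, the placeholder file names inside the DocGuard directory (docguard_client.exe, cdg_update.exe) and the choice of cmd.exe, powershell.exe and netsh.exe as the child processes to flag are all assumptions for illustration.

```python
"""Hunt process-creation telemetry for the Carderbee-style indicators above.
Added example, not vendor tooling.  The event schema (host, image,
parent_image, signer, cmdline) and file names are assumptions."""
import ntpath
from dataclasses import dataclass

# Directory named in the article, with csidl_system_drive resolved to C:.
DOCGUARD_CLIENT_DIR = r"C:\Program Files\EsafeNet\Cobra DocGuard Client"
DOCGUARD_UPDATE_DIR = ntpath.join(DOCGUARD_CLIENT_DIR, "Update")

# Subject name of the abused signer.  It legitimately signs driver packages,
# so a user-mode *process* carrying this signature deserves review.
WHCP_SIGNER = "Microsoft Windows Hardware Compatibility Publisher"

# Children matching the backdoor capabilities listed (command execution via
# cmd, firewall changes).  Which binaries show up is an assumption.
SHELL_LIKE = {"cmd.exe", "powershell.exe", "netsh.exe"}


def _norm(path: str) -> str:
    """Case-fold and normalise separators so prefix checks are reliable."""
    return ntpath.normpath(path.replace("/", "\\")).lower()


def _under(path: str, directory: str) -> bool:
    return _norm(path).startswith(_norm(directory) + "\\")


@dataclass(frozen=True)
class Finding:
    rule: str
    host: str
    detail: str


def hunt(events):
    """Apply three rules to process_create events; return findings in event order."""
    findings = []
    for ev in events:
        if ev.get("event") != "process_create":
            continue
        host = ev.get("host", "?")
        image, parent = ev["image"], ev.get("parent_image", "")
        # R1: a process signed with the WHCP certificate (the signed downloader).
        if ev.get("signer", "").casefold() == WHCP_SIGNER.casefold():
            findings.append(Finding("whcp_signed_process", host, image))
        # R2: anything executing out of the DocGuard update directory.
        if _under(image, DOCGUARD_UPDATE_DIR):
            findings.append(Finding("docguard_update_dir_exec", host, image))
        # R3: a DocGuard component spawning a shell or netsh.
        if _under(parent, DOCGUARD_CLIENT_DIR) and ntpath.basename(_norm(image)) in SHELL_LIKE:
            findings.append(Finding("docguard_spawns_shell", host,
                                    f"{parent} -> {ev.get('cmdline', image)}"))
    return findings


def hosts_to_review(findings):
    """Group rule hits per host; one host tripping R1 and R3 is the pattern above."""
    by_host = {}
    for f in findings:
        by_host.setdefault(f.host, set()).add(f.rule)
    return by_host


# Constructed sample telemetry (not real captured data).
SAMPLE_EVENTS = [
    {"host": "hk-ws01", "event": "process_create",          # benign client start
     "image": ntpath.join(DOCGUARD_CLIENT_DIR, "docguard_client.exe"),
     "parent_image": r"C:\Windows\explorer.exe", "signer": "EsafeNet (placeholder)"},
    {"host": "hk-ws01", "event": "process_create",          # WHCP-signed update binary
     "image": ntpath.join(DOCGUARD_UPDATE_DIR, "cdg_update.exe"),
     "parent_image": ntpath.join(DOCGUARD_CLIENT_DIR, "docguard_client.exe"),
     "signer": WHCP_SIGNER},
    {"host": "hk-ws01", "event": "process_create",          # update binary opens a port
     "image": r"C:\Windows\System32\cmd.exe",
     "parent_image": ntpath.join(DOCGUARD_UPDATE_DIR, "cdg_update.exe"),
     "signer": "Microsoft Windows",
     "cmdline": 'cmd /c netsh advfirewall firewall add rule name=x dir=in action=allow protocol=TCP localport=4444'},
    {"host": "hk-ws02", "event": "process_create",          # benign user shell
     "image": r"C:\Windows\System32\cmd.exe",
     "parent_image": r"C:\Windows\explorer.exe", "signer": "Microsoft Windows"},
]

if __name__ == "__main__":
    for f in hunt(SAMPLE_EVENTS):
        print(f"{f.host}: {f.rule}: {f.detail}")
```

R2 on its own fires on every legitimate update and is only context; the signal is R1 or R3 co-occurring on the same host, which `hosts_to_review` makes visible. Keep the rules as a hunt rather than a blocking policy until you have measured how often the real DocGuard updater legitimately spawns cmd.exe in your environment.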
Organizations can also reduce their overall attack surface by implementing zero-trust policies and network segmentation, which can prevent a malicious update that’s downloaded to one machine from spreading to the whole network, she says.
Software developers and providers also should take responsibility to secure the supply chain by ensuring they can detect unwanted changes in the software update process and on their website, O’Gorman adds.