Chief Scientist Emeritus Fabian Yamaguchi and foundational Code Property Graph technology recognized with IEEE Test of Time Award

On August 22, 2023, security researchers at Symantec’s Threat Hunter Team identified a previously unknown advanced persistent threat (APT) group using Cobra DocGuard to deliver a backdoor to victim devices via the Korplug/PlugX malware. Carderbee used a known issue with Microsoft’s Windows Hardware Developer Program (MWHDP) to deploy the attack, one that Microsoft responded to with its August 8, 2023 Security Update. 

While attackers targeted the Cobra DocGuard application rather than a code repository, understanding how Carderbee used a known issue in Windows drivers can help you identify potential threats to your application. 

Who is Carderbee?

Carderbee is a previously unidentified Chinese threat actor targeting Hong Kong organizations. The group shares similarities with other known China-backed adversaries because it uses both Cobra DocGuard (CDG) and Korplug/PlugX in its attack. However, experts note that they were unable to clearly link Carderbee to the previously known APTs. 

Similarly, researchers can’t define Carderbee’s motive. While attackers have used Korplug/PlugX for cyber espionage, Carderbee could be financially motivated. Further, Carderbee appears to deploy the malware selectively, indicating reconnaissance to target devices or users specifically. 

What is Cobra DocGuard? 

Cobra DocGuard (CDG) is a document security management system sold by the Chinese company EsafeNet. It focuses on data classification, encryption, and access control that combines hardware and software, appearing similar to a server or hard drive. 

Deploying the Malware

Since September 2022, several attacks have leveraged CDG. In this attack, the researchers detected malicious activity on 100 of the 2,000 computers with CDG installed. 

The attackers delivered the malware through the CDG software updater. When organizations updated the CDG hardware and software, decompressing the zipped file executed a DLL that dropped x64 or x86 drivers, depending on the system environment. The drivers then:

  • Read encrypted registry data
  • Decrypted data
  • Inject the PlugX/Korplug backdoor into the svchost.exe

Use of Microsoft Certificates 

In July 2023, Microsoft learned that attackers were using MWHDP certified drivers in post-exploitation activities. After reports from several security research companies, Microsoft investigated the issue, finding that several developer accounts were submitting malicious drivers to obtain a Microsoft signature. 

Microsoft suspended all malicious accounts, and released Windows Security Updates to untrust drivers and driver signing certificates for the impacted files. Microsoft also provided blocking detections to help customers protect against the potential threats. 

Carderbee appears to have leveraged a similar issue to insert itself into the software supply chain through:

  • Malicious x64 and x86 drivers Windows services and registry entries that enable persistence
  • Injecting PlugX/Korplug into a legitimate Windows systems process to evade detection
  • Downloader’s digital signature using a Microsoft Windows Hardware Compatibility Publisher certificate

Lessons Learned

This sophisticated software supply chain attack highlights the importance of reviewing code, even regularly scheduled updates, prior to pushing them live. Carderbee’s attack exists at the code level, but it doesn’t seek to leverage third-party repositories. It buries the malicious code inside a legitimate-looking, well-known third-party software. In many ways, this attack extends the “trust no one” mentality from systems all the way down to code. 

With Qwiet AI’s pre-Zero platform, all code scans take place in your environment, making them quicker while also providing more accurate detections. Our preZero platform enables you to use a combination of known vulnerabilities, heuristic detections, and guided AI so that you can prioritize your most critical vulnerabilities. By integrating the preZero Platform into your existing CI/CD pipelines, ticketing systems, and development tools, ensuring that you can focus on writing code while still implementing robust software security. 

Take our preZero platform for a free spin or contact us today to see how Qwiet AI can help you secure your applications against threats.

 

About Qwiet AI

Qwiet AI empowers developers and AppSec teams to dramatically reduce risk by quickly finding and fixing the vulnerabilities most likely to reach their applications and ignoring reported vulnerabilities that pose little risk. Industry-leading accuracy allows developers to focus on security fixes that matter and improve code velocity while enabling AppSec engineers to shift security left.

A unified code security platform, Qwiet AI scans for attack context across custom code, APIs, OSS, containers, internal microservices, and first-party business logic by combining results of the company’s and Intelligent Software Composition Analysis (SCA). Using its unique graph database that combines code attributes and analyzes actual attack paths based on real application architecture, Qwiet AI then provides detailed guidance on risk remediation within existing development workflows and tooling. Teams that use Qwiet AI ship more secure code, faster. Backed by SYN Ventures, Bain Capital Ventures, Blackstone, Mayfield, Thomvest Ventures, and SineWave Ventures, Qwiet AI is based in Santa Clara, California. For information, visit: https://qwiet.ai

Share

Read Next

AppSec DevOps
January 30, 2024 4 min to read

Handling Session Management in Web Applications

Back in 1893, the Lizzie Borden murders, where the Massachusetts woman was accused of killing both her parents with an ax, captivated the public and news media. Eventually found not guilty, one fundamental question perplexed police officers and the jury. Every door inside the Borden house had its own lock and corresponding key, an attempt […]

READ MORE
AppSec Cybersecurity Cybersecurity for Developers
January 16, 2024 4 min to read

Paying Off Your Loans: Technical Debt and Security Debt i...

Whether it’s school or car loans, you know that paying off your debt makes your life easier. It can improve your credit score, giving you more financial security. As a developer, you may also suffer from technical debt that impacts your application’s security. In a world where time to delivery is critical, you may make […]

READ MORE
AppSec Cybersecurity Cybersecurity for Developers DevOps Engineering
January 11, 2024 4 min to read

Understanding and Implementing HTTPS Strict Transport Sec...

Introduction Within the cascading bytes and bits of digital communications, developers forge pathways of data, threading information through the vast expanse of the internet. However, threats lurking within these pathways seek to intercept, manipulate, and exploit this data. This article ventures into HTTPS and Strict Transport Security (HSTS), offering developers a guide to comprehend, implement, […]

READ MORE

Read Next

Cybersecurity
November 22, 2021 5 min to read

Getting to Know Compliance in Software Development

On March 21, the Biden administration directed US companies to "harden your cyber defenses immediately." With these new federal guidelines for application security, the White House urged software developers to deploy "modern tools that can detect known and potential vulnerabilities" in their custom and open-source software (OSS). Learn more about how ShiftLeft can help.

READ MORE
Cybersecurity
March 15, 2022 7 min to read

Secure Software Summit: The State of OSS Supply Chain Sec...

  The Open Source Software (OSS) Supply Chain is under attack. As evidenced by the recent Log4Shell vulnerability, the OSS supply chain is increasingly a focus for attackers seeking to exploit weak links in security. A number of research reports have recorded a significant increase in so-called “next-gen software supply chain attacks” over the past […]

READ MORE
Cybersecurity
December 20, 2021 6 min to read

5 Application Security Standards You Should Know

It shouldn’t be surprising that application security has become more important over the last few years. As part of the move to the cloud, applications have become the foundation of business operations. Today, more companies use more applications to do more things than ever before. SaaS applications transmit, store, and process large amounts of sensitive […]

READ MORE
Subscribe to newsletter
Privacy Policy Terms of Service © 2024 Qwiet. All rights reserved
Services
Company
Platform
Resources
Log In