On August 22, 2023, security researchers at Symantec’s Threat Hunter Team identified a previously unknown advanced persistent threat (APT) group using Cobra DocGuard to deliver a backdoor to victim devices via the Korplug/PlugX malware. Carderbee used a known issue with Microsoft’s Windows Hardware Developer Program (MWHDP) to deploy the attack, one that Microsoft responded to with its August 8, 2023 Security Update. 

While attackers targeted the Cobra DocGuard application rather than a code repository, understanding how Carderbee used a known issue in Windows drivers can help you identify potential threats to your application. 

Who is Carderbee?

Carderbee is a previously unidentified Chinese threat actor targeting Hong Kong organizations. The group shares similarities with other known China-backed adversaries because it uses both Cobra DocGuard (CDG) and Korplug/PlugX in its attack. However, experts note that they were unable to clearly link Carderbee to the previously known APTs. 

Similarly, researchers can’t define Carderbee’s motive. While attackers have used Korplug/PlugX for cyber espionage, Carderbee could be financially motivated. Further, Carderbee appears to deploy the malware selectively, indicating reconnaissance to target devices or users specifically. 

What is Cobra DocGuard? 

Cobra DocGuard (CDG) is a document security management system sold by the Chinese company EsafeNet. It focuses on data classification, encryption, and access control that combines hardware and software, appearing similar to a server or hard drive. 

Deploying the Malware

Since September 2022, several attacks have leveraged CDG. In this attack, the researchers detected malicious activity on 100 of the 2,000 computers with CDG installed. 

The attackers delivered the malware through the CDG software updater. When organizations updated the CDG hardware and software, decompressing the zipped file executed a DLL that dropped x64 or x86 drivers, depending on the system environment. The drivers then:

  • Read encrypted registry data
  • Decrypted data
  • Inject the PlugX/Korplug backdoor into the svchost.exe

Use of Microsoft Certificates 

In July 2023, Microsoft learned that attackers were using MWHDP certified drivers in post-exploitation activities. After reports from several security research companies, Microsoft investigated the issue, finding that several developer accounts were submitting malicious drivers to obtain a Microsoft signature. 

Microsoft suspended all malicious accounts, and released Windows Security Updates to untrust drivers and driver signing certificates for the impacted files. Microsoft also provided blocking detections to help customers protect against the potential threats. 

Carderbee appears to have leveraged a similar issue to insert itself into the software supply chain through:

  • Malicious x64 and x86 drivers Windows services and registry entries that enable persistence
  • Injecting PlugX/Korplug into a legitimate Windows systems process to evade detection
  • Downloader’s digital signature using a Microsoft Windows Hardware Compatibility Publisher certificate

Lessons Learned

This sophisticated software supply chain attack highlights the importance of reviewing code, even regularly scheduled updates, prior to pushing them live. Carderbee’s attack exists at the code level, but it doesn’t seek to leverage third-party repositories. It buries the malicious code inside a legitimate-looking, well-known third-party software. In many ways, this attack extends the “trust no one” mentality from systems all the way down to code. 

With Qwiet AI’s pre-Zero platform, all code scans take place in your environment, making them quicker while also providing more accurate detections. Our preZero platform enables you to use a combination of known vulnerabilities, heuristic detections, and guided AI so that you can prioritize your most critical vulnerabilities. By integrating the preZero Platform into your existing CI/CD pipelines, ticketing systems, and development tools, ensuring that you can focus on writing code while still implementing robust software security. 

Take our preZero platform for a free spin or contact us today to see how Qwiet AI can help you secure your applications against threats.


About ShiftLeft

ShiftLeft empowers developers and AppSec teams to dramatically reduce risk by quickly finding and fixing the vulnerabilities most likely to reach their applications and ignoring reported vulnerabilities that pose little risk. Industry-leading accuracy allows developers to focus on security fixes that matter and improve code velocity while enabling AppSec engineers to shift security left.

A unified code security platform, ShiftLeft CORE scans for attack context across custom code, APIs, OSS, containers, internal microservices, and first-party business logic by combining results of the company’s and Intelligent Software Composition Analysis (SCA). Using its unique graph database that combines code attributes and analyzes actual attack paths based on real application architecture, ShiftLeft then provides detailed guidance on risk remediation within existing development workflows and tooling. Teams that use ShiftLeft ship more secure code, faster. Backed by SYN Ventures, Bain Capital Ventures, Blackstone, Mayfield, Thomvest Ventures, and SineWave Ventures, ShiftLeft is based in Santa Clara, California. For information, visit: www.shiftleft.io.


See for yourself – run a scan on your code right now