On August 22, 2023, security researchers at Symantec’s Threat Hunter Team identified a previously unknown advanced persistent threat (APT) group using Cobra DocGuard to deliver a backdoor to victim devices via the Korplug/PlugX malware. Carderbee used a known issue with Microsoft’s Windows Hardware Developer Program (MWHDP) to deploy the attack, one that Microsoft responded to with its August 8, 2023 Security Update.
While attackers targeted the Cobra DocGuard application rather than a code repository, understanding how Carderbee used a known issue in Windows drivers can help you identify potential threats to your application.
Who is Carderbee?
Carderbee is a previously unidentified Chinese threat actor targeting Hong Kong organizations. The group shares similarities with other known China-backed adversaries because it uses both Cobra DocGuard (CDG) and Korplug/PlugX in its attack. However, experts note that they were unable to clearly link Carderbee to the previously known APTs.
Similarly, researchers can’t define Carderbee’s motive. While attackers have used Korplug/PlugX for cyber espionage, Carderbee could be financially motivated. Further, Carderbee appears to deploy the malware selectively, indicating reconnaissance to target devices or users specifically.
What is Cobra DocGuard?
Cobra DocGuard (CDG) is a document security management system sold by the Chinese company EsafeNet. It focuses on data classification, encryption, and access control that combines hardware and software, appearing similar to a server or hard drive.
Deploying the Malware
Since September 2022, several attacks have leveraged CDG. In this attack, the researchers detected malicious activity on 100 of the 2,000 computers with CDG installed.
The attackers delivered the malware through the CDG software updater. When organizations updated the CDG hardware and software, decompressing the zipped file executed a DLL that dropped x64 or x86 drivers, depending on the system environment. The drivers then:
- Read encrypted registry data
- Decrypted that data
- Injected the PlugX/Korplug backdoor into svchost.exe
Use of Microsoft Certificates
In July 2023, Microsoft learned that attackers were using MWHDP-certified drivers in post-exploitation activities. After reports from several security research companies, Microsoft investigated the issue, finding that several developer accounts had submitted malicious drivers to obtain a Microsoft signature.
Microsoft suspended all malicious accounts, and released Windows Security Updates to untrust drivers and driver signing certificates for the impacted files. Microsoft also provided blocking detections to help customers protect against the potential threats.
Carderbee appears to have leveraged a similar issue to insert itself into the software supply chain through:
- Malicious x64 and x86 drivers, Windows services, and registry entries that enable persistence
- Injecting PlugX/Korplug into a legitimate Windows system process to evade detection
- A downloader digitally signed with a Microsoft Windows Hardware Compatibility Publisher certificate
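The three behaviours listed above (a dropped driver, service/registry persistence, and injection into svchost.exe) are what a defender would actually hunt for. The Python below is an added example, not code from the original post or from the researchers who reported the campaign: it runs one triage rule per behaviour over Sysmon-style JSON events (Event ID 6 DriverLoad, 13 RegistryEvent SetValue, 8 CreateRemoteThread). The field names follow Sysmon's schema, but the sample events, the `VendorUpdate` paths and the allowlist of processes expected to create threads in svchost.exe are all constructed for the example and would need tuning against a real baseline.

```python
"""Triage rules for the driver / persistence / injection behaviours above.

Input is Sysmon-style events as JSON lines. Field names follow Sysmon's schema;
the events themselves are constructed for this example and are not telemetry
from the Carderbee intrusion.
"""
import json

# Constructed sample events (one JSON object per line). Paths and names are made up.
SAMPLE_EVENTS = r"""
{"EventID": 6, "ImageLoaded": "C:\\Windows\\System32\\drivers\\acpi.sys", "Signed": "true", "Signature": "Microsoft Windows", "SignatureStatus": "Valid"}
{"EventID": 6, "ImageLoaded": "C:\\ProgramData\\VendorUpdate\\drv64.sys", "Signed": "true", "Signature": "Microsoft Windows Hardware Compatibility Publisher", "SignatureStatus": "Valid"}
{"EventID": 13, "EventType": "SetValue", "Image": "C:\\ProgramData\\VendorUpdate\\update.exe", "TargetObject": "HKLM\\System\\CurrentControlSet\\Services\\drv64\\ImagePath", "Details": "\\??\\C:\\ProgramData\\VendorUpdate\\drv64.sys"}
{"EventID": 8, "SourceImage": "C:\\ProgramData\\VendorUpdate\\update.exe", "TargetImage": "C:\\Windows\\System32\\svchost.exe", "StartAddress": "0x00007FF6A0001000"}
{"EventID": 8, "SourceImage": "C:\\Windows\\System32\\services.exe", "TargetImage": "C:\\Windows\\System32\\svchost.exe", "StartAddress": "0x00007FF7B0002000"}
"""

DRIVER_DIRS = ("c:\\windows\\system32\\drivers\\", "c:\\windows\\system32\\driverstore\\")
SYSTEM_BINARY_PREFIXES = ("c:\\windows\\", "\\systemroot\\", "system32\\")
SERVICES_KEY = "hklm\\system\\currentcontrolset\\services\\"
# Processes that legitimately start threads in svchost.exe on a typical host.
# Assumed allowlist for the example; tune it against your own EDR baseline.
SVCHOST_THREAD_SOURCES = {
    "c:\\windows\\system32\\services.exe",
    "c:\\windows\\system32\\csrss.exe",
    "c:\\windows\\system32\\lsass.exe",
}


def norm(path: str) -> str:
    """Lower-case, forward slashes to backslashes, quotes and NT '\\??\\' prefix removed."""
    p = path.strip().strip('"').replace("/", "\\").lower()
    return p[4:] if p.startswith("\\??\\") else p


def load_events(text: str) -> list:
    """Parse JSON-lines input, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def check_driver_load(ev: dict):
    """EventID 6: a driver whose signature is not valid, or one loaded from outside
    the standard driver directories. A WHCP signature alone is not suspicious (most
    third-party drivers carry one); the load path is the discriminating signal."""
    if ev.get("SignatureStatus") != "Valid":
        return "driver_signature_not_valid"
    if not norm(ev.get("ImageLoaded", "")).startswith(DRIVER_DIRS):
        return "driver_outside_driver_dirs"
    return None


def check_service_registry(ev: dict):
    """EventID 13: a service ImagePath written under CurrentControlSet\\Services that
    points at a binary outside the Windows directory (new-service persistence)."""
    target = norm(ev.get("TargetObject", ""))
    if target.startswith(SERVICES_KEY) and target.endswith("\\imagepath"):
        if not norm(ev.get("Details", "")).startswith(SYSTEM_BINARY_PREFIXES):
            return "service_persistence_nonsystem_binary"
    return None


def check_remote_thread(ev: dict):
    """EventID 8: a thread created in svchost.exe by a process that is not one of
    the expected system sources (injection into a trusted host process)."""
    if norm(ev.get("TargetImage", "")).endswith("\\svchost.exe"):
        if norm(ev.get("SourceImage", "")) not in SVCHOST_THREAD_SOURCES:
            return "remote_thread_into_svchost"
    return None


RULES = {6: check_driver_load, 13: check_service_registry, 8: check_remote_thread}


def evaluate(text: str) -> list:
    """Run the matching rule over every event; return one alert per matched event."""
    alerts = []
    for ev in load_events(text):
        rule = RULES.get(ev.get("EventID"))
        name = rule(ev) if rule else None
        if name:
            alerts.append({"rule": name, "event": ev})
    return alerts


if __name__ == "__main__":
    for alert in evaluate(SAMPLE_EVENTS):
        print(f"[{alert['rule']}] {json.dumps(alert['event'])}")
```

On the constructed input the script raises three alerts (the driver loaded from ProgramData, the service ImagePath pointing at it, and the thread created in svchost.exe by the non-system updater) and stays quiet on the two benign events. The design choice worth noting is in `check_driver_load`: the Hardware Compatibility Publisher signature is deliberately not treated as an indicator by itself, because that is exactly the trust the attack relies on being ordinary; the unusual load path and the persistence write are what separate it from a legitimate vendor driver.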
This sophisticated software supply chain attack highlights the importance of reviewing code, even regularly scheduled updates, prior to pushing it live. Carderbee’s attack exists at the code level, but it doesn’t seek to leverage third-party repositories. It buries the malicious code inside legitimate-looking, well-known third-party software. In many ways, this attack extends the “trust no one” mentality from systems all the way down to code.
With Qwiet AI’s preZero platform, all code scans take place in your environment, making them quicker while also providing more accurate detections. Our preZero platform enables you to use a combination of known vulnerabilities, heuristic detections, and guided AI so that you can prioritize your most critical vulnerabilities. Integrating the preZero platform into your existing CI/CD pipelines, ticketing systems, and development tools ensures that you can focus on writing code while still implementing robust software security.