October 3, 2023

Researchers have discovered an unknown APT group attacking organizations in Asia, particularly Hong Kong, using commercial software to deploy backdoor malware.

The group dubbed as CarderBee uses Cobra DocGuard Client, a software package designed to allow users to access and manage their Consolidated Omnibus Budget Reconciliation Act documents to gain access to victim’s machines.

The Cobra DocGuard Client is said to have been designed by Chinese company EsafeNet. That’s where the story gets interesting. CarderBee uses PlugX, a malware family used by Chinese state-backed threat groups.


In this campaign, the APT is targeting the DocGuard software updater to deploy malware, including PlugX. The update arrives as a ZIP file from AWS. which, when decompressed, executes a file named “content.dll,” which downloads the malware.

The downloader used in the attacks includes a Microsoft Windows Hardware Compatibility Publisher digitally signed certificate, making it somewhat more difficult for antivirus and other security software to detect.

Researchers first spotted signs of Carderbee in April. This isn’t the first time Cobra DocGuard Client has been targeted. An ESET report in 2022 detailed that attack to Budworm, also known as LuckyMouse or APT 27, an allegedly Chinese-sponsored state actor.

The timing of the attack may not have been coincidental and has been suggested by some to be part of broader geopolitical tensions.

This research was documented by researchers from Symantec

Indicators of Compromise

  • 96170614bbd02223dc79cec12afb6b11004c8edb8f3de91f78a6fc54d0844622
  • 19a6a404605be964ab87905d59402e2890460709a1d9038c66b3fbeedc1a2343
  • 1ff7b55dde007b7909f43dd47692f7c171caa2897d663eb9db01001062b1fe9d
  • 2400d8e66c652f4f8a13c99a5ffb67cb5c0510144b30e93122b1809b58614936
  • 2f714aaf9e3e3e03e8168fe5e22ba6d8c1b04cbfa3d37ff389e9f1568a80cad4
  • 47b660bbaacb2a602640b5e2c589a3adc620a0bfc9f0ecfb8d813a803d7b75e2
  • 5467e163621698b38c2ba82372bac110cea4121d7c1cec096958a4d9eaa44be7
  • 7e6d0f14302662f52e4379eb5b69a3749d8597e8f61266aeda74611258972a3d
  • 85fc7628c5c7190f25da7a2c7ee16fc2ad581e1b0b07ba4ac33cff4c6e94c8af
  • 8bd40da84c8fa5f6f8e058ae7e36e1023aca1b9a9c8379704934a077080da76f
  • 8ca135b2f4df6a714b56c1a47ac5baa80a11c6a4fcc1d84a047d77da1628f53f
  • 9e96f70ce312f2638a99cfbd3820e85798c0103c7dc06fe0182523e3bf1e2805
  • 9fc49d9f4b922112c2bafe3f1181de6540d94f901b823e11c008f6d1b2de218c
  • b5159f8ae16deda7aa5d55100a0eac6e5dacd1f6502689b543513a742353d1ea
  • b7b8ea25786f8e82aabe4a4385c6142d9afe03f090d1433d0dc6d4d6ccc27510
  • b84f68ab098ce43f9cb363d0a20a2267e7130078d3d2d8408bfb32bbca95ca37
  • f64267decaa982c63185d92e028f52c31c036e85b2731a6e0bccdb8f7b646e97
  • 45.76.179[.]209
  • 104.238.151[.]104
  • http://111.231.100[.]228:8888/CDGServer3/UpgradeService2
  • http://103.151.28[.]11:8090/CDGServer3/UpgradeService2
  • cdn.stream-amazon[.]com
  • cdn.ofo[.]ac
  • gobay[.]info
  • tjj.active-microsoft[.]com
  • githubassets.akamaixed[.]net
  • ms-g9-sites-prod-cdn.akamaixed[.]net 
  • ms-f7-sites-prod-cdn.akamaixed[.]net

Leave a Reply

%d bloggers like this: