
Researchers have discovered a previously unknown APT group attacking organizations in Asia, particularly Hong Kong, by abusing legitimate commercial software to deploy backdoor malware.
The group, dubbed Carderbee, abuses Cobra DocGuard Client, a document-security package, to gain access to victims' machines.
Cobra DocGuard Client is made by the Chinese company EsafeNet. That is where the story gets interesting: Carderbee uses PlugX, a malware family long associated with Chinese state-backed threat groups.
In this campaign the group targeted the DocGuard software updater to deliver its malware, including PlugX. The malicious update arrived as a ZIP file fetched from a domain mimicking Amazon's CDN (cdn.stream-amazon[.]com, listed in the indicators below), which, when decompressed, executed a file named "content.dll" that downloaded the follow-on malware.
The downloader used in the attacks is signed with a certificate issued by Microsoft Windows Hardware Compatibility Publisher, which makes it harder for antivirus and other security software to flag it. A valid signature is therefore not a clean verdict on its own; defenders should still compare file hashes against the indicators below.
Researchers first spotted signs of Carderbee in April. This is not the first time Cobra DocGuard Client has been targeted: a 2022 ESET report attributed an earlier attack on the software to Budworm, also known as LuckyMouse or APT27, a suspected Chinese state-sponsored actor.
The timing of the attack may not have been coincidental; some have suggested it is part of broader geopolitical tensions.
This activity was documented by researchers at Symantec.
Indicators of Compromise (file hashes are SHA-256; IP addresses, URLs and domains are defanged with [.])
- 96170614bbd02223dc79cec12afb6b11004c8edb8f3de91f78a6fc54d0844622
- 19a6a404605be964ab87905d59402e2890460709a1d9038c66b3fbeedc1a2343
- 1ff7b55dde007b7909f43dd47692f7c171caa2897d663eb9db01001062b1fe9d
- 2400d8e66c652f4f8a13c99a5ffb67cb5c0510144b30e93122b1809b58614936
- 2f714aaf9e3e3e03e8168fe5e22ba6d8c1b04cbfa3d37ff389e9f1568a80cad4
- 47b660bbaacb2a602640b5e2c589a3adc620a0bfc9f0ecfb8d813a803d7b75e2
- 5467e163621698b38c2ba82372bac110cea4121d7c1cec096958a4d9eaa44be7
- 7e6d0f14302662f52e4379eb5b69a3749d8597e8f61266aeda74611258972a3d
- 85fc7628c5c7190f25da7a2c7ee16fc2ad581e1b0b07ba4ac33cff4c6e94c8af
- 8bd40da84c8fa5f6f8e058ae7e36e1023aca1b9a9c8379704934a077080da76f
- 8ca135b2f4df6a714b56c1a47ac5baa80a11c6a4fcc1d84a047d77da1628f53f
- 9e96f70ce312f2638a99cfbd3820e85798c0103c7dc06fe0182523e3bf1e2805
- 9fc49d9f4b922112c2bafe3f1181de6540d94f901b823e11c008f6d1b2de218c
- b5159f8ae16deda7aa5d55100a0eac6e5dacd1f6502689b543513a742353d1ea
- b7b8ea25786f8e82aabe4a4385c6142d9afe03f090d1433d0dc6d4d6ccc27510
- b84f68ab098ce43f9cb363d0a20a2267e7130078d3d2d8408bfb32bbca95ca37
- f64267decaa982c63185d92e028f52c31c036e85b2731a6e0bccdb8f7b646e97
- 45.76.179[.]209
- 104.238.151[.]104
- http://111.231.100[.]228:8888/CDGServer3/UpgradeService2
- http://103.151.28[.]11:8090/CDGServer3/UpgradeService2
- cdn.stream-amazon[.]com
- cdn.ofo[.]ac
- gobay[.]info
- tjj.active-microsoft[.]com
- githubassets.akamaixed[.]net
- ms-g9-sites-prod-cdn.akamaixed[.]net
- ms-f7-sites-prod-cdn.akamaixed[.]net
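The indicator list above is only useful once it is turned into a sweep. The following is an added example (not Symantec's tooling and not part of the original report) that refangs a subset of the published indicators, sorts them into hashes, IPs, URLs and domains, and then hunts for them in a few constructed proxy, EDR, DNS and firewall log lines. Domain matching is done on a label boundary so that the Amazon-lookalike cdn.stream-amazon[.]com is flagged while genuine amazonaws.com traffic is not. The log lines and the file path in them are invented for the example.

```python
import re

# Constructed subset of the page's indicators, kept in the defanged form in
# which they were published.
IOC_TEXT = """
- 96170614bbd02223dc79cec12afb6b11004c8edb8f3de91f78a6fc54d0844622
- 45.76.179[.]209
- 104.238.151[.]104
- http://111.231.100[.]228:8888/CDGServer3/UpgradeService2
- cdn.stream-amazon[.]com
- githubassets.akamaixed[.]net
"""

SHA256_RE = re.compile(r"[0-9a-f]{64}")
IPV4_RE = re.compile(r"(?<![\d.])(?:\d{1,3}\.){3}\d{1,3}(?![\d.])")
URL_RE = re.compile(r"https?://[^\s\"']+")
# Hostname candidates: dotted labels ending in an alphabetic TLD.
HOST_RE = re.compile(r"(?<![\w.-])((?:[a-z0-9-]+\.)+[a-z]{2,})(?![\w-])")


def refang(value):
    """Turn the published defanged form back into a matchable string."""
    return value.replace("[.]", ".").replace("hxxp://", "http://").strip().lower()


def parse_iocs(text):
    """Sort each indicator line into the bucket its shape implies."""
    iocs = {"sha256": set(), "ip": set(), "url": set(), "domain": set()}
    for raw in text.splitlines():
        value = refang(raw.strip().lstrip("-").strip())
        if not value:
            continue
        if SHA256_RE.fullmatch(value):
            iocs["sha256"].add(value)
        elif value.startswith(("http://", "https://")):
            iocs["url"].add(value)
        elif IPV4_RE.fullmatch(value):
            iocs["ip"].add(value)
        else:
            iocs["domain"].add(value)
    return iocs


def host_matches(host, domains):
    """Exact or subdomain match on a label boundary: a plain substring test
    would let 'amazon.com' traffic collide with the stream-amazon lookalike."""
    return any(host == d or host.endswith("." + d) for d in domains)


def scan_line(line, iocs):
    """Return the (kind, value) indicators that appear in one log line."""
    low = line.lower()
    hits = set()
    hits.update(("sha256", h) for h in SHA256_RE.findall(low) if h in iocs["sha256"])
    hits.update(("url", u) for u in URL_RE.findall(low) if u.rstrip("/") in iocs["url"])
    hits.update(("ip", ip) for ip in IPV4_RE.findall(low) if ip in iocs["ip"])
    hits.update(("domain", h) for h in HOST_RE.findall(low) if host_matches(h, iocs["domain"]))
    return sorted(hits)


def sweep(lines, iocs):
    """Map line index -> hits for every line that touches an indicator."""
    findings = {}
    for i, line in enumerate(lines):
        hits = scan_line(line, iocs)
        if hits:
            findings[i] = hits
    return findings


# Constructed log lines; the client path is hypothetical.
SAMPLE_LOGS = [
    "2023-04-12T09:14:03Z proxy allow 10.1.2.34 GET http://cdn.stream-amazon.com/updates/content.zip",
    "2023-04-12T09:14:09Z edr process_create image=C:\\DocGuard\\update.exe "
    "sha256=96170614bbd02223dc79cec12afb6b11004c8edb8f3de91f78a6fc54d0844622",
    "2023-04-12T09:15:41Z proxy allow 10.1.2.34 GET http://111.231.100.228:8888/CDGServer3/UpgradeService2",
    "2023-04-12T09:20:00Z dns query 10.1.2.34 s3.amazonaws.com A",
    "2023-04-12T09:21:17Z fw allow 10.1.2.34 -> 45.76.179.209:443",
]

if __name__ == "__main__":
    for idx, hits in sweep(SAMPLE_LOGS, parse_iocs(IOC_TEXT)).items():
        print(idx, hits)
```

The fourth sample line (legitimate amazonaws.com) produces no finding, which is the point of `host_matches`; the first line is caught by the lookalike domain even though the specific ZIP URL is not in the list, and the third is caught by the exact UpgradeService2 URL. For a real sweep, feed the full indicator block from the page into `IOC_TEXT` and stream log files through `sweep`.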