
Legitimate software tainted in attacks on Hong Kong organizations, report says

Hackers were able to abuse legitimate software during a suspected supply chain attack targeting about 100 computers used by organizations in Hong Kong and other regions of Asia.

The experts behind the research — from the Symantec Threat Hunter Team — were unable to tie the campaign to any known advanced persistent threat (APT) group but noted that each attack sought to place the Korplug backdoor onto victim computers.

Korplug (Symantec's name for the backdoor also known as PlugX) is used by a wide variety of state-sponsored hackers based in China, but Symantec gave this group a new name, Carderbee, because the researchers “could not link this activity to a known threat actor.”

The group “used the legitimate Cobra DocGuard software to carry out a supply chain attack,” the researchers explained, and the deployed malware was “signed with a legitimate Microsoft certificate” — a technique that helps hackers avoid detection.

Cobra DocGuard Client is intended to protect, encrypt and decrypt software. It is produced by a China-based company called EsafeNet, which itself is owned by Chinese information security firm NSFOCUS.

The Carderbee campaign began in April 2023 and was focused on a select group of Cobra DocGuard software customers at a handful of organizations, Symantec said. At the impacted organizations, the Cobra DocGuard software was installed on around 2,000 computers but malicious activity was found on only 100 devices.

The researchers said this is evidence that the attackers behind the campaign were selective in their targeting.

Supply-chain suspicions

The location of the malicious software, in a folder associated with updates to the Cobra DocGuard software, was a further indication that this was a supply chain attack, the researchers explained.

“Over a period of a few months in 2023, multiple distinct malware families were observed being deployed via this method,” they said. “In one interesting case, a downloader deployed by the attackers had a digitally signed certificate from Microsoft, called Microsoft Windows Hardware Compatibility Publisher. This downloader was used to install the Korplug backdoor on targeted systems.”

The Korplug sample found on victim devices allowed the hackers to execute commands, enumerate and download files, log keystrokes, open firewall ports and enumerate running processes on the device.

The report on the campaign notes that hackers previously targeted a Hong Kong-based gambling company with a malicious update to Cobra DocGuard software two separate times in 2021 and 2022.

Those attacks were conducted by APT27, the label for a notorious Chinese cyber-espionage group responsible for incidents involving a U.S. state legislature, the government of a country in the Middle East, several German companies, multiple Southeast Asian telecom companies and more. Symantec said there was no evidence from the latest campaign tying it to APT27 or other Chinese hacking groups.

Symantec noted that the campaign highlights the persistent problem of illicitly obtained Microsoft signatures, which make it more difficult for security software to root out malware. They cited several incidents over the last year, including one identified by Mandiant in December 2022 and another last month involving the abuse of drivers certified by Microsoft’s Windows Hardware Developer Program (MWHDP).
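The signed-downloader detail above suggests a practical hunting check. The PowerShell below is an added example, not code from the Symantec report or from the article: it walks a directory and reports every PE file whose Authenticode signer is the Windows Hardware Compatibility Publisher certificate named in the report. The install path is an assumption, and the "suspicious" flag is a heuristic (that certificate is issued for drivers submitted through the Windows Hardware Developer Program, so a user-mode .exe or .dll carrying it deserves a closer look); a Valid status only proves the file was signed, not that it is benign.

```powershell
# Added hunting check; not part of the Symantec report or the article.
# Flags PE files signed by the Windows Hardware Compatibility Publisher
# certificate and records enough detail (status, thumbprint, hash) to triage
# or to compare against a known-good baseline.
function Find-WhcpSignedBinaries {
    param(
        [Parameter(Mandatory)] [string] $Path,
        # Subject CN of the certificate named in the report.
        [string] $Publisher = 'Microsoft Windows Hardware Compatibility Publisher'
    )

    Get-ChildItem -Path $Path -Recurse -File -Include *.exe, *.dll, *.sys -ErrorAction SilentlyContinue |
    ForEach-Object {
        $sig = Get-AuthenticodeSignature -FilePath $_.FullName
        $subject = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }

        if ($subject -like "*CN=$Publisher*") {
            [pscustomobject]@{
                File       = $_.FullName
                Status     = $sig.Status            # Valid, NotSigned, HashMismatch, ...
                Signer     = $subject
                Thumbprint = $sig.SignerCertificate.Thumbprint
                Sha256     = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
                # Heuristic (assumption): WHCP signing is meant for kernel drivers,
                # so a non-.sys file carrying this signer is worth examining.
                Suspicious = ($_.Extension -ne '.sys')
            }
        }
    }
}

# Example run over the product's install tree; the path is an assumption.
Find-WhcpSignedBinaries -Path "$env:ProgramFiles\EsafeNet" |
    Sort-Object Suspicious -Descending |
    Format-Table -AutoSize
```

Run it across the update folder of any third-party agent you deploy, not only this one, and feed the SHA256 values into your threat intelligence lookups; a hit on a hash is actionable, while a clean lookup on a signed file tells you little, which is exactly the evasion the report describes.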

“It seems clear that the attackers behind this activity are patient and skilled actors. They leverage both a supply chain attack and signed malware to carry out their activity in an attempt to stay under the radar,” the researchers said.

“The fact that they appear to only deploy their payload on a handful of the computers they gain access to also points to a certain amount of planning and reconnaissance on behalf of the attackers behind this activity. Software supply chain attacks remain a major issue for organizations in all sectors, with multiple high-profile supply chain attacks occurring in the last 12 months, including the MOVEit, X_Trader, and 3CX attacks.”


Jonathan Greig is a Breaking News Reporter at Recorded Future News. Jonathan has worked across the globe as a journalist since 2014. Before moving back to New York City, he worked for news outlets in South Africa, Jordan and Cambodia. He previously covered cybersecurity at ZDNet and TechRepublic.