Every software supply chain attack, in which hackers corrupt a legitimate application to push out their malware to hundreds or potentially thousands of victims, represents a disturbing new outbreak of a cybersecurity scourge. But when that supply chain attack is pulled off by a mysterious group of hackers, abusing a Microsoft trusted software model to make their malware pose as legitimate, it represents a dangerous and potentially new adversary worth watching.
Today, researchers on the Threat Hunter Team at Broadcom-owned security firm Symantec revealed that they'd detected a supply chain attack carried out by a hacker group that they've newly named CarderBee. According to Symantec, the hackers hijacked the software updates of a piece of Chinese-origin security software known as Cobra DocGuard, injecting their own malware to target about 100 computers across Asia, mostly in Hong Kong. Though some clues, like the exploitation of DocGuard and other malicious code they installed on victim machines, loosely link CarderBee with previous Chinese state-sponsored hacking operations, Symantec declined to identify CarderBee as any previously known group, suggesting it may be a new team.
Beyond the usual disturbing breach of trust in legitimate software that occurs in every software supply chain, Symantec says, the hackers also managed to get their malicious code—a backdoor known as Korplug or PlugX and commonly used by Chinese hackers—digitally signed by Microsoft. The signature, which Microsoft typically uses to designate trusted code, made the malware far harder to detect.
“Any time we see a software supply chain attack, it’s somewhat interesting. But in terms of sophistication, this is a cut above the rest,” says Dick O'Brien, a principal intelligence analyst on Symantec's research team. “This one has the hallmarks of an operator who knows what they’re doing.”
Cobra DocGuard, which is ironically marketed as security software for encrypting and protecting files based on a system of users' privileges inside an organization, has around 2,000 users, according to Symantec. So the fact that the hackers chose just 100 or so machines on which to install their malware—capable of everything from running commands to recording keystrokes—suggests that CarderBee may have combed thousands of potential victims to specifically target those users, O’Brien argues. Symantec declined to name the targeted victims or say whether they were largely government or private sector companies.
The Cobra DocGuard application is distributed by EsafeNet, a company owned by the security firm Nsfocus, which was founded in China in 2000 but now describes its headquarters as Milpitas, California. Symantec says it can't explain how CarderBee managed to corrupt the company's application, which in many software supply chain attacks involves hackers breaching a software distributor to corrupt their development process. Nsfocus didn't respond to WIRED's request for comment.
Most PopularThe Top New Features Coming to Apple’s iOS 18 and iPadOS 18By Julian Chokkattu CultureConfessions of a Hinge Power UserBy Jason Parham GearHow Do You Solve a Problem Like Polestar?By Carlton Reid SecurityWhat You Need to Know About Grok AI and Your PrivacyBy Kate O'Flaherty
GearSymantec's discovery isn't actually the first time that Cobra DocGuard has been used to distribute malware. Cybersecurity firm ESET found that in September of last year a malicious update to the same application was used to breach a Hong Kong gambling company and plant a variant of the same Korplug code. ESET found that the gambling company also had been breached via the same method in 2021.
ESET pinned that earlier attack on the hacker group known as LuckyMouse, APT27, or Budworm, which is widely believed to be based in China and has for more than a decade targeted government agencies and government-related industries, including aerospace and defense. But despite the Korplug and CobraGuard connections, Symantec says it's too early to link the wider supply chain attack it has uncovered to the group behind the previous incidents.
“You can't rule out the idea that one APT group compromises this software, and then it becomes known that this software is vulnerable to this kind of compromise, and somebody else does it as well,” says Symantec's O'Brien, using the term APT to mean “advanced, persistent threat,” a common industry term for state-sponsored hacker groups. “We don't want to jump to conclusions.” O'Brien notes that another Chinese group, known as APT41 or Barium, has also carried out numerous supply chain attacks—perhaps more than any other team of hackers—and has used Korplug, too.
To add to the attack's stealth, the CarderBee hackers managed to somehow deceive Microsoft into lending extra legitimacy to their malware: They tricked the company into signing the Korplug backdoor with the certificates Microsoft uses in its Windows Hardware Compatibility Publisher program to designate trusted code, making it look far more legit than it is. That program typically requires a developer to register with Microsoft as a business entity and submit their code to Microsoft for approval. But the hackers appear to have obtained a Microsoft signature through either developer accounts they created themselves or obtained from other registered developers. Microsoft didn't respond to WIRED's request for more information on how it ended up signing malware used in the hackers' supply chain attack.
Malware that's signed by Microsoft is a long-running problem. Getting access to a registered developer account represents a hurdle to hackers, says Jake Williams, a former US National Security Agency hacker now on faculty at the Institute for Applied Network Security. But once that account is obtained, Microsoft is known to take a lax approach to vetting registered developers' code. “They typically sign whatever you, as the developer, submit,” Williams says. And those signatures can, in fact, make malware far harder to spot, he adds. “So many folks, when they threat-hunt, they start by exempting things that are signed by Microsoft,” Williams says.
That code-signing trick, combined with a well-executed supply chain attack, suggests a level of sophistication that makes CarderBee uniquely worthy of tracking, says Symantec's O'Brien—even for those outside of its current targeting in Hong Kong or Chinese neighbor countries. Regardless of whether you’re in China’s orbit, says O’Brien, “it’s certainly one to look out for.”