🇨🇳

Carderbee

APT Group Information theft and espionage ETDA ✓

Also Known As

No alias recorded

Target Countries 2

Countries highlighted in red

Hong Kong United States

Sectors Targeted

Computer Systems Design and Related Services 54151

Details

Origin 🇨🇳 CN

Last Updated 08 Nov 2023

MITRE ATT&CK 26

T1012 - Query Registry T1016 - System Network Configuration Discovery T1027 - Obfuscated Files or Information T1033 - System Owner/User Discovery T1049 - System Network Connections Discovery T1055 - Process Injection T1057 - Process Discovery T1059 - Command and Scripting Interpreter T1059.003 - Windows Command Shell T1071.001 - Web Protocols T1082 - System Information Discovery T1083 - File and Directory Discovery T1102.002 - Bidirectional Communication T1105 - Ingress Tool Transfer T1106 - Native API T1124 - System Time Discovery T1140 - Deobfuscate/Decode Files or Information T1204 - User Execution T1204.001 T1204.002 - Malicious File T1547.001 - Registry Run Keys / Startup Folder T1566 - Phishing T1573 - Encrypted Channel T1573.002 - Asymmetric Cryptography T1574 - Hijack Execution Flow T1574.002 - DLL Side-Loading

Related Zero-Days

No zero-day CVE linked to this actor

Known Names 1 entries

Carderbee Symantec

Observed Target Countries 2

Based on ETDA data — countries highlighted in red

Hong Kong Asia

Description

(Symantec) A previously unknown advanced persistent threat (APT) group used the legitimate Cobra DocGuard software to carry out a supply chain attack with the goal of deploying the Korplug backdoor (aka PlugX) onto victim computers. In the course of this attack, the attackers used malware signed with a legitimate Microsoft certificate. Most of the victims in this campaign are based in Hong Kong, with some victims based in other regions of Asia. Korplug is known to be used by multiple APT groups, but we could not link this activity to a known threat actor so we have given the actor behind this activity a new name — Carderbee.

Tools Used 2

Cobra DocGuard PlugX

Reports & References 1

https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/carderbee-software-supply-chain-certificate-abuse

ETDA Profile

Carderbee

Origin

China

First Seen 2023

Motivation

Information theft and espionage

View on ETDA APT Groups ↗