Carderbee

Description

(Symantec) A previously unknown advanced persistent threat (APT) group used the legitimate Cobra DocGuard software to carry out a supply chain attack with the goal of deploying the Korplug backdoor (aka PlugX) onto victim computers.

In the course of this attack, the attackers used malware signed with a legitimate Microsoft certificate. Most of the victims in this campaign are based in Hong Kong, with some victims based in other regions of Asia.

Korplug is known to be used by multiple APT groups, but we could not link this activity to a known threat actor, so we have given the actor behind this activity a new name — Carderbee.

Names

Name        Name-Giver
Carderbee   Symantec

Country

Motivation

  • Information theft and espionage

First Seen

2023

Observed Countries

Tools

Information

Other Information

Uuid

15acd737-0ced-4e06-a285-42e1390d5452

Last Card Change

2023-09-06