Carderbee

Threat Actor updated 4 months ago (2024-05-04T21:17:45.442Z)
Carderbee, a previously unknown Advanced Persistent Threat (APT) group, has been identified as the perpetrator behind a series of supply chain attacks against organizations in Hong Kong and other regions in Asia. The Symantec Threat Hunter Team reported that Carderbee used a malware-laced version of Cobra DocGuard, legitimate software produced by the Chinese firm EsafeNet, to gain access to victims' networks. The attack compromised the Cobra DocGuard software update file in order to deploy the widely used Korplug backdoor. Carderbee was also found to be signing malware with a legitimate Microsoft certificate, which further complicates detection and mitigation. This activity fits an ongoing trend of high-profile supply chain attacks across various sectors over the past year, including the MOVEit, X_Trader, and 3CX attacks. Despite similarities between Carderbee's activity and that of other known China-backed adversaries, there is not enough evidence to definitively link this group to any known actor or nation-state. Several critical questions about Carderbee remain unanswered, including which specific sectors the group targets and whether it is linked to other threat actors such as Budworm. While Carderbee's tactics resemble those typically employed by Chinese state-sponsored threat actors, especially the use of PlugX malware and the focus on Hong Kong targets, Symantec has yet to officially attribute Carderbee's operations to any particular country.
Description last updated: 2024-05-04T20:26:21.504Z
Possible Aliases / Cluster overlaps
It is hard to track cluster overlaps and naming conventions between vendors, so here are some possibly overlapping names and profiles you may also want to look at.
ID | Votes | Profile Description
Cobra Docguard | 3 | Cobra DocGuard, a software produced by Chinese firm EsafeNet for protecting, encrypting, and decrypting software, has been exploited in a series of malware attacks. The attackers compromised the software's update files to deliver malicious updates that infected targeted systems. The first known inst
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Apt
Symantec
Chinese
Malware
Backdoor
Associated Malware
ID | Type | Votes | Profile Description
Cobra | Unspecified | 3 | Cobra is a type of malware, short for malicious software, designed to exploit and damage computer systems or devices. It can infiltrate systems through suspicious downloads, emails, or websites, often unbeknownst to the user. Once inside, Cobra has the potential to steal personal information, disrup
Source Document References
Information about the Carderbee Threat Actor was read from the documents corpus below. This display is limited to 20 results.
Source | Created | Title
CERT-EU | a year ago | China-Linked ‘Redfly’ Group Targeted Power Grid
CERT-EU | a year ago | Carderbee Hacking Group Uses Legitimate Software in Supply Chain Attack
Securityaffairs | a year ago | Carderbee APT targets Hong Kong orgs via supply chain attacks
CERT-EU | a year ago | Carderbee: APT Group use Legit Software in Supply Chain Attack Targeting Orgs in Hong Kong
CERT-EU | a year ago | Previously unknown hacking group targets Hong Kong organizations in supply chain cyberattack
CERT-EU | a year ago | Chinese APT Targets Hong Kong in Supply Chain Attack
CERT-EU | a year ago | New ‘Carderbee’ APT Targeted Chinese Security Software in Supply Chain Attack
CERT-EU | a year ago | The latest cyberattacks (29 August 2023) • Cybersécurité
CERT-EU | a year ago | Cyber Security Week in Review: August 25, 2023
CERT-EU | a year ago | Years into these games’ histories, attackers are still creating “Fortnite” and “Roblox”-related scams
CERT-EU | a year ago | FBI: Patches for Recent Barracuda ESG Zero-Day Ineffective
BankInfoSecurity | a year ago | Threat Actor Targets Hong Kong With Korplug Backdoor
CERT-EU | a year ago | Novel Carderbee supply chain attack impacts Asian organizations
CERT-EU | a year ago | New 'Carderbee' APT Targeted Chinese Security Software in Supply Chain Attack | Antivirus and Security news
InfoSecurity-magazine | a year ago | New Chinese APT Group Launches Supply Chain Attacks