Carderbee

Threat Actor updated 7 months ago (2024-05-04T21:17:45.442Z)
Carderbee is a previously unknown advanced persistent threat (APT) group identified by the Symantec Threat Hunter Team as the actor behind a series of supply chain attacks against organizations in Hong Kong and other regions of Asia. The group trojanized the software update file of Cobra DocGuard, a legitimate product of the Chinese firm EsafeNet, and used it to deliver the widely used Korplug backdoor (also known as PlugX) to victims' networks. The malware was signed with a legitimate Microsoft certificate, which made it harder to detect and block. The campaign fits a pattern of high-profile supply chain attacks across multiple sectors over the past year, including the MOVEit, X_Trader, and 3CX incidents. Although Carderbee's tooling and targeting resemble those of known China-based adversaries, notably the use of Korplug/PlugX and the focus on Hong Kong, there is not enough evidence to link the group to any known actor or nation-state, and Symantec has not attributed its operations to any particular country. Open questions include which sectors the group specifically targets and whether it is connected to other threat actors such as Budworm.
Description last updated: 2024-05-04T20:26:21.504Z
Possible Aliases / Cluster overlaps
Cluster overlaps and naming conventions between vendors are hard to track, so the following names and profiles may describe the same activity and are worth reviewing alongside this one.
Alias | Description | Votes
Cobra Docguard is a possible alias for Carderbee. Cobra DocGuard, a software produced by Chinese firm EsafeNet for protecting, encrypting, and decrypting software, has been exploited in a series of malware attacks. The attackers compromised the software's update files to deliver malicious updates that infected targeted systems. The first known inst
3
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Apt
Symantec
Chinese
Malware
Backdoor
Associated Malware
Alias | Description | Association Type | Votes
The Cobra Malware is associated with Carderbee. Cobra is a type of malware, short for malicious software, designed to exploit and damage computer systems or devices. It can infiltrate systems through suspicious downloads, emails, or websites, often unbeknownst to the user. Once inside, Cobra has the potential to steal personal information, disrup | Unspecified
3