Cobra Docguard

Malware updated 4 months ago (2024-05-04T21:17:33.711Z)
Cobra DocGuard, a product of the Chinese firm EsafeNet for protecting, encrypting, and decrypting software, has been abused in a series of malware attacks. The attackers compromised the software's update files to deliver malicious updates that infected targeted systems. The first known instance of this approach occurred in September 2022, when a Hong Kong-based gambling company was targeted by a China-linked hacking group known as LuckyMouse (also tracked as APT27, Emissary Panda, and Bronze Union). In some of these attacks, Cobra DocGuard was used together with another malware family, PlugX (also known as Korplug). During the campaign a compromised version of Cobra DocGuard was installed on approximately 2,000 computers, but active malicious activity was observed on only around 100 machines within the affected organizations, suggesting that the attackers were selectively targeting specific victims. The attack chain delivered the malicious Cobra DocGuard version to a specific location on the infected computers. Most victims were based in Hong Kong, with others scattered across Asia. Although researchers know that Cobra DocGuard was exploited, they remain uncertain how the attackers gained access to the client software to use it in this manner. The previously unknown actors behind this campaign have been dubbed "Carderbee" by the Symantec Threat Hunter Team, part of Broadcom, which noted that Carderbee compromised a Cobra DocGuard software update file with the aim of deploying the Korplug backdoor. In a related development, EclecticIQ reported that the compromised Cobra DocGuard web server hosted a Go-based backdoor known as "ChargeWeapon". This is not the first time that threat actors have used Cobra DocGuard in a supply chain campaign, raising concerns about the security of the software and the potential for its continued exploitation.
Description last updated: 2024-05-04T20:26:27.049Z
Possible Aliases / Cluster overlaps
It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at.
Name | Votes | Profile description
Cobra | 3 | Cobra is a type of malware, short for malicious software, designed to exploit and damage computer systems or devices. It can infiltrate systems through suspicious downloads, emails, or websites, often unbeknownst to the user. Once inside, Cobra has the potential to steal personal information, disrup
Carderbee | 3 | Carderbee, a previously unknown Advanced Persistent Threat (APT) group, has been identified as the perpetrator behind a series of supply chain attacks against organizations in Hong Kong and other regions in Asia. The Symantec Threat Hunter Team reported that Carderbee used a malware-infused version
Emissary Panda | 2 | Emissary Panda, also known as APT27, Iron Tiger, Bronze Union, Lucky Mouse, and Budworm, is a notable threat actor linked to China. This group has been engaged in the theft of intellectual property from organizations in sectors that China perceives as being of vital strategic interest. The group has
Korplug | 2 | Korplug, also known as PlugX, is a type of malware developed and utilized by the China-aligned Advanced Persistent Threat (APT) group, Mustang Panda. This malicious software is designed to infiltrate computer systems without detection, often through suspicious downloads, emails, or websites. Once in
LuckyMouse | 2 | LuckyMouse, also known as Budworm, Emissary Panda, and APT27, is a threat actor that has been involved in several high-profile cyber-espionage activities. The group has demonstrated its ability to develop and deploy advanced cyber tools, targeting various operating systems including MacOS, Linux, an
APT27 | 2 | APT27, also known as Iron Taurus, is a threat actor group suspected to be attributed to China. Engaging in cyber operations with the primary goal of intellectual property theft, APT27 targets organizations globally, with a focus on North and South America, Europe, and the Middle East. The group's mo
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Malware
Backdoor
Symantec
Apt
Encrypt
Chinese
Source Document References
Information about the Cobra DocGuard malware was read from the document corpus below. This display is limited to 20 results.
Source | Created | Title
CERT-EU | a year ago | Cyber Security Week in Review: August 25, 2023
CERT-EU | a year ago | Chinese State-Sponsored Cyber Espionage Activity Targeting Semiconductor Industry in East Asia
CERT-EU | a year ago | Years into these games' histories, attackers are still creating "Fortnite" and "Roblox"-related scams
CERT-EU | a year ago | Previously unknown hacking group targets Hong Kong organizations in supply chain cyberattack
Securityaffairs | a year ago | Carderbee APT targets Hong Kong orgs via supply chain attacks
InfoSecurity-magazine | a year ago | New Chinese APT Group Launches Supply Chain Attacks
CERT-EU | a year ago | Carderbee Hacking Group Uses Legitimate Software in Supply Chain Attack
CERT-EU | a year ago | New 'Carderbee' APT Targeted Chinese Security Software in Supply Chain Attack
CERT-EU | a year ago | Chinese APT Targets Hong Kong in Supply Chain Attack
CERT-EU | a year ago | The Week in Security: WinRAR exploit targets traders, malicious npm packages go after game devs
BankInfoSecurity | a year ago | Threat Actor Targets Hong Kong With Korplug Backdoor
CERT-EU | a year ago | Novel Carderbee supply chain attack impacts Asian organizations
CERT-EU | a year ago | Carderbee: APT Group use Legit Software in Supply Chain Attack Targeting Orgs in Hong Kong
CERT-EU | a year ago | Chinese Hackers Attacking Semiconductor Industries using Cobalt Strike beacon
CERT-EU | a year ago | Semiconductor firms targeted by Chinese hackers
CERT-EU | a year ago | China-linked cyberspies backdoor semiconductor firms with Cobalt Strike