Cobra Docguard

Malware updated 7 months ago (2024-05-04T21:17:33.711Z)
Download STIX
Preview STIX
Cobra DocGuard, a software produced by Chinese firm EsafeNet for protecting, encrypting, and decrypting software, has been exploited in a series of malware attacks. The attackers compromised the software's update files to deliver malicious updates that infected targeted systems. The first known instance of this strategy occurred in September 2022 when a Hong Kong-based gambling company was targeted by a Chinese-linked hacking effort known as LuckyMouse (also tracked as APT27, Emissary Panda, and Bronze Union). Additionally, Cobra DocGuard was used in combination with another malware called PlugX, or Korplug, in some of these attacks. The malware campaign saw the installation of a compromised version of Cobra DocGuard on approximately 2,000 computers, but active malicious activity was only observed on around 100 machines within impacted organizations. This suggests that the attackers were selectively targeting specific victims. The attack chain involved the delivery of the malicious Cobra DocGuard version to a specific location on the infected computers. While most victims were based in Hong Kong, others were scattered across Asia. Despite knowing that Cobra DocGuard was exploited, researchers are still uncertain how the attackers gained access to the client software to use it in this manner. The unknown actors behind this campaign have been dubbed "Carderbee" by the Symantec Threat Hunter Team, part of Broadcom. They noted that Carderbee compromised a Cobra DocGuard software update file with the aim of deploying the Korplug backdoor. In a related development, EclecticIQ reported that the compromised Cobra DocGuard web server hosted a GO-based backdoor known as "ChargeWeapon". It is not the first time that threat actors have used Cobra DocGuard in a supply chain campaign, raising concerns about the security of the software and the potential for its continued exploitation.
Description last updated: 2024-05-04T20:26:27.049Z
What's your take? (Question 1 of 5)
Help tune the shared Cybergeist dataset, assist your peers, and earn karma. Expand the panel to get started.
Possible Aliases / Cluster overlaps
It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at. Create a free account to see the source evidence for each alias, and help fix any errors.
Alias DescriptionVotes
Cobra is a possible alias for Cobra Docguard. Cobra is a type of malware, short for malicious software, designed to exploit and damage computer systems or devices. It can infiltrate systems through suspicious downloads, emails, or websites, often unbeknownst to the user. Once inside, Cobra has the potential to steal personal information, disrup
3
Carderbee is a possible alias for Cobra Docguard. Carderbee, a previously unknown Advanced Persistent Threat (APT) group, has been identified as the perpetrator behind a series of supply chain attacks against organizations in Hong Kong and other regions in Asia. The Symantec Threat Hunter Team reported that Carderbee used a malware-infused version
3
Emissary Panda is a possible alias for Cobra Docguard. Emissary Panda, also known as APT27, Iron Tiger, Bronze Union, Budworm, Lucky Mouse, and Red Phoenix, is a threat actor linked to China. This group has been involved in cyberespionage activities with the primary goal of stealing intellectual property from organizations in sectors that China perceive
2
Korplug is a possible alias for Cobra Docguard. Korplug, also known as PlugX, is a type of malware developed and utilized by the China-aligned Advanced Persistent Threat (APT) group, Mustang Panda. This malicious software is designed to infiltrate computer systems without detection, often through suspicious downloads, emails, or websites. Once in
2
LuckyMouse is a possible alias for Cobra Docguard. LuckyMouse, also known as Budworm, Emissary Panda, and APT27, is a threat actor that has been involved in several high-profile cyber-espionage activities. The group has demonstrated its ability to develop and deploy advanced cyber tools, targeting various operating systems including MacOS, Linux, an
2
APT27 is a possible alias for Cobra Docguard. APT27, also known as Emissary Panda or Iron Taurus, is a threat actor suspected to be associated with China and has been involved in cyber operations primarily aimed at intellectual property theft. The group targets organizations globally, including those in North and South America, Europe, and the
2
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Malware
Backdoor
Symantec
Apt
Encrypt
Chinese
Analyst Notes & Discussion
Be the first to leave your mark here! Log in to share your views and vote.
Source Document References
Information about the Cobra Docguard Malware was read from the documents corpus below. This display is limited to 20 results, create a free account to see more
PreviewSource LinkCreatedAtTitle
CERT-EU
a year ago
CERT-EU
a year ago
CERT-EU
a year ago
CERT-EU
a year ago
Securityaffairs
a year ago
InfoSecurity-magazine
a year ago
CERT-EU
a year ago
CERT-EU
a year ago
CERT-EU
a year ago
CERT-EU
a year ago
BankInfoSecurity
a year ago
CERT-EU
a year ago
CERT-EU
a year ago
CERT-EU
a year ago
CERT-EU
a year ago
CERT-EU
a year ago