Carderbee Hackers Abuse Microsoft Signing Keys in Supply Chain Attacks

Security hero image

Key takeaways:

  • The Carderbee hacking group employed a novel supply chain attack, leveraging legitimate software to infiltrate around 100 computers with the malicious PlugX backdoor.
  • The attackers managed to compromise Microsoft’s digital keys to sign their rootkit malware and gain access to enterprise networks.
  • The attack showcased a high level of strategic planning, with Carderbee selectively deploying their payload on only a fraction of compromised computers.

Security researchers have exposed a new supply chain attack that targeted entities across Asia, with a particular focus on Hong Kong. An unidentified hacking group, named Carderbee, employed an ingenious tactic — exploiting legitimate software — to infect around 100 computers with the PlugX/Korplug backdoor.

According to the Symantec Threat Hunter Team, the hackers hijacked Microsoft’s digital keys to sign the rootkit malware. They used a compromised version of Cobra DocGuard to gain access to victims’ corporate networks. The tool is developed by EsafeNet and it allows users to encrypt and decrypt applications to prevent tampering.

Then, the hacking group delivered the signed version of the PlugX backdoor (also known as Korplug) to Cobra DocGuard customers. The backdoor allowed the attackers to run commands, enumerate files and run processes, download files, open firewall ports, as well as log keystrokes.

“It seems clear that the attackers behind this activity are patient and skilled actors,” Symantec researchers wrote. “They leverage both a supply chain attack and signed malware to carry out their activity in an attempt to stay under the radar. The fact that they appear to only deploy their payload on a handful of the computers they gain access to also points to a certain amount of planning and reconnaissance on behalf of the attackers behind this activity.”

The security researchers identified the malicious activity on around 100 computers. However, it’s important to note that the Cobra DocGuard software was installed on approximately 2000 systems. This means that the payloads were delivered to select victims within targeted organizations.

How to protect organizations against supply chain attacks

It’s not the first time that Carderbee has used Microsoft certificates to sign its malware. Last month, Sophos disclosed 100 malicious drivers that were digitally signed by Microsoft via its hardware compatibility program. Meanwhile, Microsoft suspended several developer accounts involved in obtaining signed malicious drivers and added them to a block list.

Security researchers recommend that organizations should monitor malicious activities and block all suspicious applications. They should also implement zero-trust policies and network segmentation to reduce their overall attack surface. This approach can help to prevent lateral movement that can infect the entire corporate network.