In a recent supply chain infiltration aimed at implanting the Korplug backdoor (also known as PlugX) into targeted systems, an unidentified APT group has been observed leveraging the “Cobra DocGuard” software.
Cobra DocGuard, developed by the Chinese company “EsafeNet,” serves as a legitimate software solution for managing Consolidated Omnibus Budget Reconciliation Act documents.
Symantec cybersecurity experts uncovered that the perpetrators associated with this APT group, dubbed “Carderbee,” employed a valid Microsoft certificate to sign their malicious software.
As outlined in a report disclosed to Cyber Security News, the primary targets of this supply chain attack were predominantly located in Hong Kong, with additional victims scattered across various Asian regions.
The Attack Sequence Earlier in April 2023, Symantec’s Threat Hunter Team stumbled upon a signed version of Korplug; however, attribution to Budworm (also known as LuckyMouse or APT27) couldn’t be confirmed at the time.
While multiple APT groups, such as APT41 and Budworm, are known to utilize the Korplug backdoor, researchers have yet to pinpoint their specific industry targets, only identifying their geographical presence.
During this recent campaign, around 100 computers within affected organizations exhibited signs of malicious activity. Notably, while Cobra DocGuard was present on 2,000 computers, the focus appears to have been on targeted payload delivery.
The infection’s localization on computers strongly suggests either a supply chain breach or a malicious setup of Cobra DocGuard as the means of compromise.
Throughout 2023, numerous malware strains surfaced via this vector. Noteworthy is a Microsoft-signed downloader installing the Korplug backdoor from the following URL:
http://cdn.stream-amazon[.]com/update.zip
The aforementioned .zip file, a Zlib archive, decompresses and executes content.dll, functioning as a dropper for x64 and x86 drivers depending on the system’s architecture.
Capabilities of the Korplug Sample The Korplug sample detected exhibited the following functionalities:
- Execute commands via cmd
- Enumerate files
- Check running processes
- Download files
- Open firewall ports
- Act as a keylogger
Indicators Of Compromise
SHA256 File Hashes:
- 96170614bbd02223dc79cec12afb6b11004c8edb8f3de91f78a6fc54d0844622
- 19a6a404605be964ab87905d59402e2890460709a1d9038c66b3fbeedc1a2343
- 1ff7b55dde007b7909f43dd47692f7c171caa2897d663eb9db01001062b1fe9d
- 2400d8e66c652f4f8a13c99a5ffb67cb5c0510144b30e93122b1809b58614936
- 2f714aaf9e3e3e03e8168fe5e22ba6d8c1b04cbfa3d37ff389e9f1568a80cad4
- 47b660bbaacb2a602640b5e2c589a3adc620a0bfc9f0ecfb8d813a803d7b75e2
- 5467e163621698b38c2ba82372bac110cea4121d7c1cec096958a4d9eaa44be7
- 7e6d0f14302662f52e4379eb5b69a3749d8597e8f61266aeda74611258972a3d
- 85fc7628c5c7190f25da7a2c7ee16fc2ad581e1b0b07ba4ac33cff4c6e94c8af
- 8bd40da84c8fa5f6f8e058ae7e36e1023aca1b9a9c8379704934a077080da76f
- 8ca135b2f4df6a714b56c1a47ac5baa80a11c6a4fcc1d84a047d77da1628f53f
- 9e96f70ce312f2638a99cfbd3820e85798c0103c7dc06fe0182523e3bf1e2805
- 9fc49d9f4b922112c2bafe3f1181de6540d94f901b823e11c008f6d1b2de218c
- b5159f8ae16deda7aa5d55100a0eac6e5dacd1f6502689b543513a742353d1ea
- b7b8ea25786f8e82aabe4a4385c6142d9afe03f090d1433d0dc6d4d6ccc27510
- b84f68ab098ce43f9cb363d0a20a2267e7130078d3d2d8408bfb32bbca95ca37
- f64267decaa982c63185d92e028f52c31c036e85b2731a6e0bccdb8f7b646e97