Carderbee: APT Group use Legit Software in Supply Chain Attack Targeting Orgs in Hong Kong

MITRE Techniques

• [T1195] Supply Chain Compromise – Used Cobra DocGuard software to carry out a supply chain attack with the goal of deploying the Korplug backdoor onto victim computers. “A previously unknown advanced persistent threat (APT) group used the legitimate Cobra DocGuard software to carry out a supply chain attack with the goal of deploying the Korplug backdoor (aka PlugX) onto victim computers.”
• [T1218] Signed Binary Proxy Execution – Used a downloader signed with a legitimate Microsoft certificate to install Korplug. “a downloader deployed by the attackers had a digitally signed certificate from Microsoft, called Microsoft Windows Hardware Compatibility Publisher.”
• [T1105] Ingress Tool Transfer – Downloader downloaded update.zip from a remote location to install the dropper. “The downloader attempted to download a file named update.zip from the following location: http://cdn.stream-amazon[.]com/update.zip.” The update.zip file is a zlib compressed archive file. It decompresses and executes a file named content.dll.
• [T1543.003] Create or Modify System Process: Windows Service – The dropper creates services and registry entries. “The dropper creates services and registry entries.”
• [T1055] Process Injection – The payload is injected into svchost.exe. “The dropped drivers read encrypted data from the registry, decrypt it, and inject it into svchost.exe.”
• [T1012] Query Registry – The dropper reads encrypted data from the registry to decrypt payload. “The dropped drivers read encrypted data from the registry, decrypt it, and inject it into svchost.exe.”
• [T1562.004] Impair Defenses: Modify Firewall – The Korplug payload opens firewall ports. “Open firewall ports.”
• [T1036] Masquerading – The use of a magic header ‘ESET’ to bypass ESET products. “magic header “ESET”, indicating that it may have been modified to try to bypass ESET products.”
• [T1027] Obfuscated/Compressed Files and Information – The update.zip is a zlib compressed archive; it decompresses and executes content.dll. “The update.zip file is a zlib compressed archive file. It decompresses and executes a file named content.dll.”
• [T1059.003] Command and Scripting Interpreter – The Korplug backdoor can execute commands via cmd. “Execute commands via cmd”
• [T1083] File and Directory Discovery – The backdoor can enumerate files. “Enumerate files”
• [T1056.001] Keylogging – The backdoor can act as a keylogger. “Act as a keylogger”