Carderbee APT Group and SEP coverage

Article ID: 272194

Updated On:

Products

Endpoint Protection

Issue/Introduction

Carderbee APT Group and SEP coverage 

Environment

Release: Symantec Endpoint Protection 14.3.* 

Cause

A previously unknown advanced persistent threat (APT) group, dubbed Carderbee, used the legitimate Cobra DocGuard software to carry out a supply chain attack aimed at deploying the Korplug backdoor (also known as PlugX) on victim computers. During this attack, the attackers used malware signed with a legitimate Microsoft certificate. Most of the victims in this campaign are based in Hong Kong, with some in other regions of Asia.
Read more in our blog: Carderbee: APT Group uses Legit Software in Supply Chain Attack Targeting Orgs in Hong

Resolution

Symantec protects you from this threat, identified by the following:

  1. Behavior-based
    AGR.Terminate!g2
    SONAR.TCP!gen6
  2. File-based
    Downloader
    Hacktool
    Trojan Horse
    Trojan.Dropper
    Trojan.Gen.MBT
    WS.Malware.2
  3. Machine Learning-based
    Heur.AdvML.A!300
    Heur.AdvML.A!400
    Heur.AdvML.A!500
    Heur.AdvML.B
    Heur.AdvML.B!100
    Heur.AdvML.B!200
    Heur.AdvML.C
  4. Web-based
    Observed domains/IPs are covered under security categories in all WebPulse enabled products