China-Linked Hackers Compromise ISP to Deploy Malicious Software Updates

Aug 05, 2024 | Ravie Lakshmanan | Browser Security / Windows Security

The China-linked threat actor known as Evasive Panda compromised an unnamed internet service provider (ISP) to push malicious software updates to target organizations in mid-2023, an incident that shows a new level of sophistication from the group.

Evasive Panda, also tracked as Bronze Highland, Daggerfly, and StormBamboo, is a cyber espionage group that has been active since at least 2012. It uses backdoors such as MgBot (also known as POCOSTICK) and Nightdoor (also known as NetMM and Suzafk) to harvest sensitive information from its victims.

Recent findings have also attributed to the group the use of a macOS malware strain called MACMA, which has been observed in the wild since 2021.

“StormBamboo is a proficient and assertive threat actor that infiltrates intermediaries (such as ISPs) to access desired targets,” Volexity said in a report published last week.

“The array of malware types employed in different campaigns by this group signifies substantial dedication, with continuously updated payloads not limited to macOS and Windows but also encompassing network gadgets.”

Public reporting from ESET and Symantec over the past two years has documented Evasive Panda's use of MgBot and its history of targeting Tibetan users through watering hole and supply chain attacks.

The group has also been observed targeting an international non-governmental organization (NGO) in Mainland China, delivering MgBot through the update channels of legitimate applications such as Tencent QQ.

Malicious Software Updates

While it was initially suspected that either Tencent QQ's update servers had been compromised or that an adversary-in-the-middle (AitM) attack was responsible for the tainted updates, Volexity's investigation confirmed the latter: a DNS poisoning attack carried out at the ISP level.

Specifically, the threat actor alters DNS responses for specific domains tied to automatic software update mechanisms, targeting software that fetches its updates insecurely (for example over plain HTTP) or that does not adequately verify the integrity of the downloaded installers.

“It was identified that StormBamboo manipulated DNS requests to disperse malware via an HTTP automatic update system and manipulated responses for legitimate hostnames utilized as auxiliary command-and-control (C2) servers,” researchers Ankur Saini, Paul Rascagneres, Steven Adair, and Thomas Lancaster said.

The attack chains are relatively simple: the insecure update mechanisms are abused to deliver either MgBot or MACMA, depending on the victim's operating system. Volexity said it notified the ISP in question so that the DNS poisoning could be remediated.
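The two conditions the paragraphs above describe (an update check that trusts whatever host DNS names, and no integrity check on what comes back) are easiest to see side by side. The following is an added example written for this page; it is not code from Volexity, from the affected vendors, or from the malware. It models the network as in-memory dictionaries: an honest resolver and a poisoned one, a vendor server and an attacker server, and two update clients. Hostnames, addresses and payload bytes are constructed, and the Lamport one-time signature is a standard-library stand-in for the Ed25519 or RSA signature a real updater would pin.

```python
"""Toy model of ISP-level DNS poisoning against an HTTP auto-updater.
A poisoned resolver steers the update check to an attacker host. The vulnerable
client installs whatever it is served; the hardened client pins the publisher's
verification key, checks the manifest signature and the payload hash, and rejects
the redirected update. Hosts, addresses, payloads and keys are constructed."""
import hashlib
import json
import os

UPDATE_HOST = "update.vendor.example"          # hypothetical vendor update host
VENDOR_IP = "203.0.113.10"                     # RFC 5737 documentation addresses
ATTACKER_IP = "198.51.100.66"
GENUINE_INSTALLER = b"GENUINE_INSTALLER_v2.0"  # stand-in for the real update
MALICIOUS_INSTALLER = b"TROJANIZED_INSTALLER"  # stand-in for the attacker's build


class UpdateRejected(Exception):
    pass

# ---- Constructed network: two resolvers and the content each IP serves ----
def honest_dns(host):
    return {UPDATE_HOST: VENDOR_IP}[host]

def poisoned_dns(host):
    """What a resolver at the compromised ISP answers for the update host."""
    return ATTACKER_IP if host == UPDATE_HOST else honest_dns(host)

SERVERS = {}  # ip -> {path: bytes}; filled by build_servers()

def http_get(resolver, host, path):
    """Plain HTTP authenticates nothing: the client talks to whichever machine
    the resolver named, so whoever controls DNS chooses the update server."""
    return SERVERS[resolver(host)][path]

# ---- Lamport one-time signature: stdlib-only stand-in for Ed25519 ----
def sha256(data):
    return hashlib.sha256(data).digest()

def lamport_keygen():
    sk = [(os.urandom(32), os.urandom(32)) for _ in range(256)]
    pk = [(sha256(a), sha256(b)) for a, b in sk]
    return sk, pk

def _bits(msg):
    d = sha256(msg)
    return [(d[i // 8] >> (7 - i % 8)) & 1 for i in range(256)]

def lamport_sign(sk, msg):
    # One-time: reusing a key for a second message leaks enough to forge.
    return [sk[i][bit] for i, bit in enumerate(_bits(msg))]

def lamport_verify(pk, msg, sig):
    if len(sig) != 256:
        return False
    return all(sha256(s) == pk[i][bit]
               for i, (s, bit) in enumerate(zip(sig, _bits(msg))))

def publish(sk, installer, path="/installer.bin"):
    """Files an update server hosts: manifest, detached signature, payload."""
    manifest = json.dumps({"version": "2.0", "path": path,
                           "sha256": hashlib.sha256(installer).hexdigest()}).encode()
    sig = json.dumps([s.hex() for s in lamport_sign(sk, manifest)]).encode()
    return {"/manifest.json": manifest, "/manifest.sig": sig, path: installer}

VENDOR_SK, VENDOR_PK = lamport_keygen()  # VENDOR_PK ships pinned inside the client
ATTACKER_SK, _ = lamport_keygen()        # the attacker can sign, just not as the vendor

def build_servers():
    SERVERS.clear()
    SERVERS[VENDOR_IP] = publish(VENDOR_SK, GENUINE_INSTALLER)
    SERVERS[ATTACKER_IP] = publish(ATTACKER_SK, MALICIOUS_INSTALLER)
    return SERVERS

build_servers()

def vulnerable_update(resolver):
    """HTTP auto-update with no integrity check: installs whatever arrives."""
    manifest = json.loads(http_get(resolver, UPDATE_HOST, "/manifest.json"))
    return http_get(resolver, UPDATE_HOST, manifest["path"])

def hardened_update(resolver, pinned_pk=VENDOR_PK):
    """Same transport, but the manifest must verify under the pinned key and the
    payload must match the signed hash, so a poisoned resolver installs nothing."""
    raw = http_get(resolver, UPDATE_HOST, "/manifest.json")
    sig = [bytes.fromhex(h) for h in
           json.loads(http_get(resolver, UPDATE_HOST, "/manifest.sig"))]
    if not lamport_verify(pinned_pk, raw, sig):
        raise UpdateRejected("manifest signature does not verify under the pinned key")
    manifest = json.loads(raw)
    payload = http_get(resolver, UPDATE_HOST, manifest["path"])
    if hashlib.sha256(payload).hexdigest() != manifest["sha256"]:
        raise UpdateRejected("payload hash does not match the signed manifest")
    return payload
```

Calling `vulnerable_update(poisoned_dns)` returns the attacker's installer, while `hardened_update(poisoned_dns)` raises `UpdateRejected`. Note that moving the transport to HTTPS alone would stop this particular redirection, but only the signed manifest plus hash check also covers a compromised mirror or CDN, which is why both are worth having; the signature binds the manifest to the publisher, and the hash binds the payload to the manifest, so an attacker who replays a genuine manifest but swaps the payload is caught by the second check.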

In one case, a Google Chrome extension was installed on a victim's macOS device by modifying Chrome's Secure Preferences file. The extension purports to be a tool that loads a page in Internet Explorer compatibility mode, but its real purpose is to exfiltrate browser cookies to a Google Drive account controlled by the attacker.
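A responder who suspects this kind of persistence will want to inventory the extensions recorded in Chrome's Secure Preferences rather than trust the extensions page in the browser. The script below is an added example written for this page, not a Volexity tool; the sample file it parses is constructed. Field names (`extensions.settings.<id>`, `from_webstore`, `location`, `path`, `manifest`) follow the layout of the real file, and the numeric `location` codes are assumed to match Chromium's `ManifestLocation` enum (1 = INTERNAL, 4 = UNPACKED, 5 = COMPONENT, 8 = COMMAND_LINE, 10 = EXTERNAL_COMPONENT). Chrome also protects this file with per-key HMACs under `protection.macs`; the script only inventories and does not validate those.

```python
"""Inventory a Chrome 'Secure Preferences' file and flag extensions that look
sideloaded or able to read cookies. The sample below is constructed; the
location codes are an assumption taken from Chromium's ManifestLocation enum."""
import json
import os

# Default location of the file for the first profile on macOS.
MACOS_SECURE_PREFS = os.path.expanduser(
    "~/Library/Application Support/Google/Chrome/Default/Secure Preferences")

SIDELOADED_LOCATIONS = {4, 8}   # assumption: UNPACKED, COMMAND_LINE
BUILTIN_LOCATIONS = {5, 10}     # assumption: COMPONENT, EXTERNAL_COMPONENT
COOKIE_PERMISSIONS = {"cookies", "<all_urls>", "webRequest", "webRequestBlocking"}

# Constructed sample: one Web Store extension, one sideloaded cookie stealer,
# one built-in component extension.
SAMPLE_SECURE_PREFERENCES = json.dumps({
    "extensions": {"settings": {
        "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa": {
            "location": 1, "from_webstore": True,
            "path": "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa/1.2_0",
            "manifest": {"name": "Benign Store Extension", "version": "1.2",
                         "permissions": ["storage"]}},
        "bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb": {
            "location": 4, "from_webstore": False,
            "path": "/Users/victim/Library/Application Support/.hidden/iecompat",
            "manifest": {"name": "IE Compatibility Mode", "version": "1.0",
                         "permissions": ["cookies", "tabs", "<all_urls>"]}},
        "cccccccccccccccccccccccccccccccc": {
            "location": 5, "from_webstore": False, "path": "cloudprint",
            "manifest": {"name": "Component Extension", "version": "0.1",
                         "permissions": ["storage"]}},
    }},
    "protection": {"macs": {}, "super_mac": ""},
})


def triage_extensions(secure_prefs_text):
    """Return findings for extensions that deserve a closer look."""
    prefs = json.loads(secure_prefs_text)
    settings = prefs.get("extensions", {}).get("settings", {})
    findings = []
    for ext_id, ext in settings.items():
        manifest = ext.get("manifest", {})
        location = ext.get("location")
        if location in BUILTIN_LOCATIONS:
            continue                                   # part of Chrome itself
        perms = (set(manifest.get("permissions", []))
                 | set(manifest.get("host_permissions", [])))   # MV2 and MV3 layouts
        reasons = []
        if not ext.get("from_webstore", False):
            reasons.append("not installed from the Chrome Web Store")
        if location in SIDELOADED_LOCATIONS or os.path.isabs(ext.get("path", "")):
            reasons.append("loaded unpacked from %s" % ext.get("path"))
        hit = sorted(perms & COOKIE_PERMISSIONS)
        if hit:
            reasons.append("can read cookies/traffic via %s" % ", ".join(hit))
        if reasons:
            findings.append({"id": ext_id, "name": manifest.get("name"),
                             "version": manifest.get("version"),
                             "path": ext.get("path"), "reasons": reasons})
    return findings


def triage_file(path=MACOS_SECURE_PREFS):
    """Run the triage against a real profile, e.g. from a mounted disk image."""
    with open(path, encoding="utf-8") as fh:
        return triage_extensions(fh.read())
```

On the constructed sample, only the "IE Compatibility Mode" entry is reported, with three reasons: it is not from the Web Store, it is loaded unpacked from an absolute path under the user's profile, and it holds `cookies` and `<all_urls>`. Web Store extensions normally have a relative `path` of the form `<id>/<version>`, so an absolute path is a useful signal on its own even when the `location` code is unfamiliar.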

“The attacker can intercept DNS requests and manipulate them with malicious IP addresses, utilizing this method to exploit unsecured automatic update mechanisms that rely on HTTP instead of HTTPS,” the researchers said.
