StormBamboo Compromises ISP to Spread Malware via Updates – Uplaza

New research from cybersecurity firm Volexity revealed details about a highly sophisticated attack deployed by a Chinese-speaking cyberespionage threat actor named StormBamboo.

StormBamboo compromised an ISP and modified some of the DNS answers returned to systems requesting legitimate software updates. Multiple software vendors were targeted. The altered responses led to malicious payloads being served by StormBamboo alongside the legitimate update files. The payloads targeted both macOS and Microsoft Windows operating systems.

Who is StormBamboo?

StormBamboo, also known as Evasive Panda, Daggerfly, or Bronze Highland, is a China-aligned cyberespionage threat actor active since at least 2012. The Chinese-speaking group has targeted many organizations worldwide whose activities align with Chinese interests.

Over time, the group has targeted individuals in mainland China, Hong Kong, Macao, and Nigeria. It has also targeted entities, including governments, in Southeast Asia, East Asia, the U.S., India, and Australia.

The group has a long history of compromising legitimate infrastructure to infect its targets with custom malware developed for Microsoft Windows and macOS. It has deployed watering hole attacks, which consist of compromising a specific website in order to target its visitors and infect them with malware.

StormBamboo is also capable of running supply chain attacks, such as compromising a software platform, to discreetly infect people with malware.

The group is also capable of targeting Android users.

ISP compromised, DNS responses poisoned

The threat actor managed to compromise a target's ISP infrastructure in order to control the DNS responses sent by that ISP's DNS servers.

DNS servers essentially translate domain names into IP addresses, directing clients to the right site. A plain DNS response carries no authentication, so a client has no way to tell a genuine answer from a forged one. An attacker controlling the server can therefore make computers that request a particular domain name connect to an attacker-controlled IP address instead. That is exactly what StormBamboo did.
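The check a defender can run against this kind of poisoning is to resolve the update hostnames through a resolver that does not go through the ISP's recursive servers (a DoH resolver, for instance) and compare the two sets of answers. The Go program below is an added example, not code from Volexity or from any vendor named in this article: it parses raw DNS responses, including the name-compression pointers that resolvers emit for every answer, and flags ISP answers that the reference resolver never returned. The hostname updates.example.com and the addresses 203.0.113.x and 198.51.100.7 are constructed placeholders from the documentation ranges, and the responses are assembled in code rather than captured from the wire.

```go
package main

import (
	"encoding/binary"
	"errors"
	"fmt"
	"net"
	"strings"
)

// readName decodes a possibly compressed (RFC 1035 section 4.1.4) name at off and also returns the offset just past it.
func readName(msg []byte, off int) (string, int, error) {
	labels, end := []string(nil), -1
	for hops := 0; hops < 32 && off < len(msg); hops++ { // hop cap defeats pointer loops
		l := int(msg[off])
		switch {
		case l == 0:
			if end < 0 {
				end = off + 1
			}
			return strings.ToLower(strings.Join(labels, ".")), end, nil
		case l&0xC0 == 0xC0 && off+1 < len(msg): // compression pointer
			if end < 0 {
				end = off + 2
			}
			off = int(binary.BigEndian.Uint16(msg[off:]) & 0x3FFF)
		case l < 64 && off+1+l <= len(msg):
			labels = append(labels, string(msg[off+1:off+1+l]))
			off += 1 + l
		}
	}
	return "", 0, errors.New("dns: malformed name")
}

// parseARecords returns the set of "name -> IPv4" answers in a raw DNS response.
func parseARecords(msg []byte) (map[string]bool, error) {
	if len(msg) < 12 {
		return nil, errors.New("dns: short header")
	}
	qd, an := int(binary.BigEndian.Uint16(msg[4:])), int(binary.BigEndian.Uint16(msg[6:]))
	out, off := map[string]bool{}, 12
	for i := 0; i < qd+an; i++ {
		name, next, err := readName(msg, off)
		if err != nil {
			return nil, err
		}
		if i < qd { // question entry: QTYPE + QCLASS, no RDATA
			off = next + 4
			continue
		}
		if next+10 > len(msg) {
			return nil, errors.New("dns: truncated record")
		}
		typ, rdlen := binary.BigEndian.Uint16(msg[next:]), int(binary.BigEndian.Uint16(msg[next+8:]))
		rdata := next + 10
		if rdata+rdlen > len(msg) {
			return nil, errors.New("dns: truncated RDATA")
		}
		if typ == 1 && rdlen == 4 { // TYPE A
			out[name+" -> "+net.IP(msg[rdata:rdata+4]).String()] = true
		}
		off = rdata + rdlen
	}
	return out, nil
}

// divergent lists ISP answers an independent resolver never returned. Not proof of
// poisoning on its own (CDNs rotate addresses), but the cheap first check for update hosts.
func divergent(isp, ref map[string]bool) []string {
	var hits []string
	for pair := range isp {
		if !ref[pair] {
			hits = append(hits, pair)
		}
	}
	return hits
}

// buildResponse fabricates the sample input: one question, then A answers whose owner name is a pointer (0xC00C) to offset 12.
func buildResponse(name string, ips ...string) []byte {
	b := []byte{0x12, 0x34, 0x81, 0x80, 0, 1, 0, byte(len(ips)), 0, 0, 0, 0}
	for _, l := range strings.Split(name, ".") {
		b = append(b, byte(len(l)))
		b = append(b, l...)
	}
	b = append(b, 0, 0, 1, 0, 1) // root label, QTYPE=A, QCLASS=IN
	for _, ip := range ips {
		b = append(b, 0xC0, 0x0C, 0, 1, 0, 1, 0, 0, 0, 60, 0, 4) // TTL 60, RDLEN 4
		b = append(b, net.ParseIP(ip).To4()...)
	}
	return b
}

func main() {
	ref, _ := parseARecords(buildResponse("updates.example.com", "203.0.113.10", "203.0.113.11"))
	isp, _ := parseARecords(buildResponse("updates.example.com", "198.51.100.7"))
	fmt.Println(divergent(isp, ref)) // [updates.example.com -> 198.51.100.7]
}
```

In production the two inputs would be the raw UDP payloads from the ISP resolver and from the reference resolver; a hit should trigger a closer look at the address (ownership, certificate presented, whether it serves the update files) rather than an automatic block, since legitimate vendors do spread updates across several IP ranges.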

While it is not known how the group compromised the ISP, Volexity reported that the ISP rebooted and took various components of its network offline, which immediately stopped the DNS poisoning operation.

The attacker aimed at altering DNS answers for several different legitimate application update websites.


Paul Rascagneres, threat researcher at Volexity and an author of the report, told TechRepublic in a written interview that the company does not know exactly how the threat actors chose the ISP.

“The attackers probably did some research or reconnaissance to identify what is the victim’s ISP,” he wrote. “We don’t know if other ISPs have been compromised; it is complicated to identify it from the outside. StormBamboo is an aggressive threat actor. If this operating mode was a success for them, they could use it on other ISPs for other targets.”

Legitimate update mechanisms abused

Multiple software vendors were targeted by this attack.

Once a user's DNS request reached the compromised DNS server, it answered with an attacker-controlled IP address. The server at that address delivered a real update for the software, but bundled with an attacker's payload.

Attack workflow. Image: Volexity

The Volexity report showed that several software vendors using insecure update workflows were affected, and gave an example with a software product named 5KPlayer.

The software checks for updates to "YoutubeDL" every time it is started. The check is done by requesting a configuration file, which indicates whether a new version is available. If so, the new version is downloaded from a specific URL and executed by the legitimate application. Nothing in that flow authenticates the configuration file or the downloaded package.

With the compromised ISP's DNS, the application is led to a modified configuration file, which indicates that an update is available but delivers a backdoored YoutubeDL package.

The malicious payload is a PNG file containing either MACMA or POCOSTICK/MGBot malware, depending on the operating system requesting the update. MACMA infects macOS, while POCOSTICK/MGBot infects Microsoft Windows.

Malicious payloads

POCOSTICK, also known as MGBot, is custom malware probably developed by StormBamboo, as it has not been used by any other group, according to ESET. The malware has existed since 2012 and consists of several modules enabling keylogging, file theft, clipboard interception, audio stream capture, and cookie and credential theft.

MACMA, for its part, provides keylogging, victim device fingerprinting, and screen and audio capture. It also gives the attacker a command line and has file-theft capabilities. Google first reported MACMA in 2021, when it was being deployed through watering hole attacks.

The attack reported by Google was not attributed to a threat actor, but it targeted visitors of Hong Kong websites belonging to a media outlet and to a prominent pro-democracy labor and political group, according to Google. This aligns with StormBamboo's targeting.

Volexity also noticed significant code similarities between the latest MACMA version and another malware family, GIMMICK, used by the StormCloud threat actor.

Finally, in one case following the compromise of a victim's macOS device, Volexity observed the attacker deploy a malicious Google Chrome extension. Its obfuscated code allows the attacker to exfiltrate the browser's cookies to an attacker-controlled Google Drive account.

How can software vendors protect users from cyber threats?

Rascagneres told TechRepublic that Volexity identified several targeted insecure update mechanisms in different software: 5KPlayer, Quick Heal, Sogou, Rainmeter, Partition Wizard, and Corel.

Asked how to protect and improve update mechanisms at the software vendor level, the researcher insists that “the software editors should enforce HTTPS update mechanism and check the SSL certificate of the website where the updates are downloaded. Additionally, they should sign the updates and check this signature before executing them.”
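The 5KPlayer flow described earlier (fetch a configuration file, download the URL it names, execute the result) and the three controls Rascagneres lists translate into code as follows. This Go program is an added example, not 5KPlayer's, Volexity's, or any vendor's code: the manifest format, the hostname updates.example.com, and the use of Ed25519 for the release signature are assumptions chosen for illustration, and the network is replaced by an in-memory map so that a resolver pointing the vendor's hostname at an attacker's server can be simulated offline. The insecure client executes whatever it is handed; the hardened client refuses an unsigned manifest, refuses a genuine signed manifest whose package has been swapped, and accepts only the honest vendor's update.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"errors"
	"fmt"
	"net/url"
)

// Manifest is a hypothetical config document; the real 5KPlayer/YoutubeDL format is not shown by Volexity.
type Manifest struct {
	URL    string `json:"url"`
	SHA256 string `json:"sha256"` // hex digest of the package bytes
}

// Envelope carries the manifest bytes plus an Ed25519 signature over exactly
// those bytes, made with the vendor's offline release key.
type Envelope struct {
	Manifest json.RawMessage `json:"manifest"`
	Sig      string          `json:"sig"`
}

// Server stands in for the network (URL -> body); with poisoned DNS the attacker fills it in.
type Server map[string][]byte

const cfgURL, pkgURL = "https://updates.example.com/config.json", "https://updates.example.com/pkg.bin" // hypothetical

// insecureUpdate mirrors the 5KPlayer flow on the page: fetch config, download, execute.
func insecureUpdate(s Server, execute func([]byte)) error {
	var m Manifest
	if raw, ok := s[cfgURL]; !ok || json.Unmarshal(raw, &m) != nil {
		return errors.New("config fetch or parse failed")
	}
	if pkg, ok := s[m.URL]; ok {
		execute(pkg) // no transport, origin or signature checks
	}
	return nil
}

// secureUpdate applies the controls Rascagneres lists: HTTPS only (a real http.Client
// then validates the certificate by default; never set InsecureSkipVerify), a manifest
// signed with a key pinned in the client, and a package digest checked before execution.
func secureUpdate(s Server, pub ed25519.PublicKey, execute func([]byte)) error {
	var env Envelope
	if raw, ok := s[cfgURL]; !ok || json.Unmarshal(raw, &env) != nil {
		return errors.New("config fetch or parse failed")
	}
	sig, err := hex.DecodeString(env.Sig)
	if err != nil || !ed25519.Verify(pub, env.Manifest, sig) {
		return errors.New("manifest signature invalid: refusing update")
	}
	var m Manifest
	if err := json.Unmarshal(env.Manifest, &m); err != nil {
		return err
	}
	if u, err := url.Parse(m.URL); err != nil || u.Scheme != "https" {
		return fmt.Errorf("refusing non-HTTPS package URL %q", m.URL)
	}
	pkg, ok := s[m.URL]
	if !ok {
		return errors.New("package fetch failed")
	}
	if sum := sha256.Sum256(pkg); hex.EncodeToString(sum[:]) != m.SHA256 {
		return errors.New("package digest does not match signed manifest")
	}
	execute(pkg)
	return nil
}

// signManifest is the vendor-side step, run at release time with the private key.
func signManifest(priv ed25519.PrivateKey, m Manifest) []byte {
	mb, _ := json.Marshal(m)
	out, _ := json.Marshal(Envelope{Manifest: mb, Sig: hex.EncodeToString(ed25519.Sign(priv, mb))})
	return out
}

// demo runs both clients against an attacker answering for the vendor's hostname, then the honest vendor.
func demo() (insecureRan, secureRan bool, rogueErr, swappedErr, honestErr error) {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	genuine, attacker := []byte("genuine package (constructed)"), []byte("attacker package (constructed)")
	sum := sha256.Sum256(genuine)
	signed := signManifest(priv, Manifest{URL: pkgURL, SHA256: hex.EncodeToString(sum[:])})
	rogueMan := []byte(`{"url":"` + pkgURL + `"}`)
	rogueCfg, _ := json.Marshal(Envelope{Manifest: rogueMan}) // attacker holds no release key, so no valid Sig
	hit := func(flag *bool) func([]byte) { return func(b []byte) { *flag = *flag || string(b) == string(attacker) } }
	_ = insecureUpdate(Server{cfgURL: rogueMan, pkgURL: attacker}, hit(&insecureRan))
	rogueErr = secureUpdate(Server{cfgURL: rogueCfg, pkgURL: attacker}, pub, hit(&secureRan))
	swappedErr = secureUpdate(Server{cfgURL: signed, pkgURL: attacker}, pub, hit(&secureRan)) // genuine manifest relayed, package swapped
	honestErr = secureUpdate(Server{cfgURL: signed, pkgURL: genuine}, pub, hit(&secureRan))
	return
}

func main() {
	fmt.Println(demo())
}
```

Two design points matter here. The signature covers the manifest bytes, and the manifest carries the package digest, so an attacker who can answer for the hostname (which is exactly what DNS poisoning gives them) cannot point the client at their own package or swap the package behind a replayed manifest. And because the public key is pinned in the client rather than fetched, TLS is only the transport layer: even if the attacker also obtained a certificate for the hostname, the update would still fail verification.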

To help companies detect StormBamboo activity on their systems, Volexity provides YARA rules for the different payloads and recommends blocking the indicators of compromise the company has published.

Disclosure: I work for Trend Micro, but the views expressed in this article are mine.
