New research from cybersecurity firm Volexity revealed details about a highly sophisticated attack deployed by a Chinese-speaking cyberespionage threat actor named StormBamboo.
The threat actor compromised an ISP to modify DNS answers to queries from systems requesting legitimate software updates. Multiple software vendors were targeted. The altered responses led to malicious payloads served by StormBamboo in addition to the legitimate update files. The payloads targeted both macOS and Microsoft Windows operating systems.
Who is StormBamboo?
StormBamboo — also known as Evasive Panda, Daggerfly, or Bronze Highland — is a China-aligned cyberespionage threat actor, active since at least 2012. The Chinese-speaking group has targeted many organizations that align with Chinese interests worldwide.
Over the years, the group has targeted individuals in mainland China, Hong Kong, Macao, and Nigeria. Additionally, it has targeted entities, including governments, in Southeast Asia, East Asia, the U.S., India, and Australia.
The group has a long history of compromising legitimate infrastructure to infect its targets with custom malware developed for Microsoft Windows and macOS operating systems. The group has deployed watering hole attacks, which consist of compromising a specific website to target its visitors and infect them with malware.
StormBamboo is also capable of running supply chain attacks, such as compromising a software platform, to discreetly infect people with malware.
The group is also capable of targeting Android users.
ISP compromised, DNS responses poisoned
The threat actor managed to compromise a target's ISP infrastructure to control the responses from that ISP's DNS servers, whose normal job is to translate domain names into IP addresses so that clients reach the correct website. An attacker who controls the resolver can answer queries for a chosen domain name with an attacker-controlled IP address instead. This is exactly what StormBamboo did.
While it's not known how the group compromised the ISP, Volexity reported that the ISP rebooted and took various components of its network offline, which immediately stopped the DNS poisoning operation.
The attacker aimed to alter DNS answers for several different legitimate application update websites.
Paul Rascagneres, threat researcher at Volexity and an author of the publication, told TechRepublic in a written interview that the company doesn't know exactly how the threat actors chose the ISP.
“The attackers probably did some research or reconnaissance to identify what is the victim’s ISP,” he wrote. “We don’t know if other ISPs have been compromised; it is complicated to identify it from the outside. StormBamboo is an aggressive threat actor. If this operating mode was a success for them, they could use it on other ISPs for other targets.”
Legitimate update mechanisms being abused
Multiple software vendors were targeted by this attack.
Once a DNS request from users was sent to the compromised DNS server, it answered with an attacker-controlled IP address that delivered a real update for the software — but with an attacker's payload.
Attack workflow. Image: Volexity
The Volexity report showed that several software vendors using insecure update workflows were affected and provided an example with a software product named 5KPlayer.
The software checks for updates for "YoutubeDL" every time it's started. The check is done by requesting a configuration file, which indicates whether a new version is available. If so, it's downloaded from a specific URL and executed by the legitimate application.
Yet the compromised ISP's DNS will lead the application to a modified configuration file, which indicates there's an update, but delivers a backdoored YoutubeDL package.
The malicious payload is a PNG file containing either MACMA or POCOSTICK/MGBot malware, depending on the operating system requesting the update. MACMA infects macOS, while POCOSTICK/MGBot infects Microsoft Windows operating systems.
Malicious payloads
POCOSTICK, also known as MGBot, is a custom malware probably developed by StormBamboo, as it has not been used by any other group, according to ESET. The malware has existed since 2012 and consists of several modules enabling keylogging, file stealing, clipboard interception, audio stream capture, and cookie and credential theft.
Conversely, MACMA allows keylogging, victim machine fingerprinting, and screen and audio capture. It also provides a command line to the attacker and has file-theft capabilities. Google first reported the presence of MACMA malware in 2021, when it was being deployed through watering hole attacks.
The attack reported by Google was not attributed to a threat actor, but it targeted visitors of Hong Kong websites for a media outlet and a prominent pro-democracy labor and political group, according to Google. This attack aligns with StormBamboo's targeting.
Volexity also noticed significant code similarities between the latest MACMA version and another malware family, GIMMICK, used by the StormCloud threat actor.
Finally, in one case following the compromise of a victim's macOS machine, Volexity observed the attacker deploy a malicious Google Chrome extension. The obfuscated code allows the attacker to exfiltrate the browser's cookies to an attacker-controlled Google Drive account.
How can software vendors protect users from cyber threats?
Rascagneres told TechRepublic that Volexity identified several targeted insecure update mechanisms from different software products: 5k Player, Quick Heal, Sogou, Rainmeter, Partition Wizard, and Corel.
Questioned about how to protect and improve the update mechanisms at the software vendor level, the researcher insists that “the software editors should enforce HTTPS update mechanism and check the SSL certificate of the website where the updates are downloaded. Additionally, they should sign the updates and check this signature before executing them.”
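A hardened version of the 5KPlayer-style update flow described above, implementing the three checks Rascagneres lists: HTTPS with certificate and hostname validation, a signed update descriptor, and signature plus hash verification before anything is executed. This is an added example written for this article, not 5KPlayer's, Volexity's or any vendor's code. The vendor URLs, the JSON manifest format and the Ed25519 vendor key are assumptions, it depends on the `cryptography` package, and the fetch function is injected so the constructed "genuine", "poisoned" (attacker answering for the vendor hostname, as with the poisoned DNS) and "swapped" servers run offline.

```python
import hashlib
import hmac
import json
import ssl
from urllib.parse import urlparse

from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives.asymmetric.ed25519 import Ed25519PrivateKey, Ed25519PublicKey

# Hypothetical vendor endpoints; the real 5KPlayer URLs are not on the page.
MANIFEST_URL = "https://updates.example-vendor.test/youtubedl/manifest.json"
PACKAGE_URL = "https://updates.example-vendor.test/youtubedl/youtubedl.pkg"


class UpdateRejected(Exception):
    """Any failed check ends here; the caller executes nothing."""


def verified_tls_context() -> ssl.SSLContext:
    """TLS settings for the update client. With hostname checking on, a poisoned
    DNS answer only reaches a server that cannot present a valid certificate for
    the vendor's hostname, so the download fails closed."""
    ctx = ssl.create_default_context()  # system CA store, CERT_REQUIRED
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def require_https(url: str) -> str:
    """Reject plaintext URLs, including ones carried inside a manifest."""
    parsed = urlparse(url)
    if parsed.scheme != "https" or not parsed.hostname:
        raise UpdateRejected(f"refusing non-HTTPS update URL: {url}")
    return url


def verify_manifest(manifest_bytes: bytes, signature: bytes, vendor_key: Ed25519PublicKey) -> dict:
    """Check the vendor signature before trusting a single field of the manifest."""
    try:
        vendor_key.verify(signature, manifest_bytes)
    except InvalidSignature as exc:
        raise UpdateRejected("manifest signature does not verify") from exc
    manifest = json.loads(manifest_bytes)
    require_https(manifest["url"])
    return manifest


def verify_package(package: bytes, manifest: dict) -> bytes:
    """Bind the downloaded bytes to the signed manifest before execution."""
    digest = hashlib.sha256(package).hexdigest()
    if not hmac.compare_digest(digest, manifest["sha256"]):
        raise UpdateRejected("package hash does not match signed manifest")
    return package


def check_for_update(fetch, vendor_key: Ed25519PublicKey, installed: str):
    """fetch(url) -> bytes is injected so the flow runs offline; a real client wraps
    urllib with verified_tls_context(). Returns the verified package, or None when current."""
    manifest_bytes = fetch(require_https(MANIFEST_URL))
    signature = fetch(require_https(MANIFEST_URL + ".sig"))
    manifest = verify_manifest(manifest_bytes, signature, vendor_key)
    if manifest["version"] == installed:
        return None
    return verify_package(fetch(manifest["url"]), manifest)


def run_demo() -> dict:
    """Constructed scenario: the genuine vendor versus an attacker who, as in the
    poisoned-DNS case, answers every request for the vendor hostname."""
    vendor_priv = Ed25519PrivateKey.generate()
    vendor_pub = vendor_priv.public_key()

    def manifest_for(pkg: bytes, version: str) -> bytes:
        return json.dumps({"version": version, "url": PACKAGE_URL,
                           "sha256": hashlib.sha256(pkg).hexdigest()}).encode()

    package = b"constructed YoutubeDL package bytes"
    manifest = manifest_for(package, "2.0")
    genuine = {MANIFEST_URL: manifest, MANIFEST_URL + ".sig": vendor_priv.sign(manifest),
               PACKAGE_URL: package}

    # Attacker server: advertises a newer version and its own payload, but can
    # only sign the manifest with a key the client does not trust.
    evil_pkg = b"constructed backdoored package"
    evil_manifest = manifest_for(evil_pkg, "9.9")
    poisoned = {MANIFEST_URL: evil_manifest, PACKAGE_URL: evil_pkg,
                MANIFEST_URL + ".sig": Ed25519PrivateKey.generate().sign(evil_manifest)}

    # Genuine signed manifest, but the package download itself was swapped.
    swapped = {**genuine, PACKAGE_URL: evil_pkg}

    results = {}
    for name, server in (("genuine", genuine), ("poisoned", poisoned), ("swapped", swapped)):
        try:
            out = check_for_update(server.__getitem__, vendor_pub, installed="1.0")
            results[name] = "installed" if out == package else "executed untrusted code"
        except UpdateRejected as exc:
            results[name] = f"rejected: {exc}"
    results["current"] = check_for_update(genuine.__getitem__, vendor_pub, installed="2.0")
    return results
```

Calling `run_demo()` installs the genuine package, rejects the poisoned server at the manifest signature check (it never reaches the download), rejects the swapped package at the hash check, and returns `None` for a client that is already on the signed version. The order matters: the signature is verified before any field of the manifest, including its download URL, is read, so an attacker who controls name resolution gains nothing from rewriting the configuration file.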
To help companies detect StormBamboo activity on their systems, Volexity provides YARA rules to detect the different payloads and recommends blocking the Indicators of Compromise the company provides.
Disclosure: I work for Trend Micro, but the views expressed in this article are mine.