Red Panda

A Chinese hacking group tracked as StormBamboo has compromised an unnamed Internet Service Provider (ISP) to poison automatic software updates with malware.

Also tracked as Evasive Panda, Daggerfly, and StormCloud, this cyber espionage group has been active since at least 2012, targeting organizations in mainland China, Hong Kong, Macau, Nigeria, and various Southeast and East Asian countries.

On Friday, Volexity researchers revealed that the Chinese cyber espionage gang exploited insecure HTTP software update mechanisms that did not validate digital signatures to deploy malware payloads on victims’ Windows and macOS devices.

“When these applications went to fetch their updates, instead of installing the required updates, they would install malware, including MACMA and POCOSTICK (aka MGBot),” cyber security company Volexity explained in a report published on Friday.

To do this, the attackers intercepted and modified the victims’ DNS requests, poisoning the answers with malicious IP addresses. This delivered the malware from StormBamboo’s command and control servers to the target systems without the need for any user interaction.

For example, they leveraged 5KPlayer’s requests to update its youtube-dl dependency to push a backdoor installer hosted on their C2 servers.
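As an added illustration, not code from the Volexity report or from any of the affected products, this Go model contrasts an updater that trusts whatever host its DNS answer points at with one that pins the vendor’s Ed25519 public key; the key, the two servers and the payload strings are constructed for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
)

// Update is an update server's response: installer bytes plus a detached signature.
type Update struct{ Payload, Signature []byte }

// Server is whatever host the client's DNS answer pointed it at; with a poisoned
// answer the update URL is unchanged but the Server is the attacker's.
type Server func() Update

// InsecureFetch models the flawed updater: it installs whatever the server returns,
// so a poisoned DNS answer alone is enough to swap the update for malware.
func InsecureFetch(srv Server) []byte { return srv().Payload }

// VerifiedFetch models the hardened updater: the vendor's public key is pinned in the
// client, so redirecting the download is not enough without a valid signature.
func VerifiedFetch(srv Server, pinned ed25519.PublicKey) ([]byte, error) {
	u := srv()
	if len(u.Signature) != ed25519.SignatureSize || !ed25519.Verify(pinned, u.Payload, u.Signature) {
		return nil, errors.New("update signature invalid: refusing to install")
	}
	return u.Payload, nil
}

// BuildScenario creates a constructed vendor key pair, the vendor's server, and an
// attacker server standing in for the host a poisoned DNS answer would return.
func BuildScenario() (pinned ed25519.PublicKey, vendor, attacker Server, good, bad []byte) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	good = []byte("youtube-dl update (constructed genuine payload)")
	bad = []byte("backdoor installer (constructed attacker payload)")
	vendor = func() Update { return Update{good, ed25519.Sign(priv, good)} }
	// The attacker holds no vendor private key, so it can only send a bogus signature.
	attacker = func() Update { return Update{bad, make([]byte, ed25519.SignatureSize)} }
	return pub, vendor, attacker, good, bad
}

func main() {
	pinned, vendor, attacker, _, _ := BuildScenario()
	_, err := VerifiedFetch(attacker, pinned)
	p, _ := VerifiedFetch(vendor, pinned)
	fmt.Printf("insecure/poisoned: %q\nverified/poisoned: %v\nverified/honest: %q\n", InsecureFetch(attacker), err, p)
}
```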

After compromising the target’s systems, the threat actors installed a malicious Google Chrome extension (Reload Text), which allowed them to harvest and steal browser cookies and mail data.

[Figure: Flow of the StormBamboo attack (Volexity)]

“Volexity observed StormBamboo targeting multiple software vendors, who use insecure update workflows, and use varying levels of sophistication in their steps to push the malware,” the researchers added.

“Volexity notified and worked with the ISP, which investigated various key devices providing traffic routing services on its network. As the ISP rebooted and took various network components offline, DNS poisoning stopped immediately.”

In April 2023, ESET researchers also observed the hacking group exploiting the automatic update mechanism of the Tencent QQ messaging application in attacks targeting international NGOs (non-governmental organizations) to deploy the Pocostick (MGBot) Windows backdoor.

About a year later, in July 2024, Symantec’s threat hunting team observed the Chinese hackers targeting an American NGO in China and multiple organizations in Taiwan with new versions of the Macma macOS backdoor and the Nightdoor Windows malware.

In both cases, although the attackers’ skill was clear, researchers believed it was either a supply chain attack or an adversary-in-the-middle (AITM) attack but were unable to narrow down the exact method of attack.
