05 August 2024 | Ravi Lakshmanan | Browser Security / Windows Security

Malicious software updates

The China-linked threat actor known as Evasive Panda compromised an unnamed Internet Service Provider (ISP) in mid-2023 to push out malicious software updates to target companies, highlighting a new level of sophistication associated with the group.

Evasive Panda, also known as Bronze Highland, Daggerfly, and StormBamboo, is a cyber-espionage group active since at least 2012 that uses backdoors such as MgBot (aka POCOSTICK) and Nightdoor (aka NetMM and Suzafk) to steal sensitive information.

Most recently, the threat actor was formally attributed to the use of a macOS malware strain called MACMA, which has been observed in the wild since 2021.


“StormBamboo is a highly skilled and aggressive threat actor that compromises a third party (in this case, an ISP) to compromise the intended targets,” Volexity said in a report published last week.

“The variety of malware used by this threat actor in various campaigns indicates that significant effort has been put in, with actively supported payloads for not only macOS and Windows, but also network appliances.”

Public reporting by ESET and Symantec over the past two years has documented Evasive Panda’s track record of using MgBot and orchestrating watering hole and supply chain attacks targeting Tibetan users.

The group has also been found to target an international non-governmental organization (NGO) in mainland China, delivering MgBot through the update channels of legitimate applications such as Tencent QQ.


While it was speculated that the trojanized updates were either the result of a supply chain compromise of Tencent QQ’s update servers or a case of an adversary-in-the-middle (AitM) attack, Volexity’s analysis confirmed that they were the result of a DNS poisoning attack at the ISP level.

Specifically, the threat actor is said to have altered DNS query responses for specific domains tied to automated software update mechanisms, going after software with insecure update mechanisms, e.g. software that fetches updates over plain HTTP or does not implement proper integrity checking of installers.

“It was discovered that StormBamboo poisoned DNS requests to deploy malware via an HTTP automatic update mechanism and poisoned responses for legitimate hostnames that were used as second-stage, command-and-control (C2) servers,” said researchers Ankur Saini, Paul Rascagneres, Steven Adair, and Thomas Lancaster.

The attack chains are straightforward: they exploit the insecure update mechanism to deliver MgBot or MACMA, depending on the operating system in use. Volexity said it notified the ISP concerned so that it could remediate the DNS poisoning attack.

One example involves deploying a Google Chrome extension on a victim’s macOS device by editing the browser’s Secure Preferences file. The add-on purports to be a tool that loads a page in compatibility mode with Internet Explorer, but its primary purpose is to exfiltrate browser cookies to an adversary-controlled Google Drive account.
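An extension written into Secure Preferences by hand, rather than installed through the Web Store, leaves a recognisable trace in that file. The following triage script is an added example (not Volexity’s tooling or anything from the original report): it parses a constructed Secure Preferences excerpt and flags extensions that were not installed from the Chrome Web Store yet hold permissions sufficient to harvest cookies. The key names used (`extensions.settings`, `from_webstore`, `path`, `manifest.permissions`) are assumed to follow Chrome’s preference layout; the extension IDs, names and paths are invented.

```python
import json

# Constructed Secure Preferences excerpt, not a real capture. Key names are
# assumed to follow Chrome's preference layout; IDs, names and paths are invented.
SAMPLE_SECURE_PREFS = json.dumps({
    "extensions": {
        "settings": {
            "abcdefghijklmnopabcdefghijklmnop": {
                "from_webstore": True,
                "state": 1,
                "manifest": {"name": "Password Manager (constructed)",
                             "permissions": ["storage", "tabs"]},
            },
            "ponmlkjihgfedcbaponmlkjihgfedcba": {
                "from_webstore": False,
                "state": 1,
                "path": "/Users/victim/Library/Application Support/ie-compat",
                "manifest": {"name": "IE Compatibility Mode (constructed)",
                             "permissions": ["cookies", "<all_urls>", "identity"]},
            },
        }
    }
})

# Permissions that let an extension read session material or reach any origin.
COOKIE_THEFT_PERMS = {"cookies", "<all_urls>", "webRequest", "identity"}


def audit_extensions(secure_prefs_json: str) -> list:
    """Return one finding per extension that was not installed from the Chrome
    Web Store and holds permissions sufficient to harvest cookies."""
    prefs = json.loads(secure_prefs_json)
    settings = prefs.get("extensions", {}).get("settings", {})
    findings = []
    for ext_id, entry in settings.items():
        manifest = entry.get("manifest", {})
        risky = sorted(set(manifest.get("permissions", [])) & COOKIE_THEFT_PERMS)
        sideloaded = not entry.get("from_webstore", False)
        if sideloaded and risky:
            findings.append({
                "id": ext_id,
                "name": manifest.get("name", "?"),
                "path": entry.get("path"),
                "permissions": risky,
            })
    return findings


if __name__ == "__main__":
    for f in audit_extensions(SAMPLE_SECURE_PREFS):
        print(f"{f['id']} {f['name']!r} loaded from {f['path']}: "
              f"{', '.join(f['permissions'])}")
```

On macOS the file to feed in is `~/Library/Application Support/Google/Chrome/<Profile>/Secure Preferences`; a hit on an extension whose `path` points outside the profile’s `Extensions` directory deserves a look at the extension’s own manifest and background script before anything else.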

“An attacker can intercept DNS requests and poison them with malicious IP addresses, and then use this technique to abuse automatic update mechanisms that use HTTP rather than HTTPS,” the researchers said.
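The two weaknesses named above, plaintext transport and no integrity check on what comes back, are what make a poisoned DNS answer sufficient on its own. The simulation below is an added example (not code from Volexity or from any affected vendor) with a toy resolver, a legitimate server and an attacker server; the hostname, addresses, keys and installer bytes are all invented. The legacy client does what the article describes and runs whatever the poisoned resolver hands it; the hardened client refuses plain HTTP, verifies the update manifest under a key pinned in the client, and then checks the installer’s SHA-256 against the signed manifest. TLS is not modelled, so `https://` gives no protection by itself here, which is the point: the pinned-key check is what stops the trojan. A real updater would pin an asymmetric public key (Ed25519, for instance) so that the client holds no secret; HMAC-SHA256 stands in for that signature here only to keep the example dependency-free.

```python
import hashlib
import hmac
import json
from urllib.parse import urlparse

# Constructed payloads standing in for real installers.
LEGIT_INSTALLER = b"MZ\x90\x00 legitimate installer (constructed)"
TROJAN_INSTALLER = b"MZ\x90\x00 installer with backdoor appended (constructed)"

# Stand-in for the vendor's signing key. A real updater pins an asymmetric
# public key so the client holds no secret; HMAC-SHA256 is used here only to
# stay dependency-free (assumption, not any vendor's real design).
VENDOR_KEY = b"vendor-signing-key (constructed)"
ATTACKER_KEY = b"attacker-key (constructed)"

UPDATE_HOST = "update.example-app.test"  # hypothetical vendor hostname
LEGIT_IP = "203.0.113.10"
ATTACKER_IP = "198.51.100.7"


def sign(data: bytes, key: bytes) -> str:
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def make_server(installer: bytes, key: bytes) -> dict:
    """Build the three files an update server exposes: manifest, its signature
    and the installer. The attacker's copy is internally consistent (the hash
    matches the trojan) but is signed with a key the client does not trust."""
    manifest = json.dumps({"version": "2.4.1", "url": "/installer.exe",
                           "sha256": hashlib.sha256(installer).hexdigest()},
                          sort_keys=True, separators=(",", ":")).encode()
    return {"/latest.json": manifest,
            "/latest.json.sig": sign(manifest, key).encode(),
            "/installer.exe": installer}


class Network:
    """Toy resolver plus servers. TLS is not modelled, so an https:// URL on its
    own gives no protection here (as for a client that skips cert validation)."""

    def __init__(self):
        self.dns = {UPDATE_HOST: LEGIT_IP}
        self.servers = {LEGIT_IP: make_server(LEGIT_INSTALLER, VENDOR_KEY),
                        ATTACKER_IP: make_server(TROJAN_INSTALLER, ATTACKER_KEY)}

    def poison(self, host: str, ip: str) -> None:
        """What a compromised ISP resolver does: answer the victim's query for
        the update host with an attacker-controlled address."""
        self.dns[host] = ip

    def fetch(self, url: str) -> bytes:
        u = urlparse(url)
        return self.servers[self.dns[u.hostname]][u.path]


def legacy_client(net: Network) -> bytes:
    """The pattern the article describes: plain HTTP, no integrity check,
    whatever comes back is written to disk and executed."""
    base = f"http://{UPDATE_HOST}"
    manifest = json.loads(net.fetch(base + "/latest.json"))
    return net.fetch(base + manifest["url"])


class UpdateRejected(Exception):
    pass


def hardened_client(net: Network, base: str = f"https://{UPDATE_HOST}",
                    pinned_key: bytes = VENDOR_KEY) -> bytes:
    """Refuse plaintext channels, verify the manifest under the pinned key, then
    verify the installer against the signed hash before handing it back."""
    if urlparse(base).scheme != "https":
        raise UpdateRejected("refusing plaintext update channel")
    raw = net.fetch(base + "/latest.json")
    sig = net.fetch(base + "/latest.json.sig").decode()
    if not hmac.compare_digest(sig, sign(raw, pinned_key)):
        raise UpdateRejected("manifest signature does not verify under pinned key")
    manifest = json.loads(raw)
    installer = net.fetch(base + manifest["url"])
    if not hmac.compare_digest(hashlib.sha256(installer).hexdigest(),
                               manifest["sha256"]):
        raise UpdateRejected("installer hash does not match signed manifest")
    return installer


def run_scenario(poisoned: bool) -> dict:
    """Run both clients against a clean or poisoned resolver and report whether
    the legacy client would have executed the trojan and what the hardened
    client decided."""
    net = Network()
    if poisoned:
        net.poison(UPDATE_HOST, ATTACKER_IP)
    result = {"legacy_ran_trojan": legacy_client(net) == TROJAN_INSTALLER}
    try:
        hardened_client(net)
        result["hardened"] = "installed"
    except UpdateRejected as exc:
        result["hardened"] = str(exc)
    return result


if __name__ == "__main__":
    for poisoned in (False, True):
        print("poisoned" if poisoned else "clean", run_scenario(poisoned))
```

Note that the attacker’s server is free to publish a manifest whose hash matches its trojan, so a hash check alone buys nothing when the hash travels over the same poisoned path; the check only has value because the manifest carrying it must verify under a key that was shipped inside the client.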
