A China-based cyber espionage group compromised an internet service provider (ISP) to spread malware in 2023, researchers said on Friday, confirming an earlier report about the same operation.
Analysts at Volexity said the hacking operation, tracked as Evasive Panda, Bronze Highland, Daggerfly and StormBamboo, was indeed conducting "adversary-in-the-middle" attacks in 2023 as it infected Mac and Windows systems. In such an attack, the adversary positions itself between a victim's device and an otherwise trusted server and uses that position to deliver malicious code.
Researchers at a different company, ESET, had attributed at least one malware infection to Evasive Panda in 2023 but could only speculate that it had been carried out through an adversary-in-the-middle attack.
Volexity said its analysis showed that Evasive Panda had compromised the target's ISP and was poisoning DNS responses, the lookups that translate domain names into the IP addresses devices connect to.
“Volexity notified and worked with the ISP, which investigated the various key devices providing traffic routing services on its network,” Volexity said. “As soon as the ISP rebooted and took various network components offline, the DNS poisoning stopped immediately.”
Attackers used this access to deliver information-stealing malware known as MgBot or Pocostick (for Windows machines) and Macma (for macOS devices). MgBot in particular has been a go-to tool for Evasive Panda for over a decade; earlier this year, ESET reported that MgBot had been used against the Tibetan population of China.
Volexity said that in the 2023 cases it analyzed, applications would request updates over the network, but the victims' devices received MgBot and Macma instead.
"StormBamboo appeared to target software that used insecure update mechanisms such as HTTP, and did not properly validate the digital signatures of installers," said Volexity.
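The two weaknesses Volexity describes, plaintext update channels and missing signature validation, are exactly what an attacker who controls DNS answers needs. The following is an added example, not code from Volexity, ESET or any affected vendor, contrasting a client that runs whatever the update URL returns with one that refuses non-HTTPS URLs and verifies an Ed25519 signature under a pinned publisher key. The hostname `updates.example.test`, the installer bytes and the key pair (generated at startup rather than embedded, so the example runs offline) are all constructed for illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
	"net/url"
)

// Publisher key pair. In a real client only the public key ships, pinned in the
// binary; the private key stays on the vendor's signing infrastructure. Both are
// generated here (constructed for the example) so the code runs offline.
var publisherPub ed25519.PublicKey
var publisherPriv ed25519.PrivateKey

func init() {
	var err error
	publisherPub, publisherPriv, err = ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
}

// checkUpdateURL refuses plaintext update channels. With poisoned DNS an attacker
// can point the update hostname at their own server; over HTTP nothing
// authenticates that server, whereas HTTPS fails certificate validation unless the
// attacker also holds a certificate for the hostname.
func checkUpdateURL(raw string) error {
	u, err := url.Parse(raw)
	if err != nil {
		return err
	}
	if u.Scheme != "https" {
		return fmt.Errorf("refusing update URL with scheme %q: only https is allowed", u.Scheme)
	}
	return nil
}

// signInstaller is the publisher-side step: sign the SHA-256 digest of the
// installer with the given private key.
func signInstaller(priv ed25519.PrivateKey, installer []byte) []byte {
	digest := sha256.Sum256(installer)
	return ed25519.Sign(priv, digest[:])
}

// forgeSignature is what an in-path attacker can do at best: sign the swapped
// payload with a key of their own. It is a valid Ed25519 signature, just not under
// the key the client pins.
func forgeSignature(installer []byte) []byte {
	_, attackerPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return signInstaller(attackerPriv, installer)
}

// verifyInstaller is the client-side check that must pass before anything
// downloaded is executed: the signature must verify under the pinned publisher key.
func verifyInstaller(installer, sig []byte) error {
	digest := sha256.Sum256(installer)
	if !ed25519.Verify(publisherPub, digest[:], sig) {
		return errors.New("installer signature does not verify under the pinned publisher key")
	}
	return nil
}

// insecureApplyUpdate mirrors the flawed pattern: whatever bytes come back from the
// update request are treated as the installer, with no scheme or signature check.
// It returns whether the client would execute them.
func insecureApplyUpdate(installer []byte) bool {
	return len(installer) > 0
}

// secureApplyUpdate executes the installer only if the channel was HTTPS and the
// signature verifies under the pinned key.
func secureApplyUpdate(updateURL string, installer, sig []byte) (bool, error) {
	if err := checkUpdateURL(updateURL); err != nil {
		return false, err
	}
	if err := verifyInstaller(installer, sig); err != nil {
		return false, err
	}
	return true, nil
}

func main() {
	genuine := []byte("constructed installer bytes, version 2.0")
	sig := signInstaller(publisherPriv, genuine)
	swapped := []byte("constructed attacker payload standing in for MgBot")

	ok, err := secureApplyUpdate("https://updates.example.test/app.exe", genuine, sig)
	fmt.Println("genuine over https:", ok, err)
	ok, err = secureApplyUpdate("http://updates.example.test/app.exe", genuine, sig)
	fmt.Println("genuine over http:", ok, err)
	ok, err = secureApplyUpdate("https://updates.example.test/app.exe", swapped, sig)
	fmt.Println("swapped payload, publisher signature:", ok, err)
	ok, err = secureApplyUpdate("https://updates.example.test/app.exe", swapped, forgeSignature(swapped))
	fmt.Println("swapped payload, attacker signature:", ok, err)
	fmt.Println("insecure client runs swapped payload:", insecureApplyUpdate(swapped))
}
```

The point of the attacker-signed case is that "validating the digital signature" means checking it against a key the client already trusts; accepting any well-formed signature, or a key fetched from the same untrusted channel, would leave the DNS-poisoning path open.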
Evasive Panda is a “highly skilled and aggressive threat actor,” the researchers said, with a wide variety of malware at hand and “significant effort” invested in operations.