New analysis from cybersecurity firm Volexity reveals details of a highly sophisticated attack deployed by a Chinese-speaking cyberespionage threat actor named StormBamboo.
StormBamboo compromised an ISP in order to alter the DNS responses returned to systems requesting legitimate software updates. Several software vendors were targeted. The altered responses led to malicious payloads being served by StormBamboo alongside the legitimate update files. The payloads targeted both macOS and Microsoft Windows.
Who’s StormBamboo?
StormBamboo, also known as Evasive Panda, Daggerfly, or Bronze Highland, is a China-aligned cyberespionage threat actor, active since at least 2012. The Chinese-speaking group has targeted many organizations worldwide in line with Chinese interests.
Over the years, the group has targeted individuals in mainland China, Hong Kong, Macao, and Nigeria. Additionally, it has targeted entities, including governments, in Southeast Asia, East Asia, the U.S., India, and Australia.
The group has a long history of compromising legitimate infrastructure to infect its targets with custom malware developed for Microsoft Windows and macOS. It has deployed watering hole attacks, which consist of compromising a selected website in order to target its visitors and infect them with malware.
StormBamboo is also capable of running supply chain attacks, such as compromising a software platform, to discreetly infect people with malware.
The group is also capable of targeting Android users.
ISP compromised, DNS responses poisoned
The threat actor managed to compromise a target's ISP infrastructure in order to control the DNS responses returned by that ISP's DNS servers.
DNS servers mostly translate domain names into IP addresses, directing clients to the correct site. An attacker who controls the server can cause computers that look up a particular domain name to be sent to an attacker-controlled IP address instead. That is exactly what StormBamboo did.
While it is not known how the group compromised the ISP, Volexity reported that the ISP rebooted and took various components of its network offline, which immediately stopped the DNS poisoning operation.
The attacker aimed at altering DNS answers for several different legitimate software update websites.
SEE: Why your company should consider implementing DNS security extensions
Paul Rascagneres, threat researcher at Volexity and an author of the report, told TechRepublic in a written interview that the company does not know exactly how the threat actors chose the ISP.
“The attackers probably did some research or reconnaissance to identify what the victim's ISP is,” he wrote. “We don't know if other ISPs have been compromised; it is complicated to identify it from the outside. StormBamboo is an aggressive threat actor. If this mode of operation was a success for them, they could apply it to other ISPs for other targets.”
Legitimate update mechanisms abused
Several software vendors were targeted by this attack.
Once a DNS request from a user's system reached the compromised DNS server, it answered with an attacker-controlled IP address that delivered a real update for the software, but bundled with an attacker's payload.
The Volexity report confirmed that several software vendors using insecure update workflows were affected and provided an example with software named 5KPlayer.
The software checks for updates for “YoutubeDL” every time it is started. The check is done by requesting a configuration file, which indicates whether a new version is available. If so, the new version is downloaded from a specific URL and executed by the legitimate application.
With the compromised ISP's DNS, however, the application is led to a modified configuration file, which indicates that an update is available but delivers a backdoored YoutubeDL package.
The malicious payload is a PNG file containing either MACMA or POCOSTICK/MGBot malware, depending on the operating system requesting the update. MACMA infects macOS, while POCOSTICK/MGBot infects Microsoft Windows.
Malicious payloads
POCOSTICK, also known as MGBot, is a custom malware likely developed by StormBamboo, as it has not been used by any other group, according to ESET. The malware has existed since 2012 and consists of several modules enabling keylogging, file stealing, clipboard interception, audio stream capture, and cookie and credential theft.
MACMA, for its part, allows keylogging, victim device fingerprinting, and screen and audio capture. It also provides a command line to the attacker and has file-theft capabilities. Google first reported the presence of MACMA malware in 2021, when it was deployed through watering hole attacks.
The attack reported by Google was not attributed to a threat actor, but it targeted visitors of Hong Kong websites belonging to a media outlet and a prominent pro-democracy labor and political group, according to Google. This targeting aligns with StormBamboo's.
Volexity also noticed significant code similarities between the latest MACMA version and another malware family, GIMMICK, used by the StormCloud threat actor.
Finally, in one case following the compromise of a victim's macOS device, Volexity observed the attacker deploy a malicious Google Chrome extension. Its obfuscated code allows the attacker to exfiltrate the browser's cookies to an attacker-controlled Google Drive account.
How can software vendors protect users from cyber threats?
Rascagneres told TechRepublic that Volexity identified several targeted insecure update mechanisms from different software: 5KPlayer, Quick Heal, Sogou, Rainmeter, Partition Wizard, and Corel.
Asked how to protect and improve update mechanisms at the software vendor level, the researcher insists that “the software editors should implement an HTTPS update mechanism and check the SSL certificate of the website where the updates are downloaded. Additionally, they should sign the updates and check this signature before executing them.”
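The 5KPlayer update flow described above (fetch a configuration file, download the package it names, execute it) and the signing recommendation the researcher makes can be shown side by side in code. The following Go program is an added example written for this article; it is not code from Volexity's report, from 5KPlayer, or from any of the vendors named. The manifest layout, its field names, the key handling, the URLs and the package bytes are all assumptions constructed for the example. It models only the signature and hash checks that make a poisoned resolver useless to the attacker; HTTPS with certificate verification is the complementary transport control and is not modelled here.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"errors"
	"fmt"
)

// Manifest plays the role of the configuration file 5KPlayer fetches on startup.
// Field names are assumptions for this example, not the vendor's real format.
type Manifest struct {
	Version string `json:"version"`
	URL     string `json:"url"`
	SHA256  string `json:"sha256"` // hex SHA-256 of the package the client must download
}

// SignedManifest carries the exact manifest bytes the vendor signed. Verifying
// the raw bytes, rather than a re-serialised struct, avoids canonicalisation bugs.
type SignedManifest struct {
	Manifest  json.RawMessage `json:"manifest"`
	Signature []byte          `json:"signature"`
}

var (
	ErrBadSignature = errors.New("manifest signature does not verify against the pinned vendor key")
	ErrHashMismatch = errors.New("downloaded package does not match the hash in the signed manifest")
)

// SignManifest is the vendor-side release step, run with the offline signing key.
func SignManifest(priv ed25519.PrivateKey, m Manifest) (SignedManifest, error) {
	raw, err := json.Marshal(m)
	if err != nil {
		return SignedManifest{}, err
	}
	return SignedManifest{Manifest: raw, Signature: ed25519.Sign(priv, raw)}, nil
}

// VerifyUpdate is the client-side step. The public key is compiled into the
// client (pinned), so whoever answers the DNS query for the update host still
// cannot produce a manifest the client accepts. Only after both checks pass
// may the package be executed.
func VerifyUpdate(pub ed25519.PublicKey, sm SignedManifest, pkg []byte) (Manifest, error) {
	if !ed25519.Verify(pub, sm.Manifest, sm.Signature) {
		return Manifest{}, ErrBadSignature
	}
	var m Manifest
	if err := json.Unmarshal(sm.Manifest, &m); err != nil {
		return Manifest{}, err
	}
	want, err := hex.DecodeString(m.SHA256)
	if err != nil {
		return Manifest{}, err
	}
	got := sha256.Sum256(pkg)
	if !bytes.Equal(got[:], want) {
		return Manifest{}, ErrHashMismatch
	}
	return m, nil
}

// Scenario replays three outcomes a poisoned resolver can produce and returns
// the verification result of each. Keys, URLs and package bytes are constructed.
func Scenario() (legit, forgedManifest, swappedPackage error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	pkg := []byte("constructed: genuine update package bytes")
	sum := sha256.Sum256(pkg)
	signed, err := SignManifest(priv, Manifest{
		Version: "1.2.3",
		URL:     "https://updates.vendor.example/pkg-1.2.3.bin",
		SHA256:  hex.EncodeToString(sum[:]),
	})
	if err != nil {
		panic(err)
	}
	// 1. Resolver answers honestly: signed manifest and matching package.
	_, legit = VerifyUpdate(pub, signed, pkg)

	// 2. Resolver sends the client to an attacker host serving a rewritten manifest
	//    (new URL, hash of the backdoored package) with the old signature reused.
	evil := []byte("constructed: backdoored package bytes")
	evilSum := sha256.Sum256(evil)
	evilRaw, _ := json.Marshal(Manifest{
		Version: "9.9.9",
		URL:     "http://attacker.example/pkg.bin",
		SHA256:  hex.EncodeToString(evilSum[:]),
	})
	_, forgedManifest = VerifyUpdate(pub, SignedManifest{Manifest: evilRaw, Signature: signed.Signature}, evil)

	// 3. Manifest relayed untouched, but the download host serves a different binary.
	_, swappedPackage = VerifyUpdate(pub, signed, evil)
	return
}

func main() {
	a, b, c := Scenario()
	fmt.Println("legitimate update:", a)
	fmt.Println("forged manifest:  ", b)
	fmt.Println("swapped package:  ", c)
}
```

The first case verifies; the second fails on the signature because the attacker cannot sign with the vendor's key; the third fails on the hash because the manifest pins the package digest. An updater built this way still needs HTTPS with certificate checking for the transport, but the DNS redirection in the StormBamboo campaign would no longer be enough on its own to get a backdoored package executed.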
To help companies detect StormBamboo activity on their systems, Volexity provides YARA rules to detect the different payloads and recommends blocking the indicators of compromise the company publishes.
Disclosure: I work for Trend Micro, but the views expressed in this article are mine.