New research from cybersecurity firm Volexity revealed details of a highly sophisticated attack carried out by a Chinese-speaking cyberespionage threat actor named StormBamboo.
The threat actor compromised an ISP to modify some DNS answers to queries from systems requesting legitimate software updates. Multiple software vendors were targeted. The altered responses led to malicious payloads served by StormBamboo alongside the legitimate update files. The payloads targeted both macOS and Microsoft Windows operating systems.
Who is StormBamboo?
StormBamboo, also known as Evasive Panda, Daggerfly, or Bronze Highland, is a China-aligned cyberespionage threat actor, active since at least 2012. The Chinese-speaking group has targeted many organizations that align with Chinese interests worldwide.
Over the years, the group has targeted individuals in mainland China, Hong Kong, Macao, and Nigeria. Additionally, it has targeted entities, including governments, in Southeast Asia, East Asia, the U.S., India, and Australia.
The group has a long history of compromising legitimate infrastructure to infect its targets with custom malware developed for Microsoft Windows and macOS operating systems. The group has deployed watering hole attacks, which consist of compromising a specific website to target its visitors and infect them with malware.
StormBamboo is also capable of running supply chain attacks, such as compromising a software platform, to discreetly infect people with malware.
The group is also capable of targeting Android users.
ISP compromised, DNS responses poisoned
The threat actor managed to compromise a target's ISP infrastructure to control the DNS responses from that ISP's DNS servers. The job of those servers is mostly to translate domain names to IP addresses, so that clients reach the correct website. An attacker controlling such a server can cause computers requesting a particular domain name to be sent to an attacker-controlled IP address instead. That is exactly what StormBamboo did.
While it is not known how the group compromised the ISP, Volexity reported that the ISP rebooted and took various components of its network offline, which immediately stopped the DNS poisoning operation.
The attacker aimed at altering DNS answers for several different legitimate application update websites.
Paul Rascagneres, threat researcher at Volexity and an author of the publication, told TechRepublic in a written interview that the company does not know exactly how the threat actors chose the ISP.
“The attackers probably did some research or reconnaissance to identify what is the victim’s ISP,” he wrote. “We don’t know if other ISPs have been compromised; it is complicated to identify it from the outside. StormBamboo is an aggressive threat actor. If this operating mode was a success for them, they could use it on other ISPs for other targets.”
Legitimate update mechanisms being abused
Multiple software vendors were targeted by this attack.
Once a DNS request from users was sent to the compromised DNS server, it answered with an attacker-controlled IP address that delivered a real update for the software, but with an attacker's payload added.
The Volexity report showed that multiple software vendors using insecure update workflows were affected, and provided an example with a software product named 5KPlayer.
The software checks for updates for “YoutubeDL” each time it is started. The check is done by requesting a configuration file, which indicates whether a new version is available. If so, the new version is downloaded from a specific URL and executed by the legitimate application.
Yet the compromised ISP's DNS leads the application to a modified configuration file, which indicates that there is an update but delivers a backdoored YoutubeDL package.
The malicious payload is a PNG file containing either MACMA or POCOSTICK/MGBot malware, depending on the operating system requesting the update. MACMA infects macOS, while POCOSTICK/MGBot infects Microsoft Windows operating systems.
Malicious payloads
POCOSTICK, also known as MGBot, is a custom malware likely developed by StormBamboo, as it has not been used by any other group, according to ESET. The malware has existed since 2012 and consists of several modules enabling keylogging, file stealing, clipboard interception, audio stream capture, and cookie and credential theft.
Conversely, MACMA allows keylogging, victim device fingerprinting, and screen and audio capture. It also provides a command line to the attacker and has file-theft capabilities. Google first reported the presence of MACMA malware in 2021, deployed by means of watering hole attacks.
The attack reported by Google was not attributed to a threat actor, but it targeted visitors of Hong Kong websites belonging to a media outlet and a prominent pro-democracy labor and political group, according to Google. This targeting aligns with StormBamboo's.
Volexity also noticed significant code similarities between the latest MACMA version and another malware family, GIMMICK, used by the StormCloud threat actor.
Finally, in one case following the compromise of a victim's macOS device, Volexity observed the attacker deploy a malicious Google Chrome extension. Its obfuscated code allows the attacker to exfiltrate the browser's cookies to an attacker-controlled Google Drive account.
How can software vendors protect users from cyber threats?
Rascagneres told TechRepublic that Volexity identified several targeted insecure update mechanisms from different software products: 5KPlayer, Quick Heal, Sogou, Rainmeter, Partition Wizard, and Corel.
Asked how to protect and improve the update mechanisms at the software vendor level, the researcher insists that “the software editors should enforce HTTPS update mechanism and check the SSL certificate of the website where the updates are downloaded. Additionally, they should sign the updates and check this signature before executing them.”
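The two vendor-side controls Rascagneres describes, a signed update manifest and a signature check before execution, can be shown in a few dozen lines. The following is an added example written for this article; it is not code from Volexity, 5KPlayer or any of the vendors named here, and the manifest fields, hostnames and package bytes are constructed. It models the update flow from the 5KPlayer description: the client fetches a small configuration file (here a signed manifest naming the version, download URL and SHA-256 digest of the package), then fetches the package. Because the Ed25519 public key is compiled into the client, a resolver that points the client at a rogue host cannot produce a manifest that verifies, and a package that does not match the signed digest is refused. The network fetch is left out so the example runs offline; in Go, `net/http` validates the server's TLS certificate by default, which covers the "enforce HTTPS and check the certificate" half of the recommendation.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"errors"
	"fmt"
)

// Manifest is the update metadata the client fetches, standing in for the
// configuration file the article describes. Field names are constructed.
type Manifest struct {
	Version string `json:"version"`
	URL     string `json:"url"`
	SHA256  string `json:"sha256"` // hex digest of the package served at URL
}

// SignedManifest carries the raw manifest bytes plus an Ed25519 signature
// made with the vendor's release key at build time.
type SignedManifest struct {
	Manifest  []byte
	Signature []byte
}

var (
	ErrBadSignature = errors.New("manifest signature does not verify against the pinned vendor key")
	ErrHashMismatch = errors.New("downloaded package digest does not match the signed manifest")
)

// SignManifest is the vendor-side release step; the private key never
// leaves the vendor's signing environment.
func SignManifest(priv ed25519.PrivateKey, m Manifest) (SignedManifest, error) {
	raw, err := json.Marshal(m)
	if err != nil {
		return SignedManifest{}, err
	}
	return SignedManifest{Manifest: raw, Signature: ed25519.Sign(priv, raw)}, nil
}

// VerifyUpdate is the client-side check that runs before anything is
// executed. The signature covers version, URL and digest, and the digest
// binds the downloaded bytes to that manifest, so neither a rogue server
// reached through poisoned DNS nor a swapped download passes.
func VerifyUpdate(pinned ed25519.PublicKey, sm SignedManifest, pkg []byte) (Manifest, error) {
	if !ed25519.Verify(pinned, sm.Manifest, sm.Signature) {
		return Manifest{}, ErrBadSignature
	}
	var m Manifest
	if err := json.Unmarshal(sm.Manifest, &m); err != nil {
		return Manifest{}, err
	}
	if digest(pkg) != m.SHA256 {
		return Manifest{}, ErrHashMismatch
	}
	return m, nil
}

func digest(b []byte) string {
	sum := sha256.Sum256(b)
	return hex.EncodeToString(sum[:])
}

// Scenario plays three offline cases with constructed data and returns the
// verification result of each: a genuine update; a manifest and package
// served by an attacker-controlled host reached through poisoned DNS; and a
// genuine manifest whose package download was substituted.
func Scenario() (genuineErr, poisonedErr, swappedErr error) {
	vendorPub, vendorPriv, _ := ed25519.GenerateKey(rand.Reader)
	pkg := []byte("constructed: genuine YoutubeDL package bytes")
	sm, _ := SignManifest(vendorPriv, Manifest{Version: "2.0", URL: "https://updates.example.invalid/ytdl.zip", SHA256: digest(pkg)})
	_, genuineErr = VerifyUpdate(vendorPub, sm, pkg)

	// The rogue host does not hold the vendor key, so it can only sign with its own.
	_, attackerPriv, _ := ed25519.GenerateKey(rand.Reader)
	backdoored := []byte("constructed: backdoored package bytes")
	badSM, _ := SignManifest(attackerPriv, Manifest{Version: "2.1", URL: "http://updates.example.invalid/ytdl.zip", SHA256: digest(backdoored)})
	_, poisonedErr = VerifyUpdate(vendorPub, badSM, backdoored)

	// Genuine signed manifest, but the package bytes were replaced in transit.
	_, swappedErr = VerifyUpdate(vendorPub, sm, backdoored)
	return
}

func main() {
	g, p, s := Scenario()
	fmt.Println("genuine update:", g)
	fmt.Println("poisoned DNS, rogue server:", p)
	fmt.Println("swapped package:", s)
}
```

Running the program prints `<nil>` for the genuine case and the two sentinel errors for the other two. The point of pinning the public key in the client rather than fetching it from the update host is that DNS, and therefore the host, is exactly what the attacker controlled in this campaign; a key fetched from the same place as the manifest would be no better than no key at all.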
To help companies detect StormBamboo activity on their systems, Volexity provides YARA rules to detect the different payloads and recommends blocking the Indicators of Compromise the company provides.
Disclosure: I work for Trend Micro, but the views expressed in this article are mine.