
Stormbamboo compromised ISPs to spread malware through updates

New research from cybersecurity company Volexity has revealed details about a highly sophisticated attack carried out by a Chinese-speaking cyber espionage threat actor called Stormbamboo.

StormBamboo compromised an ISP to modify certain DNS responses to queries from systems requesting legitimate software updates. Several software vendors were targeted. The altered responses led to malicious payloads being served by StormBamboo in addition to legitimate update files. The payloads targeted both macOS and Microsoft Windows operating systems.

Who is Stormbamboo?

StormBamboo – also known as Evasive Panda, Daggerfly, or Bronze Highland – is a China-affiliated cyber espionage threat actor that has been active since at least 2012. The Chinese-speaking group has targeted numerous organizations linked to Chinese interests around the world.

Over the years, the group has targeted individuals in mainland China, Hong Kong, Macau, and Nigeria. It has also targeted entities, including governments, in Southeast Asia, East Asia, the US, India, and Australia.

The group has a long history of compromising legitimate infrastructure to infect its targets with custom malware developed for Microsoft Windows and macOS operating systems. The group has deployed watering hole attacks, which involve compromising a specific website to target its visitors and infecting them with malware.

Stormbamboo is also capable of performing supply chain attacks, such as compromising software platforms, in order to covertly infect people with malware.

This group is also capable of targeting Android users.

ISPs compromised, DNS responses toxic

The threat actor was able to compromise the target’s ISP infrastructure in order to control DNS responses from that ISP’s DNS servers.

DNS servers primarily convert domain names into IP addresses, so that a client reaches the correct server. An attacker who controls the DNS server can answer a query for a particular domain name with an IP address the attacker controls, sending the client there instead. This is exactly what StormBamboo did.

While it is not known how the group compromised the ISP, Volexity reports that the ISP rebooted and took various components of its network offline, immediately stopping the DNS poisoning operation.

The attacker’s goal was to alter the DNS answers of several different legitimate application update websites.


Paul Rascagneres, a threat researcher at Volexity and author of the publication, told TechRepublic in a written interview that the company does not know exactly how the threat actors selected the ISPs.

“The attackers would likely have done some research or reconnaissance to identify the victim’s ISP,” he wrote. “We don’t know if other ISPs have been compromised; identifying this from the outside is complicated. Stormbamboo is an aggressive threat actor. If this operating mode was successful for them, they could use it on other ISPs for other targets.”

Legitimate update mechanisms are being abused

Several software vendors have been targeted in this attack.

When DNS requests from users were sent to the compromised DNS server, it responded with an IP address controlled by the attacker, which delivered a genuine update to the software – but with the attacker’s payload.

Attack workflow. Image: Volexity

The Volexity report flagged several software vendors whose insecure update workflows were of concern and gave the example of a program called 5KPlayer.

The software checks for updates for “YoutubeDL” every time it starts. The check is done by requesting a configuration file, which indicates if a new version is available. If so, it is downloaded from a specific URL and executed by the legitimate application.

With the compromised ISP's DNS in place, however, the application is directed to a modified configuration file that claims an update is available but points to a backdoored YoutubeDL package.

The malicious payload is a PNG file containing either the MACMA or POCOSTICK/MGBot malware, depending on the operating system requesting the update. MACMA infects macOS, while POCOSTICK/MGBot infects the Microsoft Windows operating system.

Malicious Payloads

POCOSTICK, also known as MGBot, is likely a custom malware developed by StormBamboo, as it has not been used by any other group, according to ESET. This malware has existed since 2012 and consists of several modules enabling keylogging, file theft, clipboard interception, audio stream capture, and cookie and credential theft.

In contrast, MACMA allows keylogging, victim device fingerprinting, and screen and audio capture. It also provides command line access to the attacker and has file stealing capabilities. Google initially reported the existence of the MACMA malware in 2021, which was used to deploy watering hole attacks.

Google did not attribute that attack to a specific threat actor, but it targeted visitors to Hong Kong websites for a media outlet and a prominent pro-democracy labour and political group. This targeting matches that of Stormbamboo.

Volexity also observed significant code similarities between the latest MACMA variant and GIMMICK, another malware family used by the Stormcloud threat actor.

Finally, in one case, after a victim’s macOS device was compromised, Volexity observed the attacker deploy a malicious Google Chrome extension. The obfuscated code allows the attacker to send the browser’s cookies to a Google Drive account controlled by the attacker.

How can software vendors protect users from cyber threats?

Rascagneres told TechRepublic that Volexity has identified several targeted vulnerable update mechanisms from various software: 5KPlayer, Quick Heal, Sogou, Rainmeter, Partition Wizard, and Corel.

When asked about the security and improvement of the update mechanism at the software vendor level, the researcher stressed that “software editors should implement HTTPS update mechanism and check the SSL certificate of the website from where the updates are downloaded. Additionally, they should sign the updates and check this signature before executing them.”
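The 5KPlayer-style flow described above trusts whatever the fetched configuration file says, so a poisoned DNS answer is enough to make the client run an attacker-supplied package. The following is an added example, not code from Volexity or any of the named vendors, of the check Rascagneres recommends: a vendor public key compiled into the client verifies a signed update manifest, and the downloaded payload is accepted only if it hashes to the digest in that signed manifest. The manifest format, key handling and sample payloads are constructed for illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/json"
	"errors"
)

type Manifest struct { // update metadata the client fetches (hypothetical format)
	Version string   `json:"version"`
	URL     string   `json:"url"`
	SHA256  [32]byte `json:"sha256"`
}

// VerifyUpdate accepts an update only if the manifest is signed by the vendor
// key compiled into the client AND the downloaded payload hashes to the digest
// in that signed manifest. Poisoned DNS changes what is downloaded, not what the vendor signed.
func VerifyUpdate(pinned ed25519.PublicKey, manifest, sig, payload []byte) (*Manifest, error) {
	if !ed25519.Verify(pinned, manifest, sig) {
		return nil, errors.New("manifest signature invalid: refusing update")
	}
	var m Manifest
	if err := json.Unmarshal(manifest, &m); err != nil {
		return nil, err
	}
	if sha256.Sum256(payload) != m.SHA256 {
		return nil, errors.New("payload digest mismatch: refusing update")
	}
	return &m, nil
}

// Scenario replays the attack against the hardened check with constructed data.
func Scenario() (legitOK, forgedManifestBlocked, swappedPayloadBlocked bool) {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // pub ships inside the client
	good, bad := []byte("constructed: legitimate YoutubeDL package"), []byte("constructed: backdoored package")
	manifest, _ := json.Marshal(Manifest{Version: "2.0", URL: "http://updates.example/ytdl", SHA256: sha256.Sum256(good)})
	sig := ed25519.Sign(priv, manifest)
	_, err := VerifyUpdate(pub, manifest, sig, good)
	legitOK = err == nil
	// The attacker-controlled host serves a rewritten manifest naming the backdoor; it cannot re-sign it.
	forged, _ := json.Marshal(Manifest{Version: "2.1", URL: "http://updates.example/ytdl", SHA256: sha256.Sum256(bad)})
	_, err = VerifyUpdate(pub, forged, sig, bad)
	forgedManifestBlocked = err != nil
	// The attacker relays the genuine signed manifest but swaps the payload.
	_, err = VerifyUpdate(pub, manifest, sig, bad)
	swappedPayloadBlocked = err != nil
	return
}
```

Pinning the public key in the binary is what makes this work: if the client fetched the key from the same update host, the attacker controlling DNS could substitute it along with the manifest.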

To help companies detect Stormbamboo activity on their systems, Volexity provides YARA rules for detecting the various payloads and recommends blocking the indicators of compromise it has published.

Disclosure: I work for Trend Micro, but the views expressed in this article are mine.
