Image: MidjourneyA Chinese hacking group tracked as StormBamboo has compromised an undisclosed internet service provider (ISP) to poison automatic software updates with malware.
Also tracked as Evasive Panda, Daggerfly, and StormCloud, this cyber-espionage group has been active since at least 2012, targeting organizations across mainland China, Hong Kong, Macao, Nigeria, and various Southeast and East Asian countries.
On Friday, Volexity threat researchers revealed that the Chinese cyber-espionage gang had exploited insecure HTTP software update mechanisms that didn’t validate digital signatures to deploy malware payloads on victims’ Windows and macOS devices.
“When these applications went to retrieve their updates, instead of installing the intended update, they would install malware, including but not limited to MACMA and POCOSTICK (aka MGBot),” cybersecurity company Volexity explained in a report published on Friday.
To do that, the attackers intercepted and modified victims’ DNS requests and poisoned them with malicious IP addresses. This delivered the malware to the targets’ systems from StormBamboo’s command-and-control servers without requiring user interaction.
For instance, they took advantage of 5KPlayer requests to update the youtube-dl dependency to push a backdoored installer hosted on their C2 servers.
After compromising the target’s systems, the threat actors installed a malicious Google Chrome extension (ReloadText), which allowed them to harvest and steal browser cookies and mail data.
StormBamboo attack flow (Volexity)
“Volexity observed StormBamboo targeting multiple software vendors, who use insecure update workflows, using varying levels of complexity in their steps for pushing malware,” the researchers added.
“Volexity notified and worked with the ISP, who investigated various key devices providing traffic-routing services on their network. As the ISP rebooted and took various components of the network offline, the DNS poisoning immediately stopped.”
In April 2023, ESET threat researchers also observed the hacking group deploying the Pocostick (MGBot) Windows backdoor by abusing the automatic update mechanism for the Tencent QQ messaging application in attacks targeting international NGOs (non-governmental organizations).
Almost a year later, in July 2024, Symantec’s threat hunting team spotted the Chinese hackers targeting an American NGO in China and multiple organizations in Taiwan with new Macma macOS backdoor and Nightdoor Windows malware versions.
In both cases, although the attackers’ skill was evident, the researchers believed it was either a supply chain attack or an adversary-in-the-middle (AITM) attack but weren’t able to pin down the exact attack method.