
China-linked hackers compromise internet service providers to deploy malicious software updates

August 5, 2024 | Ravi Lakshmanan | Browser Security / Windows Security


In mid-2023, the China-linked threat actor known as Evasive Panda compromised an unnamed internet service provider (ISP) in order to push malicious software updates to targeted companies, a move that signals a new level of sophistication for the group.

Evasive Panda, also known as Bronze Highland, Daggerfly, and StormBamboo, is a cyberespionage group that has been operating since at least 2012 and uses backdoors such as MgBot (also known as POCOSTICK) and Nightdoor (also known as NetMM and Suzafk) to gather sensitive information.

More recently, the threat actor was formally linked to a strain of macOS malware called MACMA, which has been observed in the wild since as early as 2021.


“StormBamboo is a highly skilled and aggressive actor that compromises the security of third parties (in this case, Internet service providers) to undermine its intended targets,” Volexity said in a report published last week.

“The variety of malware used in different campaigns by this threat actor indicates a significant amount of effort is being put into it, with payloads being actively supported not only for macOS and Windows systems, but also networked devices.”

Public reports from ESET and Symantec over the past two years have documented Evasive Panda's use of MgBot and its history of orchestrating watering hole and supply chain attacks aimed at Tibetan users.

One of those attacks was found to have targeted an international non-governmental organization (NGO) in mainland China, with MgBot delivered through the update channels of legitimate applications such as Tencent QQ.


At the time it was unclear whether the trojanized updates stemmed from a supply chain compromise of Tencent QQ's update servers or from an adversary-in-the-middle (AitM) attack. Volexity's analysis confirms the latter: the updates were hijacked through an ISP-level DNS poisoning attack.

Specifically, the attacker is said to have altered DNS responses for domains tied to software auto-update mechanisms, singling out software that fetched updates over insecure channels such as plain HTTP or that did not enforce proper integrity checks on the installers it downloaded.

“StormBamboo was found to be poisoning DNS requests to deploy malware via an HTTP auto-update mechanism and poisoning responses for legitimate hostnames that were used as second-stage command and control (C2) servers,” said researchers Ankur Saini, Paul Rascagneres, Steven Adair, and Thomas Lancaster.

The attack chains themselves are fairly straightforward: the abused update mechanism delivers either MgBot or MACMA, depending on the victim's operating system. Volexity said it has notified the affected ISP so that the DNS poisoning could be remediated.

In one case, a Google Chrome extension was also deployed on a victim's macOS device by modifying the browser's Secure Preferences file. The add-on purports to be a tool for loading pages in Internet Explorer compatibility mode, but its real purpose is to exfiltrate browser cookies to a Google Drive account controlled by the adversary.

“An attacker could intercept DNS requests and poison them with malicious IP addresses, then use this technique to abuse auto-update mechanisms that use HTTP rather than HTTPS,” the researchers said.
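The two properties the researchers single out, an HTTP transport and the absence of an integrity check, are what make a poisoned DNS answer sufficient to install arbitrary code. The following Go program is an added example, not code from Volexity or from any affected vendor: it models an auto-updater once as described in the article (install whatever the resolved host serves) and once with a detached Ed25519 signature verified against a key pinned in the client. The hostname `updates.example.invalid`, the TEST-NET addresses, the installer payloads and the fixed-seed keys are all constructed for the demonstration; the resolver is a function so that both the honest and the poisoned case run offline.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"errors"
	"fmt"
)

// Hypothetical update hostname. In the real attack the ISP's resolver returned
// the attacker's address for the vendor's hostname; here the resolver is a
// function so both cases can be exercised without a network.
const updateHost = "updates.example.invalid"

type resolver func(host string) string

func honestDNS(host string) string   { return "203.0.113.10" } // vendor's server (constructed)
func poisonedDNS(host string) string { return "198.51.100.7" } // attacker's server (constructed)

// Deterministic keys so the run is reproducible. Only vendorPub is shipped
// inside the client; the attacker never holds vendorPriv.
var (
	vendorPriv   = ed25519.NewKeyFromSeed(bytes.Repeat([]byte{0x01}, ed25519.SeedSize))
	vendorPub    = vendorPriv.Public().(ed25519.PublicKey)
	attackerPriv = ed25519.NewKeyFromSeed(bytes.Repeat([]byte{0x02}, ed25519.SeedSize))
)

// An update as served: installer bytes plus a detached Ed25519 signature.
type update struct {
	installer []byte
	sig       []byte
}

func sign(priv ed25519.PrivateKey, installer []byte) update {
	return update{installer: installer, sig: ed25519.Sign(priv, installer)}
}

// Constructed sample payloads keyed by server address. The attacker signs with
// its own key because it cannot produce the vendor's signature.
var served = map[string]update{
	"203.0.113.10": sign(vendorPriv, []byte("VENDOR-INSTALLER-v2.1")),
	"198.51.100.7": sign(attackerPriv, []byte("ATTACKER-INSTALLER-v2.1")),
}

// fetch resolves the update host through the given resolver and returns
// whatever the resolved address serves, mimicking a plain-HTTP download with
// no transport authentication.
func fetch(r resolver) (update, error) {
	u, ok := served[r(updateHost)]
	if !ok {
		return update{}, errors.New("no server at resolved address")
	}
	return u, nil
}

// vulnerableUpdate mirrors the updaters described in the article: plain HTTP
// and no integrity check, so a poisoned answer installs the attacker's file.
func vulnerableUpdate(r resolver) ([]byte, error) {
	u, err := fetch(r)
	if err != nil {
		return nil, err
	}
	return u.installer, nil
}

// hardenedUpdate refuses any installer whose detached signature does not
// verify against the key pinned in the client, whatever address DNS returned.
func hardenedUpdate(r resolver, pinned ed25519.PublicKey) ([]byte, error) {
	u, err := fetch(r)
	if err != nil {
		return nil, err
	}
	if !ed25519.Verify(pinned, u.installer, u.sig) {
		return nil, errors.New("update rejected: signature does not verify against pinned vendor key")
	}
	return u.installer, nil
}

func main() {
	cases := []struct {
		name string
		r    resolver
	}{{"honest DNS", honestDNS}, {"poisoned DNS", poisonedDNS}}
	for _, c := range cases {
		v, _ := vulnerableUpdate(c.r)
		h, err := hardenedUpdate(c.r, vendorPub)
		fmt.Printf("%-12s vulnerable installs %q; hardened installs %q (err=%v)\n", c.name, v, h, err)
	}
}
```

With the honest resolver both updaters install the vendor's file; with the poisoned resolver the vulnerable updater installs the attacker's file while the hardened one returns an error. Verifying the signature is what turns DNS poisoning into a rejected update rather than a compromise; moving the transport to HTTPS with proper certificate validation, as the researchers recommend, is the complementary fix, since a server at the attacker's address cannot present a valid certificate for the vendor's hostname.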
