
Mac and Windows users infected with software updates delivered by hacked ISP


Researchers say hackers delivered malware to Windows and Mac users by hacking into their Internet service provider and then manipulating software updates sent over unsecure connections.

According to researchers from security firm Volexity, the attack involved hacking routers or similar types of infrastructure on an unnamed ISP’s devices. The attackers then used control of the devices to poison Domain Name System responses to legitimate hostnames, providing updates to at least six different applications written for Windows or macOS. The affected applications included 5KPlayer, Quick Heal, Rainmeter, Partition Wizard, and those from Corel and Sogou.

These are not the update servers you are looking for

Because the update mechanisms did not use TLS or cryptographic signatures to authenticate connections or downloaded software, threat actors were able to leverage their control over the ISP infrastructure to successfully launch machine-in-the-middle (MitM) attacks that directed targeted users to malicious servers rather than those operated by the software vendors. These redirects worked even when users used unencrypted public DNS services such as Google’s 8.8.8.8 or Cloudflare’s 1.1.1.1 rather than an authoritative DNS server provided by the ISP.

“This is the funny/scary part — this wasn’t a hack of the ISP’s DNS servers,” Volexity CEO Steven Adair wrote in an online interview. “This was a breach of the network infrastructure for internet traffic. For example, DNS queries were going to Google’s DNS servers destined for 8.8.8.8. The traffic was intercepted to respond to the DNS queries with the IP address of the attacker’s servers.”

In other words, DNS responses returned by any DNS server would be altered once they passed through the compromised ISP’s infrastructure. The only way an end user could thwart the attack was to use DNS over HTTPS or DNS over TLS, so that responses could not be altered in transit, or to avoid any use of applications that deliver unsigned updates over unencrypted connections.

Volexity has provided the following diagram illustrating the attack flow:

Variability

For example, the 5KPlayer app uses an unsecure HTTP connection instead of an encrypted HTTPS connection to check if an update is available and, if so, download a configuration file called Youtube.config. StormBamboo, the name used in the industry to track the hacking group responsible, used DNS poisoning to deliver a malicious version of the Youtube.config file from a malicious server. This file, in turn, downloaded a next-stage payload, which was disguised as a PNG image. In reality, it was an executable that installed malware tracked under the names MACMA for macOS devices or POCOSTICK for Windows devices.

MACMA first saw the light of day in 2021 in a post published by Google’s Threat Analysis Group, a team that tracks nation-state-backed malware and cyberattacks. The backdoor was written for macOS and iOS devices and provided a full set of capabilities, including device fingerprinting, screen capture, file downloads and uploads, terminal command execution, audio recording, and keystroke logging.

POCOSTICK, meanwhile, has been in use since at least 2014. Last year, security firm ESET said the malware, which it tracked under the name MGBot, was used exclusively by a Chinese-speaking threat group tracked as Evasive Panda.

ESET researchers determined that the malware was installed via legitimate updates of benign software, but they weren’t sure how. One possibility, the researchers said at the time, was a supply chain attack that replaced legitimate updates with malicious ones at the source. Another possible scenario was a MitM attack on the servers delivering the updates. Volexity’s findings now confirm that the latter explanation is correct.

In at least one recent attack, StormBamboo forced a macOS device to install a browser plugin that Volexity tracks as RELOADEXT. The extension pretends to load web pages to be compatible with Internet Explorer. In reality, Volexity claims, it copies browser cookies and sends them to a Google Drive account controlled by the attackers. The data was base64-encoded and encrypted using the Advanced Encryption Standard. Despite the caution, however, the hackers exposed the client_id, client_secret, and refresh_token in the malicious extension.

Another technique Volexity observed was StormBamboo using DNS poisoning to hijack www.msftconnecttest.com, a domain Microsoft uses to determine whether Windows devices are actively connected to the internet. By replacing the legitimate DNS resolution with an IP address pointing to a malicious site operated by threat actors, they could intercept HTTP requests destined for any host.

Adair would not reveal the identity of the hacked ISP, saying only that it was “not a large, serious provider, nor one that anyone would be familiar with.”

“In our case, the incident is contained, but we see other servers that are actively serving malicious updates, but we don’t know where they’re being served from,” he said. “We suspect there are other active attacks out there that we don’t have visibility into. This could be due to an ISP breach or a local breach of an organization, such as its firewall.”

As mentioned earlier, there are few options for preventing this type of attack beyond (1) avoiding all software that updates itself in an insecure manner or (2) using DNS over HTTPS or DNS over TLS. The first method is probably the best, although it probably means having to stop using your preferred application in at least some cases. Alternate DNS configurations are viable, but are currently only offered by a handful of DNS providers, with 8.8.8.8 and 1.1.1.1 being the most well-known.