
Chinese APT Group Uses DNS Poisoning for Espionage

Cyber Warfare / Nation-State Attacks, Fraud Management and Cybercrime

StormBamboo targets automated software update systems to deploy malware

Akshay Asokan (asokan_akshaya) •
August 5, 2024


Security researchers say a state-backed hacking group linked to Chinese cyberespionage compromised an internet service provider to redirect software update connections to an attacker-controlled server that delivered malware.

Security firm Volexity discovered the campaign and attributes it to a threat group it tracks as StormBamboo. The group, also known as Evasive Panda, deployed the Macma backdoor on victims. Symantec's Threat Hunter Team recently attributed Macma to a group it tracks as Daggerfly, a likely state-backed threat actor that has targeted pro-democracy activists in Hong Kong (see: Chinese Cyberespionage Group Expands Malware Arsenal).

Volexity researchers first observed the campaign last year. The threat actor compromised an unidentified ISP and poisoned DNS responses for specific hostnames: the update hosts queried by applications that do not verify the digital signatures of the installers they fetch. Volexity said the threat actor targeted multiple software vendors but named just one: 5KPlayer, an audiovisual player, streamer and downloader.

Every time 5KPlayer starts, it checks for a new version of the open-source YouTube downloader youtube-dl. "StormBamboo used DNS poisoning to host a modified configuration file indicating that a new update was available. This caused the YoutubeDL software to download an update package from the StormBamboo server," Volexity wrote. The "update package" hosted on the threat actor-controlled server contained the Macma backdoor.
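As an added illustration, not code from Volexity, 5KPlayer or the youtube-dl project, the Go program below contrasts an update client built the way the article describes, trusting whatever manifest name resolution hands it, with one that pins the vendor's Ed25519 public key, verifies the manifest signature, checks the downloaded package against the hash the signed manifest names, and refuses downgrades. The manifest format, the update URL and the package bytes are constructed for the example; with those checks in place, an attacker who controls only DNS can still redirect the connection but cannot produce an update the client will accept.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"fmt"
)

// Manifest is the update descriptor a client fetches from the vendor's update
// host; the field names are assumptions made for this example.
type Manifest struct {
	Build  int    `json:"build"`  // monotonic build number (an int sidesteps version-string parsing)
	URL    string `json:"url"`    // where the package is served from
	SHA256 string `json:"sha256"` // lowercase hex SHA-256 of the package served at URL
}

// SignManifest is the vendor side: sign the exact bytes that will be served.
func SignManifest(priv ed25519.PrivateKey, m Manifest) (manifestJSON, sig []byte, err error) {
	manifestJSON, err = json.Marshal(m)
	if err != nil {
		return nil, nil, err
	}
	return manifestJSON, ed25519.Sign(priv, manifestJSON), nil
}

// LegacyUpdate models the pattern the article describes: the client trusts
// whatever manifest name resolution leads it to and accepts the referenced
// package with no signature or hash check, so whoever controls DNS for the
// update host decides what gets installed.
func LegacyUpdate(installed int, manifestJSON, pkg []byte) (int, error) {
	var m Manifest
	if err := json.Unmarshal(manifestJSON, &m); err != nil {
		return installed, err
	}
	if m.Build <= installed {
		return installed, nil
	}
	return m.Build, nil // a real client would now write pkg to disk and run it
}

// VerifyUpdate is the hardened client. pub is the vendor's Ed25519 public key
// compiled into the application rather than fetched, so a poisoned DNS answer
// cannot substitute it. It returns the build number installed afterwards.
func VerifyUpdate(pub ed25519.PublicKey, installed int, manifestJSON, sig, pkg []byte) (int, error) {
	// 1. Only the pinned key may sign manifests. An attacker who controls DNS
	//    can serve a manifest of their own but cannot sign it.
	if !ed25519.Verify(pub, manifestJSON, sig) {
		return installed, fmt.Errorf("manifest signature invalid: refusing update")
	}
	var m Manifest
	if err := json.Unmarshal(manifestJSON, &m); err != nil {
		return installed, err
	}
	// 2. Reject replays of an older, genuinely signed manifest (downgrade).
	if m.Build <= installed {
		return installed, fmt.Errorf("build %d is not newer than installed build %d", m.Build, installed)
	}
	// 3. The package must match the hash the signed manifest commits to, so a
	//    genuine manifest cannot be paired with a swapped package.
	sum := sha256.Sum256(pkg)
	if hex.EncodeToString(sum[:]) != m.SHA256 {
		return installed, fmt.Errorf("package hash does not match signed manifest")
	}
	return m.Build, nil
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	genuine := []byte("youtube-dl build 11 (constructed stand-in for the real package)")
	sum := sha256.Sum256(genuine)
	mj, sig, _ := SignManifest(priv, Manifest{11, "https://updates.example/ytdl", hex.EncodeToString(sum[:])})
	// Poisoned DNS: the client lands on the attacker's host, which serves its
	// own manifest advertising build 20, signed with the attacker's own key.
	backdoor := []byte("constructed stand-in for a backdoored package")
	bad := sha256.Sum256(backdoor)
	evil, _ := json.Marshal(Manifest{20, "https://updates.example/ytdl", hex.EncodeToString(bad[:])})
	_, evilPriv, _ := ed25519.GenerateKey(rand.Reader)
	v, _ := LegacyUpdate(10, evil, backdoor)
	fmt.Println("legacy client now runs build:", v)
	_, err := VerifyUpdate(pub, 10, evil, ed25519.Sign(evilPriv, evil), backdoor)
	fmt.Println("hardened client, attacker manifest:", err)
	_, err = VerifyUpdate(pub, 10, mj, sig, backdoor)
	fmt.Println("hardened client, genuine manifest but swapped package:", err)
	v, err = VerifyUpdate(pub, 10, mj, sig, genuine)
	fmt.Println("hardened client, genuine update:", v, err)
}
```

Pinning the key in the binary is what makes this work: a client that fetched the vendor's public key over the same DNS-resolved connection would simply be handed the attacker's key. Fetching over HTTPS would also have defeated this particular redirection, since the attacker's host cannot present a valid certificate for the vendor's name, but the signature and hash checks hold up even if the vendor's own update server is compromised.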

Google first documented Macma in 2021, and security researchers have since noted steady improvements to the backdoor. Volexity says the latest samples it detected overlap with another malware family it attributes to the same threat actor, which it calls Gimmick. The company identified Gimmick in a late 2021 intrusion involving a MacBook Pro.

Because the attack was carried out from within an ISP's infrastructure, its source was initially hard to pin down: researchers first suspected the attackers had gained initial access by breaching the victim's firewall.

“Volexity notified and worked with the ISP, who examined various key devices providing traffic routing services on their network. Once the ISP rebooted and disabled various network components, the DNS poisoning immediately ceased,” the researchers said.