
StormBamboo exposes ISP to risk of spreading malware via updates

New research from cybersecurity firm Volexity has revealed details of a highly sophisticated attack carried out by a Chinese-speaking cyber espionage group called StormBamboo.

StormBamboo compromised the security of an ISP to modify some DNS responses to queries from systems requesting legitimate software updates. The attack targeted multiple software vendors. The modified responses led to malicious payloads served by StormBamboo in addition to legitimate update files. The payloads targeted both macOS and Microsoft Windows operating systems.

Who is StormBamboo?

StormBamboo — also known as Evasive Panda, Daggerfly, or Bronze Highland — is a China-linked cyber espionage actor active since at least 2012. The Chinese-speaking group has targeted numerous organizations linked to Chinese interests around the world.

Over the years, the group has targeted individuals in mainland China, Hong Kong, Macau, and Nigeria. It has also targeted entities, including governments, in Southeast Asia, East Asia, the United States, India, and Australia.

The group has a long history of compromising legitimate infrastructure in order to infect its targets with custom malware developed for Microsoft Windows and macOS operating systems. The group has carried out watering hole attacks, which involve compromising a specific website in order to attack its visitors and infect them with malware.

StormBamboo can also conduct supply chain attacks, such as hacking into software platforms to silently infect people with malware.

The group may also target Android users.

ISP Compromised, DNS Responses Poisoned

An attacker managed to hack into an Internet Service Provider's (ISP's) infrastructure to gain control over the DNS responses sent by the ISP's DNS servers.

DNS servers are primarily responsible for translating domain names into IP addresses, directing clients to the correct website. An attacker controlling the server can cause computers that request a specific domain name to be sent to an IP address controlled by the attacker. That's exactly what StormBamboo did.

While it is not known how the group breached the Internet Service Provider (ISP) system, Volexity reported that the ISP rebooted and disabled various components of its network, which immediately halted the DNS poisoning operation.

The attacker wanted to change the DNS responses of several different legitimate app update sites.


Paul Rascagneres, a threat researcher at Volexity and the author of the paper, told TechRepublic that the company doesn’t know exactly how attackers choose ISPs.

“The attackers likely did some research or reconnaissance to identify the victim’s ISP,” he wrote. “We don’t know if other ISPs were compromised; it’s difficult to identify them externally. StormBamboo is an aggressive threat actor. If this MOA was successful for them, they could use it on other ISPs for other purposes.”

Abuse of legitimate update mechanisms

Multiple software vendors have been targeted by this attack.

When DNS requests from users reached the compromised DNS server, it responded with an attacker-controlled IP address that delivered the legitimate software update — but bundled with an attacker payload.

Attack Workflow. Image: Volexity

The Volexity report found that a number of software vendors using insecure update processes were affected, and cited the software 5KPlayer as an example.

The software checks for updates for “YoutubeDL” every time it is launched. This is done by requesting a configuration file that indicates if a new version is available. If so, it is downloaded from a specified URL and executed by the legitimate application.

However, the compromised ISP's DNS server leads the application to a modified configuration file that indicates the presence of an update but delivers a tampered YoutubeDL package.

The malicious payload is a PNG file containing either MACMA or POCOSTICK/MGBot malware, depending on the operating system requesting the update. MACMA infects macOS, while POCOSTICK/MGBot infects Microsoft Windows operating systems.

Malicious payloads

POCOSTICK, also known as MGBot, is a custom malware, likely developed by StormBamboo, as it has not been used by any other group, according to ESET. The malware has been around since 2012 and consists of several modules capable of keystroke logging, file theft, clipboard hijacking, audio stream interception, cookie capture, and credential theft.

On the other hand, MACMA allows for keystroke logging, fingerprinting of the victim's device, and screen and audio capture. It also provides the attacker with a command line and file theft capabilities. Google first reported MACMA in 2021, when it was being deployed through watering hole attacks.

The attack reported by Google was not attributed to any threat actor, but it targeted visitors to Hong Kong media websites and prominent pro-democracy labor and political groups, according to Google. The attack is consistent with StormBamboo's goals.

Volexity also noticed significant code similarities between the latest version of MACMA and another malware family, GIMMICK, used by StormCloud cybercriminals.

Finally, in one case, after a victim's macOS device was compromised, Volexity saw the attacker deploy a malicious Google Chrome extension. Its obfuscated code allowed the attacker to exfiltrate browser cookies to an attacker-controlled Google Drive account.

How can software vendors protect users from cyber threats?

Rascagneres told TechRepublic that Volexity identified several targeted, malicious update mechanisms in various programs: 5k Player, Quick Heal, Sogou, Rainmeter, Partition Wizard, and Corel.

When asked how update mechanisms could be protected and improved at the software vendor level, the researcher urged that "software editors should enforce the HTTPS update mechanism and check the SSL certificate of the site from which updates are downloaded. In addition, they should sign updates and check this signature before executing them."
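The 5KPlayer flow described above (fetch a configuration file, and if it announces a new version, download and execute whatever it points at) is exactly what a poisoned resolver can hijack, because nothing in that flow authenticates the configuration file or the binary. The following Go program is an added example, not code from Volexity or from any vendor named in the article, showing how an updater that applies Rascagneres's three controls behaves: the update manifest must carry a valid vendor signature, the download URL must be HTTPS so the TLS layer verifies the server certificate, and the downloaded bytes must match the digest pinned in the signed manifest. The manifest format, field names, URLs and installer bytes are all constructed for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"errors"
	"fmt"
	"net/url"
	"strings"
)

// Manifest is a hypothetical update descriptor, standing in for the
// "configuration file that indicates if a new version is available" in the
// article. The field names are assumptions made for this example.
type Manifest struct {
	Version string `json:"version"`
	URL     string `json:"url"`    // where the installer is fetched from
	SHA256  string `json:"sha256"` // hex digest of the installer bytes
}

// VerifyUpdate applies the three vendor-side controls quoted in the article.
// A DNS answer that points the client at an attacker's host fails all three:
// the attacker cannot forge the vendor's Ed25519 signature, cannot present a
// valid certificate for the vendor's hostname over HTTPS, and cannot produce
// a different installer with the same SHA-256 digest.
func VerifyUpdate(pub ed25519.PublicKey, manifestJSON, sig, payload []byte) (*Manifest, error) {
	// 1. Authenticate the manifest before trusting anything inside it.
	if !ed25519.Verify(pub, manifestJSON, sig) {
		return nil, errors.New("manifest signature invalid: refusing update")
	}
	var m Manifest
	if err := json.Unmarshal(manifestJSON, &m); err != nil {
		return nil, fmt.Errorf("manifest unparsable: %w", err)
	}
	// 2. Only fetch over HTTPS. A plain-http URL lets a poisoned resolver
	//    hand the client any bytes it likes with no certificate check.
	u, err := url.Parse(m.URL)
	if err != nil || !strings.EqualFold(u.Scheme, "https") {
		return nil, fmt.Errorf("update URL %q is not https: refusing update", m.URL)
	}
	// 3. Pin the downloaded payload to the digest the signed manifest promised.
	sum := sha256.Sum256(payload)
	if !strings.EqualFold(hex.EncodeToString(sum[:]), m.SHA256) {
		return nil, errors.New("payload digest mismatch: refusing update")
	}
	return &m, nil
}

// MakeManifest builds a manifest for a given installer (release-time step).
func MakeManifest(version, dlURL string, payload []byte) Manifest {
	sum := sha256.Sum256(payload)
	return Manifest{Version: version, URL: dlURL, SHA256: hex.EncodeToString(sum[:])}
}

// SignManifest is the vendor-side half. It runs at release time with a private
// key that never lives on the update server, so compromising the server (or
// the path to it) does not yield the ability to sign.
func SignManifest(priv ed25519.PrivateKey, m Manifest) (manifestJSON, sig []byte, err error) {
	manifestJSON, err = json.Marshal(m)
	if err != nil {
		return nil, nil, err
	}
	return manifestJSON, ed25519.Sign(priv, manifestJSON), nil
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	installer := []byte("constructed installer bytes v2.0") // constructed sample
	manifestJSON, sig, _ := SignManifest(priv,
		MakeManifest("2.0", "https://updates.example.invalid/app.pkg", installer))

	if m, err := VerifyUpdate(pub, manifestJSON, sig, installer); err == nil {
		fmt.Println("genuine update accepted, version", m.Version)
	}
	// What a poisoned resolver delivers: the real manifest, but different bytes.
	if _, err := VerifyUpdate(pub, manifestJSON, sig, []byte("swapped bytes")); err != nil {
		fmt.Println("rejected:", err)
	}
	// An attacker who rewrites the manifest cannot re-sign it with the vendor key.
	forged, _ := json.Marshal(MakeManifest("2.1", "https://updates.example.invalid/app.pkg", []byte("swapped bytes")))
	if _, err := VerifyUpdate(pub, forged, sig, []byte("swapped bytes")); err != nil {
		fmt.Println("rejected:", err)
	}
}
```

The order of the checks matters: the signature is verified over the raw manifest bytes before they are parsed, so a forged or edited configuration file is discarded before any URL or version inside it can influence the client. The HTTPS requirement on its own would not have stopped the attack if the client also accepted plain-http manifests, which is why the manifest itself, not just the download, is signed.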

To help companies detect StormBamboo activity on their systems, Volexity provides YARA rules to detect various payloads and recommends blocking indicators of compromise provided by the company.

Disclosure: I work at Trend Micro but the views expressed in this article are my own.