The China-linked threat actor Evasive Panda, also known as StormBamboo, compromised an unnamed internet service provider (ISP) to push malicious software updates to target companies in mid-2023.
Evasive Panda, aka Bronze Highland and Daggerfly, has been active since at least 2012. The group is notorious for using backdoors like MgBot (also known as POCOSTICK) and Nightdoor (aka NetMM and Suzafk) to extract sensitive information. In mid-2023, cybersecurity firm Volexity uncovered multiple instances of systems infected with malware linked to StormBamboo. The malware affected both macOS and Windows systems within the victim organizations' networks.
The method of infection was initially unclear but was later traced to a DNS poisoning attack at the ISP level. Volexity discovered that StormBamboo was altering DNS query responses for specific domains associated with automatic software update mechanisms. The tactic targeted software with insecure update processes, such as those using HTTP without proper digital signature validation of installers. When these applications attempted to retrieve updates, they instead downloaded and installed malware, including MACMA and POCOSTICK.
Initially, Volexity suspected a firewall compromise within the victim organization, but further investigation revealed that the DNS poisoning occurred upstream, at the ISP level. By controlling DNS responses, the threat actors redirected the applications' HTTP update requests to attacker-controlled command-and-control (C2) servers that hosted malicious update files and installers.
StormBamboo targeted multiple software vendors with insecure update workflows, employing varying levels of complexity to push malware. For example, the 5KPlayer software routinely checks for updates of “YoutubeDL” each time it starts.
StormBamboo used DNS poisoning to redirect that update request to a server hosting a modified configuration file, which prompted the software to download a backdoored upgrade package. This package contained malicious code within the YouTubeDL.py file, designed to download the next-stage payload, a PNG file embedding MACMA (for macOS) or POCOSTICK (for Windows).
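The weakness exploited here is an updater that trusts whatever the resolved host serves. As an added illustration (not code from Volexity's report or from any of the affected vendors), the Go updater check below shows the control the targeted software lacked: the client pins the vendor's Ed25519 public key and installs only a package whose hash appears in a correctly signed manifest, so a download redirected by poisoned DNS fails verification no matter which server it came from. The manifest format, key handling and sample package bytes are constructed for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// Manifest is a constructed update descriptor: the version to install plus the SHA-256 of the exact package bytes.
type Manifest struct {
	Version string
	PkgSHA  string
}

// NewManifest is the vendor-side helper that pins the package hash into the manifest.
func NewManifest(version string, pkg []byte) Manifest {
	sum := sha256.Sum256(pkg)
	return Manifest{Version: version, PkgSHA: hex.EncodeToString(sum[:])}
}
func (m Manifest) bytes() []byte { return []byte(m.Version + "\n" + m.PkgSHA) }

// SignManifest runs in the vendor's release pipeline; the private key never ships with the product.
func SignManifest(priv ed25519.PrivateKey, m Manifest) []byte {
	return ed25519.Sign(priv, m.bytes())
}

// VerifyUpdate is the client-side gate. The public key is compiled into the updater, so a redirected
// download fails here whether it carries a forged manifest (wrong key) or the real manifest with a swapped package.
func VerifyUpdate(pub ed25519.PublicKey, m Manifest, sig, pkg []byte) error {
	if !ed25519.Verify(pub, m.bytes(), sig) {
		return errors.New("manifest signature invalid: refusing update")
	}
	sum := sha256.Sum256(pkg)
	if hex.EncodeToString(sum[:]) != m.PkgSHA {
		return errors.New("package hash does not match signed manifest")
	}
	return nil // only now may the package be written to disk and executed
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // stands in for the vendor's long-term key pair
	pkg := []byte("constructed: genuine update package")
	m := NewManifest("1.2.3", pkg)
	sig := SignManifest(priv, m)
	fmt.Println("genuine:", VerifyUpdate(pub, m, sig, pkg))
	fmt.Println("swapped:", VerifyUpdate(pub, m, sig, []byte("constructed: attacker payload")))
}
```

Transport matters too: fetching over HTTPS with a validated certificate would have blocked the redirect at the connection stage, but signature verification protects even when the download channel itself is compromised.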
In one instance, following the successful compromise of a macOS device, Volexity observed StormBamboo deploying a malicious Google Chrome extension, tracked as RELOADEXT, to the victim's device. The purpose of this extension is to exfiltrate browser cookies to a Google Drive account controlled by the attacker, Volexity's report said.