Chinese hacker group StormBamboo has launched a malware attack on both Windows and macOS systems by exploiting a compromised internet service provider (ISP).
Since 2012, this infamous group has been carrying out cyber-espionage under the aliases Evasive Panda, Daggerfly, and StormCloud. They are targeting companies in mainland China, Hong Kong, Macao, Nigeria, and a number of Southeast and East Asian nations.
In April 2023, ESET researchers discovered a threat actor sending malicious updates to an international NGO in China. They were unable to tell whether the updates had been uploaded via a supply-chain hack or an adversary-in-the-middle attack.
Threat researchers from Volexity disclosed on Friday that a Chinese cyber-espionage group managed to attack users’ Windows and macOS machines with malware by using weak HTTP software update methods that did not verify digital signatures.
According to Volexity’s report, when these applications requested to download updates, they instead installed malware, including MACMA and POCOSTICK (also known as MGBot). Researchers have linked this threat actor to the MACMA macOS malware strain, which has been active since 2021.
How The Hackers Misuse DNS To Spread Malware
In the most recent attack, hackers employed a more sophisticated technique, taking advantage of vulnerable automatic update systems in the software environment of the victim.
Furthermore, this clever method didn’t require any user input. Since authentic applications usually send an HTTP request to fetch a text file with the most recent version and an installation link, the attack exploited a design vulnerability in automatic updates.
Attackers intercepted and changed victims’ DNS queries, adding fake IP addresses. This method allowed attackers to deploy malware from StormBamboo’s command-and-control servers with no user involvement.
A JavaScript popup that prompted victims to “update their browser” appeared on their website. By clicking on this popup, a malicious file was downloaded from the attacker’s site.
In one scenario, a malicious Google Chrome extension was loaded onto the victim’s macOS device by modifying the Secure Preferences file. The extension claimed to allow compatibility mode with Internet Explorer, but its actual function was to harvest browser cookies and transfer them to the attacker’s Google Drive account.
Volexity discovered that StormBamboo employs a range of complexity to spread malware, targeting a variety of software companies with insecure update techniques.
Symantec’s threat hunters noted two weeks ago that StormBamboo delivered the MgBot malware via an Apache HTTP server vulnerability. Threat hunters also noticed the deployment of Nightdoor, a new Windows backdoor, and revealed that the APT can customise its techniques to target most major operating system platforms.
StormBamboo is a highly competent and aggressive threat actor known to compromise third parties, such as ISPs, to reach their intended targets. The extensive number of malware used in the attacks demonstrates a significant effort.
At Phishing Tackle, we know all too well that security technology is often left incorrectly configured, demonstrated by our free Domain Spoofing Test which currently gets past around 50% of users security systems.
Security Awareness Training remains one of the most cost-effective methods of boosting cyber-security within your business. Have a look at our free Click-Prone® Test to find out how many of your staff are susceptible to a phishing attack and learn how you can reduce this number today.