APT StormBamboo compromised an undisclosed internet service provider (ISP) to poison DNS responses and thus deliver malware to target organizations, Volexity researchers have shared.
Malware delivery via automatic software updates
StormBamboo (aka Evasive Panda, aka StormCloud), a Chinese-speaking threat actor that focuses on cyberespionage, has a penchant for compromising third parties to breach intended targets.
In April 2023, ESET researchers documented the threat actor targeting an international NGO in China with malicious updates, but weren’t able to pinpoint whether these updates were delivered through supply-chain compromise or adversary-in-the-middle attacks.
Later, while responding to incidents involving malware attributed to StormBamboo, Volexity researchers determined that the group was altering the DNS responses for specific domains used by automatic software update mechanisms.
“StormBamboo appeared to target software that used insecure update mechanisms, such as HTTP, and did not properly validate digital signatures of installers. Therefore, when these applications went to retrieve their updates, instead of installing the intended update, they would install malware, including but not limited to MACMA and POCOSTICK (aka MGBot).”
After compromising systems with MACMA (a Mac backdoor) or MGBot (the group’s signature Windows backdoor), the attackers would deploy a Google Chrome extension to the victim’s device.
The extension claimed to load web pages in Internet Explorer compatibility mode, but it covertly collected browser cookies and exfiltrated them to a Google Drive account controlled by the attackers.
DNS poisoning at the ISP level
After discovering the malicious updates, Volexity's incident responders first suspected that the victim organization's firewall had been compromised, but soon found that the DNS poisoning was being performed further upstream, at the ISP level.
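To make both points concrete, the update hijack described above (plain HTTP fetch, no signature check) and the upstream poisoning that Volexity traced to the ISP can be modelled in a few lines. The following Python is an added illustration written for this article, not Volexity's, the ISP's or any vendor's code. The update hostname, the IP addresses, the installer bytes and the toy RSA key are all constructed; the toy signature stands in for the real code-signing and TLS identity checks an updater would use. It shows why an updater that installs whatever the resolved host serves is defeated by a poisoned resolver alone, why either a pinned-key transport check or a signature check on the installer blocks the same swap, and the cross-check an incident responder can use to spot the poisoning: resolve the update domain through the local (ISP) path and through an independent path, then compare.

```python
"""Toy model of the StormBamboo update hijack: a resolver poisoned upstream of the
victim sends the updater to an attacker host. Constructed for this article."""
import hashlib

# Toy RSA key pair (assumption: stands in for the vendor's real code-signing/TLS key).
# Textbook RSA over a ~40-bit modulus; only the structure of the checks matters here.
P, Q, E = 999983, 1000003, 65537
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))  # private exponent: the attacker never has this


def _digest(data: bytes) -> int:
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % N


def sign(data: bytes, priv: int = D) -> int:
    return pow(_digest(data), priv, N)


def verify(data: bytes, sig: int, pub: int = E) -> bool:
    return pow(sig, pub, N) == _digest(data)


# Constructed hosts and addresses (RFC 5737 documentation ranges).
VENDOR_HOST = "updates.vendor.test"
VENDOR_IP, ATTACKER_IP = "203.0.113.10", "198.51.100.66"
LEGIT_INSTALLER = b"vendor-installer-v2.bin"
MALWARE = b"trojanized-installer.bin"


class Server:
    """A reachable IP: serves files and, if it holds the vendor key, can prove its identity."""

    def __init__(self, files, key=None):
        self.files, self.key = files, key

    def get(self, path: str) -> bytes:
        return self.files[path]

    def prove(self, host: str, nonce: bytes):
        # Pinned-key stand-in for TLS hostname verification: the client keeps the vendor
        # public key and only accepts a server that can sign host||nonce with the private key.
        return None if self.key is None else sign(host.encode() + nonce, self.key)


NETWORK = {
    VENDOR_IP: Server({"/installer.bin": LEGIT_INSTALLER,
                       "/installer.sig": str(sign(LEGIT_INSTALLER)).encode()}, key=D),
    ATTACKER_IP: Server({"/installer.bin": MALWARE, "/installer.sig": b"0"}),
}
HONEST_DNS = {VENDOR_HOST: VENDOR_IP}
POISONED_DNS = {VENDOR_HOST: ATTACKER_IP}  # what the victim's queries returned via the ISP


def insecure_update(resolver: dict) -> bytes:
    """Plain HTTP, no signature check: installs whatever the resolved host serves."""
    return NETWORK[resolver[VENDOR_HOST]].get("/installer.bin")


def hardened_update(resolver: dict, verify_transport: bool = True,
                    nonce: bytes = b"\x00\x01\x02\x03") -> bytes:
    """Two independent checks; a poisoned answer is caught by either one.
    (A real client would draw the nonce at random per connection.)"""
    server = NETWORK[resolver[VENDOR_HOST]]
    if verify_transport:
        proof = server.prove(VENDOR_HOST, nonce)
        if proof is None or not verify(VENDOR_HOST.encode() + nonce, proof):
            raise RuntimeError("server failed identity check for " + VENDOR_HOST)
    installer = server.get("/installer.bin")
    if not verify(installer, int(server.get("/installer.sig"))):
        raise RuntimeError("installer signature invalid")
    return installer


def dns_cross_check(host: str, local_resolver: dict, reference_resolver: dict) -> dict:
    """Responder's check: compare the answer seen through the ISP path with an
    independent resolution path (for example DoH to a trusted resolver)."""
    local, ref = local_resolver.get(host), reference_resolver.get(host)
    return {"host": host, "local": local, "reference": ref, "mismatch": local != ref}


if __name__ == "__main__":
    print("insecure, poisoned ->", insecure_update(POISONED_DNS))
    for transport in (True, False):
        try:
            hardened_update(POISONED_DNS, verify_transport=transport)
        except RuntimeError as err:
            print("hardened, poisoned ->", err)
    print(dns_cross_check(VENDOR_HOST, POISONED_DNS, HONEST_DNS))
```

The two checks in `hardened_update` are deliberately independent: `verify_transport=False` models an updater that still fetches over plain HTTP but verifies the installer's signature, and it rejects the swapped file just the same. The cross-check only tells you that two paths disagree; as in the Volexity case, working out which one is lying means following the query upstream.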
How StormBamboo delivered malicious updates (Source: Volexity)
Volexity contacted the ISP, which investigated the devices providing traffic-routing services on its network. “As the ISP rebooted and took various components of the network offline, the DNS poisoning immediately stopped,” Volexity added.
While Volexity did not discover how the DNS entries were modified on the compromised device(s) operated by the ISP, they note that CATCHDNS, malware that can intercept DNS and HTTP requests and has previously been used by another Chinese-speaking threat actor, might have been leveraged in these attacks.
Two weeks ago, Symantec’s threat hunters, who track the group as Daggerfly, reported on StormBamboo’s use of an Apache HTTP server vulnerability to deliver the MgBot malware and on its use of a new Windows backdoor (Nightdoor), and said that the APT can create versions of its tools targeting most major operating system platforms.
“Symantec has seen evidence of the ability to Trojanize Android APKs, SMS interception tools, DNS request interception tools, and even malware families targeting Solaris OS. Daggerfly appears to be capable of responding to exposure by quickly updating its toolset to continue its espionage activities with minimal disruption,” they said.