In a marked escalation, the China-linked threat actor Evasive Panda compromised an unidentified internet service provider (ISP) in mid-2023 in order to push malicious software updates to targeted organizations.
A cyber-espionage group known as Evasive Panda, which also goes by the names Bronze Highland, Daggerfly, and StormBamboo, has been operating since at least 2012 and uses backdoors like MgBot (also known as POCOSTICK) and Nightdoor (also known as NetMM and Suzafk) to steal sensitive data.
A macOS malware strain known as MACMA, which has been seen in the wild since 2021, was officially attributed to the threat actor more recently.
“StormBamboo is a highly skilled and aggressive threat actor who compromises third-parties (in this case, an ISP) to breach intended targets,” Volexity said in a report published last week.
“The variety of malware employed in various campaigns by this threat actor indicates significant effort is invested, with actively supported payloads for not only macOS and Windows, but also network appliances.”
Evasive Panda’s use of MgBot and its track record of orchestrating watering hole and supply chain attacks targeting Tibetan users have been documented in public reports released by Symantec and ESET over the past two years.
MgBot was delivered through the update channels of legitimate applications such as Tencent QQ, and the same malware was also found targeting an international non-governmental organization (NGO) in Mainland China.
While it was speculated that the trojanized updates were either the result of a supply chain compromise of Tencent QQ’s update servers or a case of an adversary-in-the-middle (AitM) attack, Volexity’s analysis confirms it’s the latter stemming from a DNS poisoning attack at the ISP level.
Specifically, the threat actor alters DNS responses for particular domains tied to automatic software update mechanisms. The targets are therefore applications whose updaters fetch over insecure HTTP or that do not adequately verify the integrity of the installers they download.
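The two weaknesses named above, plain-HTTP transport and missing integrity checks, are what a poisoned resolver needs. The following added example (not Volexity's or any vendor's code) shows an update client that refuses both: it rejects non-HTTPS update URLs, authenticates the vendor's manifest before trusting the digest inside it, and compares the downloaded installer against that digest. The installer bytes, hostnames and vendor key are constructed; the HMAC over the manifest stands in for the asymmetric signature a real updater would verify with an embedded public key.

```python
"""Update-client checks that blunt an ISP-level DNS poisoning / AitM attack on an
auto-updater. Added example with constructed data, not code from the report."""
import hashlib
import hmac
import json
from urllib.parse import urlparse

# --- Constructed sample data (not real binaries) ------------------------------
GOOD_INSTALLER = b"MZ-constructed-legitimate-installer-v2.1"
TROJANISED_INSTALLER = b"MZ-constructed-trojanised-installer"

# Stand-in for the vendor's signing key (constructed). A production updater
# verifies an asymmetric signature (e.g. Ed25519) with an embedded public key so
# the client never holds signing material; HMAC is used here only so the
# example runs with the standard library.
VENDOR_KEY = b"constructed-vendor-key"


def make_manifest(version, installer):
    """Vendor side: publish version + SHA-256 of the installer, authenticated."""
    body = json.dumps({"version": version,
                       "sha256": hashlib.sha256(installer).hexdigest()},
                      sort_keys=True).encode()
    tag = hmac.new(VENDOR_KEY, body, hashlib.sha256).hexdigest()
    return body, tag


def manifest_is_authentic(body, tag):
    """Client side: the digest inside the manifest is only trusted if the
    manifest itself is authenticated."""
    expected = hmac.new(VENDOR_KEY, body, hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, tag)


def transport_is_acceptable(url):
    """Plain HTTP lets a poisoned resolver substitute the whole download;
    HTTPS forces the attacker to also present a valid certificate."""
    return urlparse(url).scheme == "https"


def installer_matches(data, expected_sha256):
    return hmac.compare_digest(hashlib.sha256(data).hexdigest(), expected_sha256)


def run_update(update_url, fetch, manifest_body, manifest_tag):
    """fetch(url) models whichever host the (possibly poisoned) DNS answer
    steered the client to. Returns a status string instead of installing."""
    if not transport_is_acceptable(update_url):
        return "rejected: update URL is not HTTPS"
    if not manifest_is_authentic(manifest_body, manifest_tag):
        return "rejected: manifest failed authentication"
    expected = json.loads(manifest_body)["sha256"]
    data = fetch(update_url)
    if not installer_matches(data, expected):
        return "rejected: installer digest mismatch"
    return "installed"


# Two resolvers' worth of behaviour: the legitimate CDN and a poisoned answer.
def honest_fetch(url):
    return GOOD_INSTALLER


def poisoned_fetch(url):
    return TROJANISED_INSTALLER


if __name__ == "__main__":
    body, tag = make_manifest("2.1", GOOD_INSTALLER)
    print(run_update("http://updates.example/app.exe", honest_fetch, body, tag))
    print(run_update("https://updates.example/app.exe", poisoned_fetch, body, tag))
    print(run_update("https://updates.example/app.exe", honest_fetch, body, tag))
```

The digest check is what actually defeats the substituted installer: even if an attacker controls the resolver and the update URL is reached over HTTPS through some other failure, a binary that does not match the authenticated manifest is never executed.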
“It was discovered that StormBamboo poisoned DNS requests to deploy malware via an HTTP automatic update mechanism and poison responses for legitimate hostnames that were used as second-stage, command-and-control (C2) servers,” researchers Ankur Saini, Paul Rascagneres, Steven Adair, and Thomas Lancaster said.
The attack chains themselves are straightforward: the insecure update mechanisms are abused to deliver either MgBot or MACMA, depending on the victim's operating system. Volexity said it notified the affected ISP so that it could remediate the DNS poisoning attack.
One instance also involved modifying the Secure Preferences file to install a Google Chrome extension on the victim’s macOS device. The browser add-on purports to be a tool that loads a page in compatibility mode with Internet Explorer, but its main objective is to exfiltrate browser cookies to a Google Drive account controlled by the adversary.
According to the researchers, “the attacker can intercept DNS requests and poison them with malicious IP addresses, then use this technique to abuse automatic update mechanisms that use HTTP rather than HTTPS.”
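From the defender's side, the observable trace of this technique is a resolver answering a vendor's update hostname with an address outside the vendor's published ranges, often the same address that other poisoned hostnames (such as the second-stage C2 hostnames mentioned above) are also pointed at. The following added example (not from the Volexity report) runs two such checks over constructed resolver log lines; the log format, hostnames, IP ranges and allowlist are all assumptions made for the example.

```python
"""Detection: flag DNS answers for software-update hostnames that fall outside
the vendor's documented ranges, and answer IPs shared between a watched
hostname and unrelated ones. Added example with constructed logs."""
import ipaddress
import re
from collections import defaultdict

# Constructed resolver log lines; the format is an assumption, not a product's.
SAMPLE_LOG = """\
2023-06-12T10:14:02Z client=10.0.0.5 qname=updates.example-vendor.test qtype=A answer=198.51.100.10
2023-06-12T10:14:09Z client=10.0.0.7 qname=cdn.example-vendor.test qtype=A answer=198.51.100.22
2023-06-12T10:15:31Z client=10.0.0.5 qname=updates.example-vendor.test qtype=A answer=203.0.113.44
2023-06-12T10:15:40Z client=10.0.0.9 qname=www.unrelated-site.test qtype=A answer=203.0.113.44
2023-06-12T10:16:05Z client=10.0.0.7 qname=cdn.example-vendor.test qtype=A answer=198.51.100.23
"""

# Constructed allowlist: the ranges a vendor documents for its update hosts.
EXPECTED_RANGES = {
    "updates.example-vendor.test": ["198.51.100.0/24"],
    "cdn.example-vendor.test": ["198.51.100.0/24"],
}

LINE_RE = re.compile(r"qname=(?P<qname>\S+) qtype=A answer=(?P<answer>\S+)")


def parse_answers(log_text):
    """Yield (qname, ip) pairs for A-record answers; skip lines that do not match."""
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m:
            yield m.group("qname"), ipaddress.ip_address(m.group("answer"))


def out_of_range_answers(log_text, expected=EXPECTED_RANGES):
    """Answers for watched hostnames that fall outside their documented ranges."""
    nets = {host: [ipaddress.ip_network(c) for c in cidrs]
            for host, cidrs in expected.items()}
    hits = []
    for qname, ip in parse_answers(log_text):
        if qname in nets and not any(ip in net for net in nets[qname]):
            hits.append((qname, str(ip)))
    return hits


def shared_answer_ips(log_text, expected=EXPECTED_RANGES):
    """Answer IPs seen for a watched hostname *and* for an unrelated hostname.
    A poisoning resolver commonly points several hostnames at one attacker host."""
    by_ip = defaultdict(set)
    for qname, ip in parse_answers(log_text):
        by_ip[str(ip)].add(qname)
    return {ip: sorted(names) for ip, names in by_ip.items()
            if any(n in expected for n in names)
            and any(n not in expected for n in names)}


if __name__ == "__main__":
    for qname, ip in out_of_range_answers(SAMPLE_LOG):
        print(f"out-of-range answer: {qname} -> {ip}")
    for ip, names in shared_answer_ips(SAMPLE_LOG).items():
        print(f"shared answer IP {ip} for: {', '.join(names)}")
```

The allowlist check is the cheap, high-confidence signal; the shared-IP heuristic catches the case where the expected ranges are incomplete but one attacker host is answering for several hostnames at once. Both checks are only as good as the log source, so they belong on a resolver you control or on network-level DNS capture, not on the ISP resolver under suspicion.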