StormBamboo compromises Internet Service Providers to spread malware via software updates

New research from cybersecurity firm Volexity has revealed details about a highly sophisticated attack deployed by a Chinese-speaking cyberespionage threat actor called StormBamboo.

StormBamboo compromised an ISP to modify some DNS responses to queries from systems requesting legitimate software updates. The attack affected several software vendors. The altered responses directed update requests to attacker-controlled servers, which delivered StormBamboo's malicious payloads alongside the legitimate update files. The payloads targeted macOS and Microsoft Windows operating systems.

Who is StormBamboo?

StormBamboo, also known as Evasive Panda, Daggerfly, or Bronze Highland, is a China-aligned cyber espionage actor active since at least 2012. The Chinese-speaking group has targeted many organizations that align with Chinese interests around the world.

Over the years, the group has targeted individuals in mainland China, Hong Kong, Macau and Nigeria. It has also attacked entities, including governments, in Southeast Asia, East Asia, the United States, India and Australia.

The group has a long history of compromising legitimate infrastructure to infect targets with custom malware developed for Microsoft Windows and macOS operating systems. The group has deployed watering hole attacks, which involve compromising a specific website to target its visitors and infect them with malware.

StormBamboo is also capable of executing supply chain attacks, such as compromising a software platform, to discreetly infect people with malware.

The group may also target Android users.

ISP compromised, poisoned DNS responses

The threat actor managed to compromise a target's ISP infrastructure to control DNS responses from that ISP's DNS servers.

DNS servers are primarily responsible for translating domain names into IP addresses, which is how a client reaches the correct website. An attacker who controls such a server can answer a query for a particular domain name with an IP address the attacker controls, so that computers asking for that domain connect to the attacker's host instead. This is exactly what StormBamboo did.

While it is not known how the group compromised the ISP, Volexity reported that the ISP rebooted and took several components of its network offline, which immediately halted the DNS poisoning operation.

The attacker attempted to alter the DNS responses of several different legitimate application update websites.
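The resolver-side view of this, as an added example that is not from the Volexity report or the article: a small Go program that reads constructed resolver log lines and flags any answer for a watched update host that falls outside a known baseline of addresses. The hostnames, addresses and log format are all constructed for the example.

```go
package main

import (
	"fmt"
	"strings"
)

// Baseline answer IPs per update host, constructed for this example. In
// practice this comes from passive DNS history or the vendor's published ranges.
var Baseline = map[string][]string{
	"updates.vendor-a.invalid": {"198.51.100.10", "198.51.100.11"},
	"dl.vendor-b.invalid":      {"203.0.113.5"},
}

// SampleLog is a constructed resolver log: timestamp, client, query name and
// comma-separated answers, whitespace-separated, one query per line.
const SampleLog = `1722470401 10.0.0.21 updates.vendor-a.invalid 198.51.100.10
1722470417 10.0.0.34 dl.vendor-b.invalid 203.0.113.5
1722470433 10.0.0.21 updates.vendor-a.invalid 192.0.2.77
1722470440 10.0.0.50 www.unrelated.invalid 192.0.2.9`

// Finding records one answer that diverged from the baseline for a watched host.
type Finding struct {
	Time, Client, Query, Answer string
}

// FindDivergentAnswers flags every answer for a watched host that is not in
// the baseline set. Hosts absent from the baseline are ignored, not flagged.
func FindDivergentAnswers(log string, baseline map[string][]string) []Finding {
	var out []Finding
	for _, line := range strings.Split(log, "\n") {
		fields := strings.Fields(line)
		if len(fields) != 4 {
			continue // malformed or blank line
		}
		ts, client, query, answers := fields[0], fields[1], fields[2], fields[3]
		known, watched := baseline[query]
		if !watched {
			continue
		}
		for _, ip := range strings.Split(answers, ",") {
			ip = strings.TrimSpace(ip)
			if !contains(known, ip) {
				out = append(out, Finding{ts, client, query, ip})
			}
		}
	}
	return out
}

func contains(set []string, v string) bool {
	for _, s := range set {
		if s == v {
			return true
		}
	}
	return false
}

func main() {
	for _, f := range FindDivergentAnswers(SampleLog, Baseline) {
		fmt.Printf("%s client %s resolved %s to unexpected %s\n",
			f.Time, f.Client, f.Query, f.Answer)
	}
}
```

On the sample log the third line is flagged, because the update host resolved to an address outside its baseline. Treat this as a triage signal rather than proof of poisoning: CDN-backed update hosts rotate addresses, so the baseline needs to be expressed as ranges and refreshed regularly, and a hit should be confirmed against an independent resolver or the vendor's published endpoints.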


Paul Rascagneres, a threat researcher at Volexity and author of the post, told TechRepublic in a written interview that the company doesn't know exactly how the threat actors targeted the ISP.

“The attackers likely did some research or reconnaissance to identify the victim’s ISP,” he wrote. “We don’t know if other ISPs have been compromised; it’s hard to identify from the outside. StormBamboo is an aggressive threat actor. If this mode of operation was successful for them, they could use it on other ISPs for other targets.”

Legitimate update mechanisms are abused

This attack has affected several software vendors.

Once a user's system sent a DNS request to the compromised DNS server, the server responded with an attacker-controlled IP address. The host at that address delivered the real software update, but bundled with the attacker's payload.

Workflow of the attack. Image: Volexity

Volexity's report showed that several software vendors with insecure update workflows were affected, and gave an example involving software called 5KPlayer.

The software checks for updates to “YoutubeDL” every time it is launched. The check is performed by requesting a configuration file, which indicates whether a new version is available. If so, it is downloaded from a specific URL and executed by the legitimate application.

However, the compromised ISP's DNS directed the app to a modified configuration file that indicated an update was available, but delivered a backdoored YoutubeDL package.

The malicious payload is a PNG file containing either MACMA or POCOSTICK/MGBot malware, depending on the operating system requesting the update. MACMA infects macOS, while POCOSTICK/MGBot infects Microsoft Windows operating systems.

Malicious payloads

POCOSTICK, also known as MGBot, is a custom malware possibly developed by StormBamboo, as it has not been used by any other group, according to ESET. The malware has been around since 2012 and consists of several modules that enable keylogging, file theft, clipboard interception, audio stream capture, cookie theft, and credential theft.

In contrast, MACMA allows keylogging, fingerprinting of the victim's device, and screen and audio capture. It also provides a command line to the attacker and has file-stealing capabilities. Google first reported MACMA in 2021, when it was being deployed through watering hole attacks.

The attack Google reported was not attributed to a threat actor, but targeted visitors to the Hong Kong websites of a media outlet and a prominent pro-democracy political and labor group, according to Google. That attack is similar to the StormBamboo attack.

Volexity also detected significant code similarities between the latest version of MACMA and another malware family, GIMMICK, used by the StormCloud threat actor.

Finally, in a case where a victim’s macOS device was compromised, Volexity saw the attacker deploy a malicious Google Chrome extension. The obfuscated code allows the attacker to extract browser cookies to a Google Drive account controlled by the attacker.

How can software vendors protect users from cyber threats?

Rascagneres told TechRepublic that Volexity identified insecure update mechanisms targeted in several different programs: 5KPlayer, Quick Heal, Sogou, Rainmeter, Partition Wizard, and Corel.

Asked about how to protect and improve update mechanisms at the software vendor level, the researcher insists that “software publishers should implement the HTTPS update mechanism and check the SSL certificate of the website where the updates are downloaded. In addition, they should sign the updates and check this signature before running them.”
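What those recommended checks look like in code, as an added example that is not part of the article or of Volexity's research: a Go program in which the vendor signs the update manifest with an Ed25519 key, and the updater refuses to run anything whose manifest signature, HTTPS scheme or package digest does not check out. It also models the 5KPlayer-style flow described above, where a rewritten configuration file points at a substituted package. The manifest fields, hostnames and package bytes are constructed for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"errors"
	"fmt"
	"net/url"
)

// Manifest models the "is a new version available, and where" configuration
// file an updater fetches on launch (field names constructed for this example).
type Manifest struct {
	Version string `json:"version"`
	URL     string `json:"url"`
	SHA256  string `json:"sha256"` // hex SHA-256 of the package bytes
}

// SignManifest is the vendor-side step: the manifest is serialised and signed
// with the vendor's Ed25519 private key, which never lives on the update host.
func SignManifest(priv ed25519.PrivateKey, m Manifest) (body, sig []byte, err error) {
	body, err = json.Marshal(m)
	if err != nil {
		return nil, nil, err
	}
	return body, ed25519.Sign(priv, body), nil
}

// VerifyUpdate is the client-side gate before anything downloaded is executed.
// It fails closed: bad signature, non-HTTPS URL or digest mismatch all reject.
func VerifyUpdate(pub ed25519.PublicKey, body, sig, pkg []byte) (Manifest, error) {
	var m Manifest
	if !ed25519.Verify(pub, body, sig) {
		return m, errors.New("manifest signature invalid")
	}
	if err := json.Unmarshal(body, &m); err != nil {
		return m, err
	}
	u, err := url.Parse(m.URL)
	if err != nil || u.Scheme != "https" {
		return m, errors.New("update URL must use https")
	}
	sum := sha256.Sum256(pkg)
	if hex.EncodeToString(sum[:]) != m.SHA256 {
		return m, errors.New("package digest does not match signed manifest")
	}
	return m, nil
}

// Scenario builds a vendor key pair, a genuine signed manifest and package, then
// a substituted manifest and package of the kind a poisoned DNS answer could
// serve, and returns the verifier's verdict on each.
func Scenario() (genuineErr, substitutedErr error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return err, err
	}
	pkg := []byte("constructed genuine package bytes")
	sum := sha256.Sum256(pkg)
	m := Manifest{
		Version: "2.0.1",
		URL:     "https://updates.vendor.invalid/pkg-2.0.1.zip", // constructed host
		SHA256:  hex.EncodeToString(sum[:]),
	}
	body, sig, err := SignManifest(priv, m)
	if err != nil {
		return err, err
	}
	_, genuineErr = VerifyUpdate(pub, body, sig, pkg)

	// Substituted path: the configuration file is rewritten to point at a
	// different package. The only available signature is the vendor's original
	// one, which no longer covers the rewritten body, so verification fails.
	evil := []byte("constructed substituted package bytes")
	evilSum := sha256.Sum256(evil)
	em := Manifest{
		Version: "2.0.2",
		URL:     "https://updates.vendor.invalid/pkg-2.0.2.zip",
		SHA256:  hex.EncodeToString(evilSum[:]),
	}
	evilBody, _ := json.Marshal(em)
	_, substitutedErr = VerifyUpdate(pub, evilBody, sig, evil)
	return genuineErr, substitutedErr
}

func main() {
	g, s := Scenario()
	fmt.Println("genuine update accepted:", g == nil)
	fmt.Println("substituted update rejected:", s != nil)
}
```

The digest check is what makes the signature useful: the manifest is small and signed, and it binds the package contents, so a substituted download fails even though the package itself carries no signature. Fetching the manifest and package over HTTPS with certificate verification still matters (Go's default http.Client performs it), since it stops a redirected host from even reading or replaying traffic, but the signature is the control that does not depend on DNS being honest.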

To help organizations detect StormBamboo activity on their systems, Volexity provides YARA rules to detect the different payloads and recommends blocking the indicators of compromise provided by the company.

Disclosure: I work for Trend Micro, but the opinions expressed in this article are my own.
