China-linked Evasive Panda breaches ISP

Evasive Panda

A China-linked threat actor known as Evasive Panda compromised an unnamed internet service provider (ISP) to push malicious software updates to target companies in mid-2023. Evasive Panda, also known by the names Bronze Highland, Daggerfly, and StormBamboo, is a cyber espionage group that has been active since at least 2012. “StormBamboo is a highly skilled and aggressive threat actor who compromises third-parties (in this case, an ISP) to breach intended targets,” said cybersecurity firm Volexity in a report published last week.

“The variety of malware employed in various campaigns by this threat actor indicates significant effort is invested, with actively supported payloads for not only macOS and Windows, but also network appliances.”

The threat actor altered the DNS responses returned for specific domains tied to automatic software update mechanisms. The targeted software was chosen because its updater either fetches over plain HTTP or fails to verify the integrity of the installer it downloads (no signature or digest check), so whatever host the poisoned resolver points to can serve a substitute payload. “It was discovered that StormBamboo poisoned DNS requests to deploy malware via an HTTP automatic update mechanism and poison responses for legitimate hostnames that were used as second-stage, command-and-control (C2) servers,” researchers Ankur Saini, Paul Rascagneres, Steven Adair, and Thomas Lancaster said.
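To make the failure mode concrete, the following is an added example written for this page; it is not Volexity's code and not any vendor's real updater. It replays the attack in memory with constructed data: a hypothetical manifest format, a resolver whose answer for updates.example.com has been poisoned to an attacker host (TEST-NET addresses), and two clients. The insecure client trusts whatever the resolved host serves, as the abused updaters did. The hardened client verifies a detached Ed25519 signature over the manifest with a key pinned in the binary and then checks the downloaded installer against the digest inside that signed manifest, so a poisoned resolver and a plaintext transport no longer buy the attacker anything.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/hex"
	"encoding/json"
	"errors"
	"fmt"
)

// Manifest is a hypothetical update descriptor (an assumption for this example):
// the client downloads URL and expects the blob to hash to SHA256.
type Manifest struct {
	Version string `json:"version"`
	URL     string `json:"url"`
	SHA256  string `json:"sha256"`
}

// SignedManifest carries the raw manifest bytes plus a detached Ed25519 signature over them.
type SignedManifest struct {
	Manifest  []byte
	Signature []byte
}

var (
	ErrBadSignature = errors.New("manifest signature does not verify against pinned key")
	ErrBadDigest    = errors.New("installer SHA-256 does not match signed manifest")
)

// NewManifest builds a manifest for an installer blob, recording its SHA-256.
func NewManifest(version, url string, installer []byte) Manifest {
	sum := sha256.Sum256(installer)
	return Manifest{Version: version, URL: url, SHA256: hex.EncodeToString(sum[:])}
}

// Sign is the vendor-side release step; the private key never leaves the build system.
func Sign(priv ed25519.PrivateKey, m Manifest) (SignedManifest, error) {
	b, err := json.Marshal(m)
	if err != nil {
		return SignedManifest{}, err
	}
	return SignedManifest{Manifest: b, Signature: ed25519.Sign(priv, b)}, nil
}

// InsecureUpdate is the pattern the article describes being abused: the host the resolver
// handed back is trusted, so poisoned DNS plus plain HTTP gets the attacker's installer run.
func InsecureUpdate(manifest []byte, installer []byte) (Manifest, error) {
	var m Manifest
	if err := json.Unmarshal(manifest, &m); err != nil {
		return Manifest{}, err
	}
	return m, nil // no signature and no digest check: the installer would now execute
}

// SecureUpdate treats DNS and transport as hostile: the manifest must verify under the pinned
// vendor key, and the installer must match the digest the signed manifest commits to.
func SecureUpdate(pub ed25519.PublicKey, sm SignedManifest, installer []byte) (Manifest, error) {
	if !ed25519.Verify(pub, sm.Manifest, sm.Signature) {
		return Manifest{}, ErrBadSignature
	}
	var m Manifest
	if err := json.Unmarshal(sm.Manifest, &m); err != nil {
		return Manifest{}, err
	}
	want, err := hex.DecodeString(m.SHA256)
	if err != nil {
		return Manifest{}, err
	}
	got := sha256.Sum256(installer)
	if subtle.ConstantTimeCompare(want, got[:]) != 1 {
		return Manifest{}, ErrBadDigest
	}
	return m, nil
}

// Scenario replays the attack with constructed in-memory data (no network). The resolver entry
// for updates.example.com is poisoned to the attacker's host, which serves its own signed
// manifest and payload. It returns what each client concluded.
func Scenario() (insecureVersion string, secureErr error, legitErr error) {
	vendorPub, vendorPriv, _ := ed25519.GenerateKey(rand.Reader)
	_, attackerPriv, _ := ed25519.GenerateKey(rand.Reader)

	legitInstaller := []byte("genuine installer v2.0")
	legitManifest, _ := Sign(vendorPriv, NewManifest("2.0", "http://updates.example.com/app.pkg", legitInstaller))
	evilInstaller := []byte("attacker dropper masquerading as v2.1")
	evilManifest, _ := Sign(attackerPriv, NewManifest("2.1", "http://updates.example.com/app.pkg", evilInstaller))

	servers := map[string]struct {
		m    SignedManifest
		inst []byte
	}{
		"203.0.113.10": {legitManifest, legitInstaller}, // real vendor host
		"198.51.100.7": {evilManifest, evilInstaller},   // attacker host
	}
	resolve := map[string]string{"updates.example.com": "198.51.100.7"} // poisoned answer
	srv := servers[resolve["updates.example.com"]]

	m, _ := InsecureUpdate(srv.m.Manifest, srv.inst)
	insecureVersion = m.Version // "2.1": the attacker's payload is accepted
	_, secureErr = SecureUpdate(vendorPub, srv.m, srv.inst)
	_, legitErr = SecureUpdate(vendorPub, legitManifest, legitInstaller)
	return
}

func main() {
	v, serr, lerr := Scenario()
	fmt.Printf("insecure client installed version %q\n", v)
	fmt.Printf("secure client against poisoned host: %v\n", serr)
	fmt.Printf("secure client against genuine manifest: %v\n", lerr)
}
```

Note that switching the transport to HTTPS alone is only half the fix: it stops the ISP-level interception described here, but the signed-manifest check is what protects against a compromised or mis-issued certificate, a compromised CDN, or a mirror. Pinning the verification key in the binary, rather than fetching it from the same update host, is what keeps the check meaningful under a poisoned resolver.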

Evasive Panda compromises ISP security

The attack chains are fairly straightforward: the insecure update mechanism is abused to deliver either MgBot (on Windows) or MACMA (on macOS), depending on the victim’s operating system. Volexity said it notified the affected ISP so it could remediate the DNS poisoning. In one case the attackers also deployed a Google Chrome extension on the victim’s macOS device by modifying the browser’s Secure Preferences file.

The browser add-on purported to be a tool that loads a page in compatibility mode with Internet Explorer, but its actual purpose was to exfiltrate browser cookies to a Google Drive account controlled by the adversary. “The attacker can intercept DNS requests and poison them with malicious IP addresses, and then use this technique to abuse automatic update mechanisms that use HTTP rather than HTTPS,” the researchers said.
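A responder looking for this kind of extension implant would start from the profile's Secure Preferences file itself. The following is an added triage example written for this page, not Volexity's tooling and not a Chrome-provided API: it parses a constructed Secure Preferences fragment and flags extension entries that were not installed from the Chrome Web Store, carry no Web Store update_url, were loaded from an absolute path outside the profile's Extensions directory, or request the cookies permission. The JSON field names (extensions.settings.<id>.from_webstore, .path, .manifest) follow the layout of Chrome's preference store as this editor understands it and the extension IDs and paths are made up; verify the layout against a profile from your own fleet before relying on it.

```go
package main

import (
	"encoding/json"
	"fmt"
	"path/filepath"
	"sort"
)

// webstoreUpdateURL is the update endpoint Chrome records for Web Store installs.
const webstoreUpdateURL = "https://clients2.google.com/service/update2/crx"

// extSettings models the per-extension entry under extensions.settings (assumed layout).
type extSettings struct {
	FromWebstore bool   `json:"from_webstore"`
	Path         string `json:"path"`
	Manifest     struct {
		Name        string   `json:"name"`
		UpdateURL   string   `json:"update_url"`
		Permissions []string `json:"permissions"`
	} `json:"manifest"`
}

type securePrefs struct {
	Extensions struct {
		Settings map[string]extSettings `json:"settings"`
	} `json:"extensions"`
}

// Finding is one suspicious extension entry and the reasons it was flagged.
type Finding struct {
	ID      string
	Name    string
	Reasons []string
}

// Triage parses a Secure Preferences document and returns the extensions worth a closer look,
// sorted by ID so output is stable across runs.
func Triage(prefsJSON []byte) ([]Finding, error) {
	var p securePrefs
	if err := json.Unmarshal(prefsJSON, &p); err != nil {
		return nil, err
	}
	var out []Finding
	for id, e := range p.Extensions.Settings {
		var why []string
		if !e.FromWebstore {
			why = append(why, "from_webstore is false")
		}
		if e.Manifest.UpdateURL != webstoreUpdateURL {
			why = append(why, "update_url is not the Chrome Web Store endpoint")
		}
		// Web Store installs are recorded relative to the profile's Extensions directory;
		// an absolute path means the code was loaded from somewhere else on disk.
		if filepath.IsAbs(e.Path) {
			why = append(why, "loaded from an absolute path outside the profile")
		}
		for _, perm := range e.Manifest.Permissions {
			if perm == "cookies" {
				why = append(why, "requests the cookies permission")
			}
		}
		if len(why) > 0 {
			out = append(out, Finding{ID: id, Name: e.Manifest.Name, Reasons: why})
		}
	}
	sort.Slice(out, func(i, j int) bool { return out[i].ID < out[j].ID })
	return out, nil
}

// sampleSecurePrefs is a constructed fragment: one genuine Web Store extension and one
// sideloaded "IE compatibility" extension of the kind described in the article.
const sampleSecurePrefs = `{
  "extensions": {
    "settings": {
      "aapocclcgogkmnckokdopfmhonfmgoek": {
        "from_webstore": true,
        "path": "aapocclcgogkmnckokdopfmhonfmgoek/0.10_0",
        "manifest": {"name": "Slides", "update_url": "https://clients2.google.com/service/update2/crx",
                     "permissions": ["storage"]}
      },
      "pnkkmjjbjbicjlaamlplbnddgpefibnd": {
        "from_webstore": false,
        "path": "/Users/victim/Library/Application Support/.iecompat",
        "manifest": {"name": "IE Compatibility Mode", "permissions": ["cookies", "<all_urls>"]}
      }
    }
  }
}`

func main() {
	findings, err := Triage([]byte(sampleSecurePrefs))
	if err != nil {
		panic(err)
	}
	for _, f := range findings {
		fmt.Printf("%s (%s):\n", f.ID, f.Name)
		for _, r := range f.Reasons {
			fmt.Printf("  - %s\n", r)
		}
	}
}
```

Run it against the real file at ~/Library/Application Support/Google/Chrome/<Profile>/Secure Preferences on macOS. A hit on "cookies" plus a non-Web-Store install is the combination to chase: pull the extension directory at the recorded path and look at where its background script sends data.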