Close Menu
  • Tech Insights
  • Laptops
  • Mobiles
  • Gaming
  • Apps
  • Money
  • Latest in Tech
Facebook X (Twitter) Instagram
Facebook X (Twitter) Instagram
TechzLab – Tech News, Gadgets, Mobile & IT UpdatesTechzLab – Tech News, Gadgets, Mobile & IT Updates
  • Tech Insights
  • Laptops
  • Mobiles
  • Gaming
  • Apps
  • Money
  • Latest in Tech
TechzLab – Tech News, Gadgets, Mobile & IT UpdatesTechzLab – Tech News, Gadgets, Mobile & IT Updates
Home » StormBamboo Compromises ISP to Spread Malware via Updates
Gaming

StormBamboo Compromises ISP to Spread Malware via Updates

adminBy adminOctober 29, 2024No Comments5 Mins Read
Facebook Twitter Pinterest LinkedIn Tumblr Email
Share
Facebook Twitter LinkedIn Pinterest Email

New research from cybersecurity company Volexity revealed details about a highly sophisticated attack deployed by a Chinese-speaking cyberespionage threat actor named StormBamboo.

The threat actor compromised an ISP to modify some DNS answers to queries from systems requesting legitimate software updates. Multiple software vendors were targeted. The altered responses led to malicious payloads served by StormBamboo in addition to the legitimate update files. The payloads targeted both macOS and Microsoft Windows operating systems.

Who is StormBamboo?

StormBamboo — also known as Evasive Panda, Daggerfly, or Bronze Highland — is a China-aligned cyberespionage threat actor, active since at least 2012. The Chinese-speaking group has targeted many organizations that align with Chinese interests worldwide.

Over the years, the group has targeted individuals in mainland China, Hong Kong, Macao, and Nigeria. Additionally, it has targeted entities, including governments, in Southeast Asia, East Asia, the U.S., India, and Australia.

Must-read security coverage

The group has a long history of compromising legitimate infrastructures to infect their targets with custom malware developed for Microsoft Windows and macOS operating systems. The group has deployed watering hole attacks, consisting of compromising a specific website to target its visitors and infect them with malware.

StormBamboo is also capable of running supply chain attacks, such as compromising a software platform, to discreetly infect people with malware.

The group is also capable of targeting Android users.

ISP compromised, DNS responses poisoned

The threat actor managed to compromise a target’s ISP infrastructure to control the DNS responses from that ISP’s DNS servers — mostly consisting of translating domain names to IP addresses, leading them to the correct website. An attacker controlling the server can cause the computers to request a particular domain name to an attacker-controlled IP address. This is exactly what StormBamboo did.

While it is not known how the group compromised the ISP, Volexity reported the ISP rebooted and took various components of its network offline, which immediately stopped the DNS poisoning operation.

The attacker aimed at altering DNS answers for several different legitimate application update websites.

SEE: Why your company should consider implementing DNS security extensions

Paul Rascagneres, threat researcher at Volexity and an author of the publication, told TechRepublic in a written interview the company doesn’t exactly know how the threat actors chose the ISP.

“The attackers probably did some research or reconnaissance to identify what is the victim’s ISP,” he wrote. “We don’t know if other ISPs have been compromised; it is complicated to identify it from the outside. StormBamboo is an aggressive threat actor. If this operating mode was a success for them, they could use it on other ISPs for other targets.”

Legitimate update mechanisms being abused

Multiple software vendors have been targeted by this attack.

Once a DNS request from users was sent to the compromised DNS server, it answered with an attacker-controlled IP address that delivered a real update for the software — yet with an attacker’s payload.

Attack workflow. Image: Volexity
Attack workflow. Image: Volexity

The Volexity report showed that multiple software vendors using insecure update workflows were concerned and provided an example with a software named 5KPlayer.

The software checks for updates for “YoutubeDL” every time it is started. The check is done by requesting a configuration file, which indicates if a new version is available. If so, it is downloaded from a specific URL and executed by the legitimate application.

Yet the compromised ISP’s DNS will lead the application to a modified configuration file, which indicates there is an update, but delivers a backdoored YoutubeDL package.

The malicious payload is a PNG file containing either MACMA or POCOSTICK/MGBot malware, depending on the operating system requesting the update. MACMA infects MacOS, while POCOSTICK/MGBot infects Microsoft Windows operating systems.

Malicious payloads

POCOSTICK, also known as MGBot, is a custom malware possibly developed by StormBamboo, as it has not been used by any other group, according to ESET. The malware has existed since 2012 and consists of several modules enabling keylogging, file stealing, clipboard interception, audio streams capture, cookie, and credential theft.

Conversely, MACMA allows keylogging, victim device fingerprinting, and screen and audio capture. It also provides a command line to the attacker and has file-theft capabilities. Google initially reported in 2021 the presence of MACMA malware, using watering hole attacks to be deployed.

The Google attack was not attributed to a threat actor, yet it targeted visitors of Hong Kong websites for a media outlet and a prominent pro-democracy labor and political group, according to Google. This attack aligns with StormBamboo’s targeting.

Volexity also noticed significant code similarities between the latest MACMA version and another malware family, GIMMICK, used by the StormCloud threat actor.

Finally, in one case following a victim’s macOS device compromise, Volexity saw the attacker deploy a malicious Google Chrome extension. The obfuscated code allows the attacker to exfiltrate the browser’s cookies to an attacker-controlled Google Drive account.

How can software vendors protect users from cyber threats?

Rascagneres told TechRepublic that Volexity identified several targeted insecure update mechanisms from different software: 5k Player, Quick Heal, Sogou, Rainmeter, Partition Wizard, and Corel.

Questioned about how to protect and improve the update mechanisms at the software vendor level, the researcher insists that “the software editors should enforce HTTPS update mechanism and check the SSL certificate of the website where the updates are downloaded. Additionally, they should sign the updates and check this signature before executing them.”

In order to help companies detect StormBamboo activity on their systems, Volexity provides YARA rules to detect the different payloads and recommends blocking the Indicators of Compromise the company provides.

Disclosure: I work for Trend Micro, but the views expressed in this article are mine.

Share. Facebook Twitter Pinterest LinkedIn Tumblr Email
admin
  • Website

Related Posts

Release Dates for 2025 and Beyond

September 15, 2025

Mario Tennis Fever Preorders Are Live – First Mario Sports Game For Switch 2

September 14, 2025

Honkai: Star Rail Version 3.6 brings new forms for Dan Heng and March 7th, and you can earn one of them for free

September 13, 2025

Comments are closed.

Latest
  • Android will soon be able to theme every app icon, and Google Play won't let developers opt out – Android Authority September 17, 2025
  • Millions of Dell laptops at risk of attack due to security chip flaw — update your PC right now – Tom's Guide September 17, 2025
  • Nvidia CEO Jensen Huang Is Bananas for Google Gemini’s AI Image Generator September 17, 2025
  • Meta announces new Oakley Vanguard smart glasses – here’s how they’re better than the HSTN glasses for athletes September 17, 2025
  • Gamers, SSD price hikes and shortages could soon strike again – take advantage of today’s prices while you still can September 16, 2025
We are social
  • Facebook
  • Twitter
  • Pinterest
  • Instagram
  • YouTube
  • Vimeo

Subscribe to Updates

Get the latest creative news from Techzlab.

Tags
AI Apple artificial intelligence Astranis Boeing ChatGPT cybersecurity data centers DeepMind defense tech doge Donald Trump dual use DVX Ventures Elon Musk evergreens EVs Exclusive Google Grok In Brief iPhone Latent Labs Laude Institute Meta Microsoft nato innovation fund northrop grumman online safety act Openai Perplexity Pinterest robotaxi robotics siri social media Space Force SpaceX Spotify TechCrunch All Stage TechCrunch All Stage 2025 Tesla Trump Administration unicorn wizard of oz
Archives
Quick Link
  • Apps (290)
  • From the Editor (3)
  • Gaming (295)
  • Laptops (297)
  • Latest in Tech (296)
  • Mobiles (298)
  • Money (122)
  • Tech Insights (293)
Don't miss

Meta announces new Oakley Vanguard smart glasses – here’s how they’re better than the HSTN glasses for athletes

September 17, 2025

Colossus: The Forbin Project warned about AI in 1970, now it is quietly vanishing from streaming

September 16, 2025

Check Your Bank Accounts, You Might Spot a Deposit From a Facebook Lawsuit

September 15, 2025
Follow us
  • Facebook
  • Twitter
  • Pinterest
  • Instagram
  • YouTube
  • Vimeo
© 2025 Techzlab.com Designed and Developed by WebExpert.
  • Home
  • From the Editor
  • Money
  • Privacy Policy
  • Contact

Type above and press Enter to search. Press Esc to cancel.