StormBamboo Compromises ISP to Spread Malware via Updates

By admin, October 29, 2024

New research from cybersecurity company Volexity revealed details about a highly sophisticated attack deployed by a Chinese-speaking cyberespionage threat actor named StormBamboo.

The threat actor compromised an ISP to modify some DNS answers to queries from systems requesting legitimate software updates. Multiple software vendors were targeted. The altered responses led to malicious payloads served by StormBamboo in addition to the legitimate update files. The payloads targeted both macOS and Microsoft Windows operating systems.

Who is StormBamboo?

StormBamboo — also known as Evasive Panda, Daggerfly, or Bronze Highland — is a China-aligned cyberespionage threat actor, active since at least 2012. The Chinese-speaking group has targeted many organizations that align with Chinese interests worldwide.

Over the years, the group has targeted individuals in mainland China, Hong Kong, Macao, and Nigeria. Additionally, it has targeted entities, including governments, in Southeast Asia, East Asia, the U.S., India, and Australia.


The group has a long history of compromising legitimate infrastructure to infect its targets with custom malware developed for Microsoft Windows and macOS. The group has deployed watering hole attacks, which consist of compromising a specific website in order to infect its visitors with malware.

StormBamboo is also capable of running supply chain attacks, such as compromising a software platform, to discreetly infect people with malware.

The group is also capable of targeting Android users.

ISP compromised, DNS responses poisoned

The threat actor managed to compromise a target’s ISP infrastructure and take control of the responses returned by that ISP’s DNS servers. Those servers mostly translate domain names into IP addresses so that clients reach the correct website; an attacker who controls them can instead direct computers that request a particular domain name to an attacker-controlled IP address. This is exactly what StormBamboo did.

While it is not known how the group compromised the ISP, Volexity reported that the ISP rebooted and took various components of its network offline, which immediately stopped the DNS poisoning operation.

The attacker aimed at altering DNS answers for several different legitimate application update websites.


Paul Rascagneres, threat researcher at Volexity and an author of the publication, told TechRepublic in a written interview the company doesn’t exactly know how the threat actors chose the ISP.

“The attackers probably did some research or reconnaissance to identify what is the victim’s ISP,” he wrote. “We don’t know if other ISPs have been compromised; it is complicated to identify it from the outside. StormBamboo is an aggressive threat actor. If this operating mode was a success for them, they could use it on other ISPs for other targets.”

Legitimate update mechanisms being abused

Multiple software vendors have been targeted by this attack.

Once a user’s DNS request reached the compromised DNS server, it answered with an attacker-controlled IP address. The server at that address delivered a real update for the software, but bundled with an attacker’s payload.

Attack workflow. Image: Volexity

The Volexity report showed that multiple software vendors using insecure update workflows were affected, and provided an example with a software product named 5KPlayer.

The software checks for updates for “YoutubeDL” every time it is started. The check is done by requesting a configuration file, which indicates if a new version is available. If so, it is downloaded from a specific URL and executed by the legitimate application.

However, the compromised ISP’s DNS leads the application to a modified configuration file, which indicates that an update is available but delivers a backdoored YoutubeDL package.

The malicious payload is a PNG file containing either MACMA or POCOSTICK/MGBot malware, depending on the operating system requesting the update. MACMA infects macOS, while POCOSTICK/MGBot infects Microsoft Windows.

Malicious payloads

POCOSTICK, also known as MGBot, is a custom malware family possibly developed by StormBamboo, as it has not been used by any other group, according to ESET. The malware has existed since 2012 and consists of several modules enabling keylogging, file theft, clipboard interception, audio stream capture, and cookie and credential theft.

Conversely, MACMA allows keylogging, victim device fingerprinting, and screen and audio capture. It also provides the attacker with a command line and has file-theft capabilities. Google first reported the presence of MACMA malware in 2021, when it was being deployed through watering hole attacks.

The attack reported by Google was not attributed to a threat actor, yet it targeted visitors of Hong Kong websites belonging to a media outlet and a prominent pro-democracy labor and political group, according to Google. This targeting aligns with StormBamboo’s.

Volexity also noticed significant code similarities between the latest MACMA version and another malware family, GIMMICK, used by the StormCloud threat actor.

Finally, in one case following a victim’s macOS device compromise, Volexity saw the attacker deploy a malicious Google Chrome extension. The obfuscated code allows the attacker to exfiltrate the browser’s cookies to an attacker-controlled Google Drive account.

How can software vendors protect users from cyber threats?

Rascagneres told TechRepublic that Volexity identified several targeted insecure update mechanisms from different software: 5k Player, Quick Heal, Sogou, Rainmeter, Partition Wizard, and Corel.

Questioned about how to protect and improve the update mechanisms at the software vendor level, the researcher insists that “the software editors should enforce HTTPS update mechanism and check the SSL certificate of the website where the updates are downloaded. Additionally, they should sign the updates and check this signature before executing them.”
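As an added illustration (not code from Volexity, 5KPlayer or any vendor named above), the following Go program shows the checks the quote calls for, applied to the update flow described for 5KPlayer: the update configuration (manifest) is only trusted after a vendor signature over it verifies, the download URL must be HTTPS on a pinned vendor host, and the downloaded package must match the hash in the signed manifest before it is executed. The manifest format, the Ed25519 key and the host updates.example.com are assumptions; the TLS fetch itself is left out so the example runs offline.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"errors"
	"fmt"
	"net/url"
)

// Manifest is a constructed update-config format; the field names are assumptions.
type Manifest struct{ Version, URL, SHA256 string }

// VerifyManifest checks the vendor's Ed25519 signature over the raw manifest bytes before
// trusting any field, then requires an HTTPS download URL on the pinned vendor host.
func VerifyManifest(pub ed25519.PublicKey, raw, sig []byte, host string) (*Manifest, error) {
	if !ed25519.Verify(pub, raw, sig) {
		return nil, errors.New("manifest signature invalid: refusing update")
	}
	var m Manifest
	if err := json.Unmarshal(raw, &m); err != nil {
		return nil, err
	}
	u, err := url.Parse(m.URL)
	if err != nil || u.Scheme != "https" || u.Hostname() != host {
		return nil, errors.New("update URL must be https on the pinned vendor host")
	}
	return &m, nil
}

// VerifyPackage binds the downloaded bytes to the signed manifest by SHA-256, so a
// swapped payload (such as a backdoored package) is rejected before anything runs.
func VerifyPackage(m *Manifest, pkg []byte) error {
	if sum := sha256.Sum256(pkg); hex.EncodeToString(sum[:]) != m.SHA256 {
		return errors.New("package hash mismatch: refusing to execute")
	}
	return nil
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(nil) // vendor key; the public half ships inside the app
	pkg := []byte("constructed sample update package")
	sum := sha256.Sum256(pkg)
	raw, _ := json.Marshal(Manifest{Version: "2.0", URL: "https://updates.example.com/pkg.bin", SHA256: hex.EncodeToString(sum[:])})
	m, err := VerifyManifest(pub, raw, ed25519.Sign(priv, raw), "updates.example.com")
	if err != nil {
		panic(err)
	}
	fmt.Println("genuine package accepted:", VerifyPackage(m, pkg) == nil)
	fmt.Println("swapped package rejected:", VerifyPackage(m, []byte("backdoored")) != nil)
}
```

With these checks in place, a poisoned DNS answer alone gains nothing: an attacker-controlled host cannot produce a valid signature over a modified manifest, and a substituted package fails the hash comparison.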

In order to help companies detect StormBamboo activity on their systems, Volexity provides YARA rules to detect the different payloads and recommends blocking the Indicators of Compromise the company provides.

Disclosure: I work for Trend Micro, but the views expressed in this article are mine.
