
In a significant cybersecurity breach, a Chinese hacking group identified as StormBamboo has compromised an undisclosed internet service provider (ISP), infecting automatic software updates with malicious software. This group, also known by other names such as Evasive Panda, Daggerfly, and StormCloud, has been active since at least 2012, targeting a diverse array of organizations across mainland China, Hong Kong, Macao, Nigeria, and various Southeast and East Asian countries.
The Attack Unveiled
Volexity threat researchers disclosed that the StormBamboo group exploited insecure HTTP software update mechanisms, which lacked digital signature validation, to deploy malware on Windows and macOS devices of unsuspecting victims. According to Volexity, “When these applications went to retrieve their updates, instead of installing the intended update, they would install malware, including but not limited to MACMA and POCOSTICK (aka MGBot).”
The attackers intercepted and modified DNS requests, redirecting them to malicious IP addresses. This technique allowed them to deliver malware from their command-and-control (C2) servers without requiring any user interaction. For example, they exploited 5KPlayer requests to update the youtube-dl dependency, pushing a backdoored installer hosted on their C2 servers.
Stealthy and Sophisticated
Upon compromising the target systems, StormBamboo installed a malicious Google Chrome extension named ReloadText, which enabled them to harvest and steal browser cookies and email data. Volexity noted, “StormBamboo targeted multiple software vendors using insecure update workflows, employing varying levels of complexity in their malware deployment steps.”
The ISP’s intervention, involving rebooting and taking network components offline, eventually stopped the DNS poisoning. However, the sophistication of the attack underscored the persistent threat posed by such cyber-espionage groups.
A History of Attacks
StormBamboo’s activities have been under scrutiny for years. In April 2023, ESET researchers observed the group deploying the Pocostick (MGBot) Windows backdoor via the automatic update mechanism for the Tencent QQ messaging application, targeting international NGOs. In July 2024, Symantec’s threat hunting team detected the group targeting an American NGO in China and multiple organizations in Taiwan with new versions of the Macma macOS backdoor and Nightdoor Windows malware.
While the precise attack methods were not always clear, researchers believed these incidents involved supply chain attacks or adversary-in-the-middle (AITM) attacks. The ability to control DNS responses at the ISP level was a common thread in these attacks, allowing the hackers to manipulate software update mechanisms to their advantage.
Technical Insights and Takeaways
StormBamboo’s method involved poisoning DNS requests to deploy malware through insecure automatic update mechanisms. The attackers targeted software that used HTTP for updates and did not validate digital signatures of installers. This allowed them to redirect legitimate update requests to malicious servers, resulting in the installation of malware like MACMA and POCOSTICK.
Volexity’s investigation revealed that StormBamboo used DNS poisoning to steer update clients to servers hosting modified configuration files, which indicated that new updates were available. These updates contained backdoored versions of legitimate software, such as youtube-dl, with malicious code embedded within the update files. The ultimate payloads, MACMA for macOS and POCOSTICK for Windows, were designed to compromise the target systems further.
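Added example, not code from the article or from Volexity: a Go update-client check modelled on the weakness described in this section and under "The Attack Unveiled". The client runs an installer only if its manifest carries a valid signature from a vendor key pinned in the client and the installer's SHA-256 matches that signed manifest, so a server reached through a poisoned DNS answer cannot substitute a backdoored build. The manifest format, key handling and helper names are assumptions.

```go
package main
import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"strings"
)
// Manifest is a constructed, minimal update descriptor: version plus SHA-256 hex of the installer.
type Manifest struct{ Version, SHA256 string }
// Encode serialises deterministically so the signature covers exactly the bytes the client parses.
func (m Manifest) Encode() []byte { return []byte(m.Version + "\n" + m.SHA256 + "\n") }
// BuildSigned stands in for a vendor release pipeline (hypothetical helper): hash, describe, sign.
func BuildSigned(priv ed25519.PrivateKey, version string, installer []byte) ([]byte, []byte) {
	h := sha256.Sum256(installer)
	m := Manifest{Version: version, SHA256: hex.EncodeToString(h[:])}
	return m.Encode(), ed25519.Sign(priv, m.Encode())
}
// VerifyUpdate is the check a client must pass before running anything it fetched: a valid
// Ed25519 signature from the vendor key pinned in the client, then an installer digest matching
// the signed manifest. A poisoned DNS answer can serve any files, but cannot forge that signature.
func VerifyUpdate(pub ed25519.PublicKey, manifest, sig, installer []byte) (Manifest, error) {
	if !ed25519.Verify(pub, manifest, sig) {
		return Manifest{}, errors.New("manifest signature invalid: refusing update")
	}
	parts := strings.Split(strings.TrimSpace(string(manifest)), "\n")
	if len(parts) != 2 {
		return Manifest{}, errors.New("malformed manifest: refusing update")
	}
	if sum := sha256.Sum256(installer); hex.EncodeToString(sum[:]) != parts[1] {
		return Manifest{}, errors.New("installer hash mismatch: refusing update")
	}
	return Manifest{Version: parts[0], SHA256: parts[1]}, nil
}
// Demo returns (genuineAccepted, poisonedRejected) on constructed data: the vendor-signed update
// verifies; a backdoored installer from an attacker-controlled host, signed with the attacker's
// own key, is refused even though its own manifest and digest are self-consistent.
func Demo() (bool, bool) {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	_, evilPriv, _ := ed25519.GenerateKey(rand.Reader)
	good, evil := []byte("constructed genuine installer"), []byte("constructed backdoored installer")
	man, sig := BuildSigned(priv, "2.1.0", good)
	_, errGood := VerifyUpdate(pub, man, sig, good)
	eman, esig := BuildSigned(evilPriv, "2.1.1", evil)
	_, errEvil := VerifyUpdate(pub, eman, esig, evil)
	return errGood == nil, errEvil != nil
}
func main() { fmt.Println(Demo()) }
```

The same check also catches a tampered installer delivered alongside a genuine manifest, since the signed digest no longer matches; fetching the manifest over HTTPS adds transport protection but is not a substitute for the signature.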
The MACMA malware, first documented by Google TAG in 2021, has evolved significantly over the years, with new features and a revamped network protocol. The latest versions of MACMA showed significant code similarities with the GIMMICK malware family, indicating a convergence in their development.

Post-Exploitation Activities
Following a successful compromise, StormBamboo deployed the malicious ReloadText Chrome extension on victims’ devices. This extension, installed through a custom binary, exfiltrated browser cookies and other sensitive data to a Google Drive account controlled by the attackers. The extension’s code was heavily obfuscated and encrypted to avoid detection.
The sophisticated nature of these attacks highlights the persistent and evolving threat posed by advanced cyber-espionage groups like StormBamboo. Their ability to compromise third-party infrastructure, such as ISPs, and exploit insecure update mechanisms underscores the importance of robust security practices and vigilance in the face of such threats.
Conclusion
StormBamboo’s activities serve as a stark reminder of the vulnerabilities inherent in software update mechanisms that do not enforce strict security measures. The group’s ability to intercept and poison DNS requests, combined with their deployment of advanced malware, poses a significant risk to organizations worldwide.
To mitigate such threats, Volexity recommends organizations use provided detection rules, block identified indicators of compromise (IOCs), and ensure software update mechanisms are secure and validated. The cybersecurity community must remain vigilant and proactive in addressing these sophisticated threats to protect sensitive data and infrastructure from malicious actors.