StormBamboo APT Group Breaches ISP to Deliver Malware

August 4, 2024

Volexity, a cybersecurity firm, has revealed that a Chinese APT group known as StormBamboo (also referred to as Evasive Panda, Daggerfly, and StormCloud) has successfully breached an undisclosed ISP. The group used this access to manipulate DNS responses for select organizations, enabling them to install malware on victim machines running macOS and Windows.

During mid-2023, Volexity discovered several malware infections in macOS and Windows systems within targeted organizations. The company was able to trace these attacks back to the StormBamboo APT group. Their investigations revealed that the infections were caused by a DNS poisoning attack executed at the ISP level.

The attackers manipulated DNS responses for domains associated with software updates to deploy various malware families, including MACMA and POCOSTICK (MGBot). The tactics used by StormBamboo bear a striking resemblance to those of another threat actor, DriftingBamboo, suggesting a potential link between the two groups. Daggerfly, another alias for the group, has been active for over a decade and is recognized for its use of the custom MgBot malware framework.

In 2023, Symantec identified a Daggerfly intrusion at an African telecom operator, revealing the group's evolving cyber espionage tactics through the use of new MgBot plugins. Macma, a macOS backdoor first detailed by Google in 2021, was employed by the threat actors in watering hole attacks involving compromised websites in Hong Kong. In that campaign, which had used the malware since at least 2019, the attackers exploited the privilege escalation vulnerability CVE-2021-30869 to install Macma on macOS devices.

Macma is a multifunctional modular backdoor capable of device fingerprinting, executing commands, screen capture, keylogging, audio capture, and uploading and downloading files. Although widely used in cyber operations by nation-state actors, Macma was not associated with any specific group until now.

"During one incident investigated by Volexity, it was discovered that StormBamboo poisoned DNS requests to deploy malware via an HTTP automatic update mechanism and poison responses for legitimate hostnames that were used as second-stage, command-and-control (C2) servers," reads the report published by Volexity.

The researchers were unable to identify a specific compromised device, but after updating or deactivating various infrastructure components, the malicious activity ceased. StormBamboo targeted multiple software vendors with insecure update mechanisms and used complex methods to deploy malware. They tampered with 5KPlayer’s update process for the “youtube-dl” dependency to deliver a backdoored installer from their C2 servers. Once systems were compromised, the attackers installed a malicious Google Chrome extension called ReloadText to steal browser cookies and email data.

"The incident described in this blog post confirms the supposition made by ESET concerning the infection vector for the POCOSTICK malware. The attacker can intercept DNS requests and poison them with malicious IP addresses, and then use this technique to abuse automatic update mechanisms that use HTTP rather than HTTPS," concludes the report. "This method is similar to the attack vector Volexity previously observed being used by DriftingBamboo following the 0-day exploitation of Sophos Firewalls."
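The mitigation the report points at is an update mechanism that does not trust its transport. The following is an added example, not code from Volexity or from any vendor named above: an update client that verifies a manifest signature under a public key pinned in the binary and then checks the installer's SHA-256 against the signed digest, so a server reached through a poisoned DNS answer cannot substitute a backdoored installer. The `Manifest`, `SignManifest` and `VerifyUpdate` names, the manifest format and the installer bytes are all constructed for the demonstration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// Manifest is the update descriptor the client downloads. The transport (plain
// HTTP reached via a possibly poisoned DNS answer) is untrusted, so the client
// relies only on a signature by a key whose public half is pinned in the binary.
type Manifest struct {
	Version   string
	SHA256    string // hex digest of the installer
	Signature []byte // ed25519 signature over "version\nsha256"
}
func manifestBytes(version, digest string) []byte {
	return []byte(version + "\n" + digest)
}
// SignManifest models the vendor's offline release step (hypothetical name).
func SignManifest(priv ed25519.PrivateKey, version string, installer []byte) Manifest {
	sum := sha256.Sum256(installer)
	digest := hex.EncodeToString(sum[:])
	return Manifest{Version: version, SHA256: digest,
		Signature: ed25519.Sign(priv, manifestBytes(version, digest))}
}
// VerifyUpdate is the client check: manifest signature under the pinned key
// first, then installer hash against the signed digest. A server reached via a
// poisoned DNS answer can swap either artifact but cannot produce a valid pair.
func VerifyUpdate(pinned ed25519.PublicKey, m Manifest, installer []byte) error {
	if !ed25519.Verify(pinned, manifestBytes(m.Version, m.SHA256), m.Signature) {
		return errors.New("manifest signature invalid: refusing update")
	}
	sum := sha256.Sum256(installer)
	if hex.EncodeToString(sum[:]) != m.SHA256 {
		return errors.New("installer hash mismatch: refusing update")
	}
	return nil
}
func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // demo keypair; real clients embed the vendor key
	genuine := []byte("constructed genuine installer bytes")
	m := SignManifest(priv, "2024.08.04", genuine)
	fmt.Println("genuine:", VerifyUpdate(pub, m, genuine))
	fmt.Println("swapped installer:", VerifyUpdate(pub, m, []byte("constructed backdoored installer")))
	_, evilPriv, _ := ed25519.GenerateKey(rand.Reader)
	fmt.Println("attacker-signed manifest:", VerifyUpdate(pub, SignManifest(evilPriv, "2024.08.05", genuine), genuine))
}
```

Serving the manifest and installer over HTTPS remains necessary for confidentiality and to stop downgrade to older signed releases, but the pinned-key check is what removes the DNS resolver from the trust chain.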
