Known threat actor with ties to China Panda on the run

In mid-2023, the group compromised an unnamed Internet Service Provider (ISP) and pushed malicious software updates to targeted businesses, highlighting a new level of sophistication for the group.
Evasive Panda, also known as Bronze Highland, Daggerfly and StormBamboo, is a cyberespionage group active since at least 2012, using backdoors such as MgBot (aka POCOSTICK) and Nightdoor (aka NetMM and Suzafk) to collect sensitive information.
More recently, the threat actor has also been observed using a macOS malware strain dubbed MACMA, which has been seen in the wild since around 2021.
“StormBamboo is a highly skilled and aggressive threat actor that exploits third parties, in this case ISPs, to compromise their targets,” Volexity said in a report published last week.
“The diversity of malware used by this threat actor across different campaigns, with active support for payloads for macOS and Windows as well as network appliances, indicates a significant amount of effort being put into it.”
Public reports from ESET and Symantec over the past two years have documented Evasive Panda’s use of MgBot and its track record of orchestrating watering hole and supply chain attacks targeting users in Tibet.
They were also found distributing MgBot through legitimate application update channels, such as Tencent QQ, to target international non-governmental organizations (NGOs) in mainland China.
It had been speculated that the trojanized updates were the result of either a supply chain compromise of Tencent QQ's update servers or an adversary-in-the-middle (AitM) attack. Volexity's analysis confirms it was the latter, carried out through DNS poisoning at the ISP level.
Specifically, the threat actors are said to be modifying DNS responses for specific domains used by automatic software update mechanisms, targeting software whose updater fetches over plain HTTP or does not validate the integrity of the installers it downloads.
“We found that StormBamboo was tampering with DNS requests and spoofing responses for legitimate hostnames that were being used as second-stage command and control (C2) servers in order to deploy malware via an HTTP auto-update mechanism,” said researchers Ankur Saini, Paul Rascagneres, Steven Adair, and Thomas Lancaster.
The attack chain is fairly simple in that it exploits an insecure update mechanism to deliver either MgBot or MACMA, depending on the victim's operating system. Volexity says it has notified the ISP involved so that the DNS poisoning can be remediated.
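To make the failure mode concrete, here is an added example, not code from Volexity's report or from any of the affected vendors, that models the two updaters described above. A resolver stands in for the ISP's DNS, a small in-memory "network" stands in for plain-HTTP servers, and all hostnames, addresses and payload strings are hypothetical. The insecure client installs whatever the resolver points it at; the hardened client only installs an installer whose detached Ed25519 signature verifies under a public key pinned in the client, so the spoofed DNS answer is useless without the vendor's signing key. (Serving updates over HTTPS with a certificate valid for the update hostname would also have blocked this redirect; signing additionally protects against a compromised update server, which DNS and TLS do not.)

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Hypothetical hostname, addresses and payloads, constructed for this example.
const (
	updateHost     = "updates.example.invalid" // auto-update hostname the attacker spoofs in DNS
	legitIP        = "203.0.113.10"            // the vendor's real update server
	rogueIP        = "198.51.100.66"           // attacker-controlled server
	legitInstaller = "constructed: genuine vendor installer bytes"
	roguePayload   = "constructed: trojanized installer (stand-in for MgBot or MACMA)"
)

// Resolver stands in for DNS; Network maps "ip/path" to what the plain-HTTP
// server at that IP returns. Nothing in HTTP ties the answer to the hostname.
type Resolver func(host string) string
type Network map[string][]byte

func honestResolver(host string) string { return legitIP }

// poisonedResolver models the ISP-level tampering: only the update hostname
// gets a spoofed answer, so everything else on the victim keeps working.
func poisonedResolver(host string) string {
	if host == updateHost {
		return rogueIP
	}
	return legitIP
}

func httpGet(n Network, r Resolver, host, path string) ([]byte, error) {
	body, ok := n[r(host)+path]
	if !ok {
		return nil, fmt.Errorf("GET http://%s%s: no such resource", host, path)
	}
	return body, nil
}

// insecureUpdate is the pattern the report describes: fetch over HTTP and
// install whatever comes back, with no integrity check on the installer.
func insecureUpdate(n Network, r Resolver) ([]byte, error) {
	return httpGet(n, r, updateHost, "/installer.bin")
}

// verifiedUpdate fetches the installer plus a detached Ed25519 signature over
// its SHA-256 and installs only if the signature verifies under a key pinned
// in the client, so a spoofed DNS answer gains the attacker nothing unless
// they also hold the vendor's signing key.
func verifiedUpdate(n Network, r Resolver, pinned ed25519.PublicKey) ([]byte, error) {
	installer, err := httpGet(n, r, updateHost, "/installer.bin")
	if err != nil {
		return nil, err
	}
	sig, err := httpGet(n, r, updateHost, "/installer.bin.sig")
	if err != nil {
		return nil, err
	}
	digest := sha256.Sum256(installer)
	if !ed25519.Verify(pinned, digest[:], sig) {
		return nil, fmt.Errorf("installer from %s fails pinned-key verification; refusing to install", updateHost)
	}
	return installer, nil
}

// buildScenario creates the vendor key pair, the genuine server and the rogue
// server; the attacker signs with their own key, which the pinned key rejects.
func buildScenario() (Network, ed25519.PublicKey, error) {
	vendorPub, vendorPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	_, attackerPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	n := Network{}
	for _, s := range []struct {
		ip, body string
		key      ed25519.PrivateKey
	}{{legitIP, legitInstaller, vendorPriv}, {rogueIP, roguePayload, attackerPriv}} {
		d := sha256.Sum256([]byte(s.body))
		n[s.ip+"/installer.bin"] = []byte(s.body)
		n[s.ip+"/installer.bin.sig"] = ed25519.Sign(s.key, d[:])
	}
	return n, vendorPub, nil
}

func main() {
	n, pub, err := buildScenario()
	if err != nil {
		panic(err)
	}
	got, _ := insecureUpdate(n, poisonedResolver)
	fmt.Printf("insecure client, poisoned DNS: installs %q\n", got)
	_, err = verifiedUpdate(n, poisonedResolver, pub)
	fmt.Println("verified client, poisoned DNS:", err)
}
```

Running it shows the insecure client happily installing the rogue payload while the verified client refuses it; swap in `honestResolver` and the verified client installs the genuine bytes. The point a practitioner should take from it is that the fix belongs in the client (pinned signing key and, separately, HTTPS), not in trusting the network path.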
In one instance, the attacker was also observed modifying the Secure Preferences file and deploying a Google Chrome extension on a victim's macOS device. The browser add-on purports to be a tool for loading pages in Internet Explorer compatibility mode, but its main purpose is to exfiltrate browser cookies to an attacker-controlled Google Drive account.
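As an added triage check for the extension persistence described above, not from Volexity or the page, here is a Go program that parses a constructed excerpt of a Chrome Secure Preferences file and flags extension entries that were not installed from the Web Store, were sideloaded, or request the permissions a cookie-harvesting extension needs. The layout it reads (`extensions.settings.<id>` with `from_webstore`, `location`, `path` and `manifest`) is Chrome's; the extension IDs, names, path and permissions in the sample are made up.

```go
package main

import (
	"encoding/json"
	"fmt"
	"sort"
)

// Constructed excerpt of a Chrome "Secure Preferences" file with two made-up
// extension IDs. A real file carries many more keys (including HMACs under
// "protection.macs") that this check does not need.
const securePrefsSample = `{
  "extensions": {
    "settings": {
      "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa": {
        "from_webstore": true,
        "location": 1,
        "manifest": {"name": "Ad blocker", "version": "3.2", "permissions": ["webRequest"]}
      },
      "bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb": {
        "from_webstore": false,
        "location": 4,
        "path": "/Users/victim/Library/Application Support/ie-compat",
        "manifest": {"name": "IE Compatibility Mode", "version": "1.0",
                     "permissions": ["cookies", "<all_urls>"]}
      }
    }
  }
}`

// Finding describes one extension entry worth an analyst's attention.
type Finding struct {
	ID, Name string
	Reasons  []string
}

// Values of the "location" field (Chrome's ManifestLocation enum): 1 is a
// normal CRX/Web Store install; 2 and 4 are the usual sideloading paths.
var suspiciousLocation = map[int]string{
	2: "location=EXTERNAL_PREF (sideloaded via external preferences)",
	4: "location=UNPACKED (loaded from a directory, not a signed CRX)",
}

// Permissions that together let an extension read session cookies for every site.
var cookieTheftPerms = map[string]bool{"cookies": true, "<all_urls>": true}

// findSuspiciousExtensions parses a Secure Preferences document and flags
// extensions that did not come from the Web Store, were sideloaded, or request
// cookie-harvesting permissions. Results are sorted by ID for stable output.
func findSuspiciousExtensions(prefs []byte) ([]Finding, error) {
	var doc struct {
		Extensions struct {
			Settings map[string]struct {
				FromWebstore *bool  `json:"from_webstore"`
				Location     int    `json:"location"`
				Path         string `json:"path"`
				Manifest     struct {
					Name        string   `json:"name"`
					Permissions []string `json:"permissions"`
				} `json:"manifest"`
			} `json:"settings"`
		} `json:"extensions"`
	}
	if err := json.Unmarshal(prefs, &doc); err != nil {
		return nil, fmt.Errorf("parse Secure Preferences: %w", err)
	}
	var out []Finding
	for id, ext := range doc.Extensions.Settings {
		var reasons []string
		if ext.FromWebstore == nil || !*ext.FromWebstore {
			reasons = append(reasons, "from_webstore is not true")
		}
		if r, ok := suspiciousLocation[ext.Location]; ok {
			reasons = append(reasons, r)
		}
		for _, p := range ext.Manifest.Permissions {
			if cookieTheftPerms[p] {
				reasons = append(reasons, "requests permission "+p)
			}
		}
		if len(reasons) > 0 {
			out = append(out, Finding{ID: id, Name: ext.Manifest.Name, Reasons: reasons})
		}
	}
	sort.Slice(out, func(i, j int) bool { return out[i].ID < out[j].ID })
	return out, nil
}

func main() {
	findings, err := findSuspiciousExtensions([]byte(securePrefsSample))
	if err != nil {
		panic(err)
	}
	for _, f := range findings {
		fmt.Printf("%s (%q): %v\n", f.ID, f.Name, f.Reasons)
	}
}
```

On a real macOS host the file to point this at is `~/Library/Application Support/Google/Chrome/<Profile>/Secure Preferences`; the `path` field of a flagged unpacked entry tells you where on disk to collect the extension's source for analysis. Treat the output as a triage list rather than a verdict: a legitimately sideloaded enterprise extension will also trip the `from_webstore` and `location` checks.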
“Attackers can intercept DNS requests, pollute them with malicious IP addresses, and use this technique to exploit auto-update mechanisms that use HTTP instead of HTTPS,” the researchers said.