Volexity has uncovered a sophisticated campaign by China's StormBamboo that hacked an unnamed Internet Service Provider (ISP) to deploy malware through automatic updates.
StormBamboo, also known as Evasive Panda, Daggerfly, and StormCloud, has been active since 2012, targeting organizations in China, Hong Kong, Macau, Nigeria, and various Southeast and East Asian countries.
The threat actor abused insecure HTTP software update mechanisms that did not verify digital signatures to deploy malware, including but not limited to MACMA and POCOSTICK (MGBot), on the devices of Windows and macOS victims.
To do this, the attackers intercepted and modified victims' DNS requests, returning attacker-controlled IP addresses so that the update check fetched malware from StormBamboo's C2 servers without any user interaction.
For example, they abused 5KPlayer's requests to update its youtube-dl dependency to deliver an installer hosted on their C2 servers.
After compromising the target's systems, the attackers deployed a malicious Google Chrome extension (ReloadText), which let them collect and steal browser cookies and mail data.
Volexity noted that StormBamboo targets several software vendors that use insecure update processes, applying different levels of complexity at the stages of malware distribution.
Earlier in April 2023, ESET researchers also observed a hacker group using the Pocostick backdoor (MGBot) for Windows, abusing Tencent's automatic QQ update mechanism in attacks targeting international NGOs.
Almost a year later, in July 2024, Symantec detected Chinese hackers attacking an American NGO in China and several organizations in Taiwan using new versions of the Macma backdoor for macOS and the Nightdoor malware for Windows.
In both cases, the researchers believed it was either a supply chain attack or an AITM-type attack, but at the time they were unable to determine the exact method of attack.
• Source: https://www.volexity.com/blog/2024/...to-abuse-insecure-software-update-mechanisms/
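The weakness the post turns on is an update client that trusts whatever the (DNS-hijacked) update server returns over plain HTTP. The Go program below is an added illustration written for this thread, not code from Volexity, 5KPlayer or any vendor named above: it places the weak pattern (`InsecureParse`) next to a hardened client (`VerifyManifest`) that accepts an update only if the manifest carries a valid Ed25519 signature under a key pinned in the client and the installer URL is HTTPS. The manifest field names, the `updates.example.test` host and the 203.0.113.10 address (a TEST-NET documentation range) are constructed for the example, and the key pair is generated on the fly; a real vendor would ship only the public half.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/json"
	"errors"
	"fmt"
	"net/url"
)

// UpdateManifest is a constructed shape for an update server's response:
// the version on offer, where to download the installer, and its expected
// SHA-256. The field names are assumptions for this example, not any
// vendor's real format.
type UpdateManifest struct {
	Version string `json:"version"`
	URL     string `json:"url"`
	SHA256  string `json:"sha256"`
}

// SignedManifest carries the raw manifest bytes plus a detached Ed25519
// signature over exactly those bytes (encoding/json base64-encodes []byte).
type SignedManifest struct {
	Manifest  []byte `json:"manifest"`
	Signature []byte `json:"signature"`
}

// InsecureParse is the weak client pattern the post describes: the body of
// a plain-HTTP update check is trusted as-is, so whoever answers the DNS
// query or sits on the path chooses which installer the client fetches.
func InsecureParse(resp []byte) (UpdateManifest, error) {
	var m UpdateManifest
	err := json.Unmarshal(resp, &m)
	return m, err
}

// SignManifest is the vendor-side step: serialise the manifest and sign it
// with a release key that never leaves the vendor (assumed key handling).
func SignManifest(priv ed25519.PrivateKey, m UpdateManifest) ([]byte, error) {
	raw, err := json.Marshal(m)
	if err != nil {
		return nil, err
	}
	sm := SignedManifest{Manifest: raw, Signature: ed25519.Sign(priv, raw)}
	return json.Marshal(sm)
}

// VerifyManifest is the hardened client. A hijacked DNS answer can redirect
// the update request, but it cannot produce a signature under the pinned
// key, and a downgrade to http:// is refused even if the signature is fine.
func VerifyManifest(pinned ed25519.PublicKey, resp []byte) (UpdateManifest, error) {
	var sm SignedManifest
	if err := json.Unmarshal(resp, &sm); err != nil {
		return UpdateManifest{}, fmt.Errorf("malformed update response: %w", err)
	}
	// Length check first: ed25519.Verify panics on a wrongly sized key.
	if len(pinned) != ed25519.PublicKeySize || !ed25519.Verify(pinned, sm.Manifest, sm.Signature) {
		return UpdateManifest{}, errors.New("manifest signature does not verify under pinned key: refusing update")
	}
	var m UpdateManifest
	if err := json.Unmarshal(sm.Manifest, &m); err != nil {
		return UpdateManifest{}, fmt.Errorf("malformed manifest: %w", err)
	}
	u, err := url.Parse(m.URL)
	if err != nil || u.Scheme != "https" || u.Host == "" {
		return UpdateManifest{}, errors.New("installer URL must be an absolute https URL: refusing update")
	}
	return m, nil
}

// Tamper models the on-path modification: keep the vendor's signature but
// swap the manifest body so the installer URL points elsewhere. Because the
// signature covers the original bytes, VerifyManifest rejects the result.
func Tamper(signedResp []byte, newURL string) []byte {
	var sm SignedManifest
	_ = json.Unmarshal(signedResp, &sm)
	var m UpdateManifest
	_ = json.Unmarshal(sm.Manifest, &m)
	m.URL = newURL
	sm.Manifest, _ = json.Marshal(m)
	out, _ := json.Marshal(sm)
	return out
}

func main() {
	// Constructed release key pair; only the public half belongs in a client.
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	genuine := UpdateManifest{Version: "1.2.3", URL: "https://updates.example.test/app-1.2.3.pkg", SHA256: "constructed-placeholder"}
	signed, _ := SignManifest(priv, genuine)

	if m, err := VerifyManifest(pub, signed); err == nil {
		fmt.Println("genuine manifest accepted:", m.URL)
	}
	if _, err := VerifyManifest(pub, Tamper(signed, "http://203.0.113.10/app-1.2.3.pkg")); err != nil {
		fmt.Println("tampered manifest rejected:", err)
	}
	// The weak client would follow the swapped URL without complaint.
	plain, _ := json.Marshal(UpdateManifest{Version: "1.2.3", URL: "http://203.0.113.10/app-1.2.3.pkg"})
	if m, err := InsecureParse(plain); err == nil {
		fmt.Println("insecure client would fetch:", m.URL)
	}
}
```

The detection angle follows from the same design: a client that pins the vendor key fails closed and logs a verification error when its DNS answers are poisoned, which is a far more useful signal than a silent install, and an HTTPS-only download URL means a redirected host must also present a certificate the client trusts.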